Security & Privacy

Last verified: 14 April 2026 | Applies to: All plans

In 30 seconds

Claude handles data differently depending on which feature you use. Chat conversations are processed on Anthropic’s servers. Cowork runs in a sandboxed environment on your computer. Connectors authenticate via OAuth, so no passwords are shared with Claude. Understanding what goes where is essential before connecting business tools or processing sensitive data.

How data flows by feature

graph TD
    A[Your input] --> B[Chat]
    A --> C[Cowork / Plugins]
    A --> D[Connectors]
    A --> E[Chrome extension]
    A --> F[Code tab / Claude Code]
    B -->|Messages sent to| G[Anthropic servers]
    C -->|Instructions sent to| G
    C -->|Files stay on| H[Your computer]
    D -->|OAuth token to| I[Third-party tool]
    D -->|Queries via| G
    E -->|Page content sent to| G
    F -->|Code context sent to| G
    G --> J[Response back to you]

Feature	Where it runs	What data leaves your machine	What stays local
Chat	Anthropic’s servers	Your messages and Claude’s responses	Nothing (cloud-based)
Cowork	Sandboxed environment on your computer	Task instructions sent to Anthropic for processing	Files in your selected folder stay local
Plugins	Within Cowork (your computer)	Same as Cowork (instructions processed by Anthropic)	Plugin files, your data files
Connectors	Anthropic’s servers (MCP protocol)	OAuth tokens, tool queries and responses	Nothing (cloud-based)
Claude in Chrome	Your browser + Anthropic’s servers	Page content Claude reads, actions Claude takes	Browser data itself
Code tab	Your computer + Anthropic’s servers	Code and instructions sent for processing	Your codebase files

What operators need to know

Chat conversations: Your messages are sent to Anthropic’s servers for processing. On paid plans, Anthropic states that your conversations are not used to train models. On the Free plan, conversations may be used for training unless you opt out.

Cowork data handling: Cowork gives Claude access to a specific folder on your computer. Files stay on your machine. Claude reads them locally in the sandbox. However, the instructions and context are sent to Anthropic’s servers for processing. This means Claude needs to send information about your files to generate responses, but the files themselves aren’t uploaded or stored.

Connector authentication: Connectors use OAuth, the standard “Sign in with…” flow. You authenticate directly with each tool (Slack, Asana, etc.). Your passwords are never shared with Claude. Claude receives scoped access tokens that can be revoked at any time.

Incognito chats: Available on all plans. When you start an incognito conversation, it is not saved to your chat history and is not written to Claude’s Memory. This is useful for operators handling sensitive data: confidential financials, employee reviews, or anything you don’t want persisting in your account. Incognito chats are discarded when the conversation ends.

Enterprise gap, Cowork audit trail: Cowork conversation history is stored locally on your machine. It is not captured in Audit Logs, the Compliance API, or Data Exports. This is a significant gap for operators in regulated industries or organisations that require comprehensive audit trails. If compliance requires a record of all AI interactions, be aware that Cowork sessions fall outside the enterprise logging perimeter.

Key security features by plan

Feature	Free/Pro/Max	Team	Enterprise
Incognito chats	✓	✓	✓
Conversations not used for training	Paid plans only	✓	✓
Admin controls	—	✓	✓
SSO (SAML/OIDC)	—	✓	✓
SCIM provisioning	—	—	✓
Audit logs	—	—	✓
Compliance API	—	—	✓
Data exports	—	—	✓
Custom data retention	—	—	✓

Practical recommendations

Before connecting business tools:

Review what permissions each connector requests (read-only vs read-write)
Start with read-only access until you’re comfortable
Use a test account or sandbox environment for initial setup if available

For sensitive data processing:

Prefer Cowork over Chat for sensitive documents, as files stay on your machine
Be mindful that instructions and context still travel to Anthropic’s servers
If full data residency is required, discuss options with Anthropic’s Enterprise team

For team deployments:

Team plan provides admin controls and SSO, but not full audit logging
Enterprise plan is required for SCIM provisioning, audit logs, and compliance API
Cowork sessions are not captured by enterprise logging regardless of plan. Factor this into your compliance assessment

“Local” doesn’t mean “offline.” Cowork runs locally but still communicates with Anthropic’s servers for AI processing. It’s not an air-gapped solution.
Connector permissions are scoped. If you connect with read-only access, Claude can’t write. Review permissions when connecting each tool.
Revoking access is straightforward. Go to Settings → Connectors to disconnect any integration. OAuth tokens are revoked immediately.
Data handling policies may change. Check Anthropic’s current privacy policy and terms of service for the latest details, especially before deploying in regulated environments.
Third-party OAuth access is not permitted. As of February 2026, Anthropic’s Terms of Service explicitly prohibit third-party services from using OAuth-based access to Claude accounts. If you need programmatic access to Claude, use the official API, MCP connectors, or Claude Code CLI. Do not authorise third-party tools that request OAuth sign-in to your Claude account.
Third-party extension security. A remote code execution vulnerability has been identified in third-party Claude Desktop extensions. Official Anthropic plugins are not affected. If you use third-party extensions, check with the developer for a patched version and only install extensions from sources you trust.
Anthropic’s safety policy has evolved. Anthropic has published a Frontier Safety Roadmap and updated its approach to model safety evaluations. For operators in regulated environments, review the latest safety commitments on Anthropic’s website.
CMS data breach (26 March 2026). A CMS misconfiguration exposed approximately 3,000 unpublished Anthropic assets, including details of unreleased models and internal documentation. Anthropic acknowledged the incident as “human error.” No customer data was involved, but the breach highlights that even leading AI companies face basic infrastructure security risks. If you’re evaluating Anthropic for enterprise use, factor this incident into your vendor risk assessment.

Enterprise Security & Compliance: enterprise-specific security controls
Connectors: how MCP handles authentication
Audit & Compliance: enterprise logging and compliance tools
Cowork: understanding the sandboxed environment

Something wrong or outdated? Let us know →

Get weekly workflows: subscribe to the newsletter.