Claude Enterprise Security Architecture: The Overview
Claude Enterprise security architecture is designed around three principles: no training on customer data by default, encrypted data in transit and at rest, and strict access controls through enterprise-grade identity management. This article gives CISOs, compliance teams, and security architects the technical detail they need to complete vendor risk assessments.
We run these security reviews as part of our Claude Security & Governance service; most enterprise organisations need 2-4 weeks to complete a full assessment. This guide gives you the factual foundation before that process starts.
Data Handling: What Anthropic Does and Doesn't Do with Your Data
This is the question every security team asks first. The answer for Claude Enterprise and API customers: by default, Anthropic does not use your conversations or data to train Claude models. This is a contractual commitment, not a default setting that can be toggled; it requires a DPA or API usage agreement that explicitly opts out of training data use.
Here is the breakdown by product tier:
- Claude.ai Free and Pro: Anthropic may use conversations to improve models unless you opt out in settings.
- Claude.ai Enterprise: By contract, conversations are not used for training. This is confirmed in the Enterprise DPA.
- Anthropic API (any tier): API data is not used for model training by default per the API Usage Policy.
- Claude via AWS Bedrock: Follows AWS data processing terms: data does not leave your AWS region, and AWS has confirmed no training use.
- Claude via Google Cloud Vertex AI: Governed by Google Cloud's DPA: no training use of customer data.
Key Commitment: No Training on Enterprise Data
Claude Enterprise organisations receive a signed Data Processing Agreement (DPA) confirming that conversation data, documents, and inputs are not used to train Anthropic's models. Request this document during vendor procurement and review it with your legal team before deployment.
Encryption Standards
Data in transit: All API traffic between your application (or Claude.ai) and Anthropic's servers is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) are not supported on Anthropic's endpoints. Certificate pinning is not required but is supported for high-security API integrations.
Data at rest: Conversation data, when retained (see retention policy below), is encrypted using AES-256. Anthropic's infrastructure is hosted on AWS, which provides hardware-level encryption for EBS volumes and S3 storage objects.
Key management: Anthropic manages encryption keys using AWS KMS (Key Management Service). Enterprise customers with specific key management requirements should discuss Bring Your Own Key (BYOK) options during contract negotiation; this is available for some enterprise tiers.
Data Retention Policy
Retention policy varies by product and usage method. This is a common source of confusion in security reviews.
| Access Method | Input Retention | Output Retention | Conversation History |
|---|---|---|---|
| Claude.ai Free/Pro | Retained (configurable opt-out) | Retained | Stored in account; retained until deleted |
| Claude.ai Enterprise | 30 days (configurable by admin) | 30 days (configurable) | Admin-controlled retention window |
| API (no system prompt) | Not retained post-response by default | Not retained | N/A (stateless by default) |
| API with Projects | Retained for project context duration | Retained for project duration | Project-scoped retention |
| AWS Bedrock | Never stored by Anthropic | Never stored by Anthropic | AWS handles logging per your CloudTrail config |
For organisations with strict data residency requirements, AWS Bedrock deployment is often the right architecture: data never leaves your AWS account and Anthropic has no access to it. Our Claude on AWS Bedrock deployment guide covers this architecture in detail.
Access Controls and Identity Management
Claude Enterprise includes the full identity management stack enterprises expect from SaaS vendors.
Single Sign-On (SSO)
SAML 2.0 and OIDC support for SSO with Okta, Azure AD, Google Workspace, and any compliant IdP. MFA is enforced at the IdP level. SSO is required for Enterprise tier; it cannot be disabled.
SCIM Provisioning
System for Cross-domain Identity Management (SCIM) integration enables automatic user provisioning and de-provisioning from your IdP. Users removed from Okta or Azure AD lose Claude access immediately, with no manual offboarding step required.
Role-Based Access
Roles include Admin, Member, and configurable custom roles for billing and audit access. Admins control which models users can access, which Projects are available, and what MCP integrations are permitted.
Audit Logs and Usage Analytics
The Admin Console provides usage analytics, conversation volume tracking, and model usage breakdown by user or team. Audit log export is available for SIEM integration. Log retention is configurable.
API Key Management
API keys are scoped to individual users or service accounts. Keys can be revoked instantly from the Admin Console. Rate limits, monthly spend caps, and IP allowlists can be configured per key.
Usage Policies and Content Controls
Enterprise admins can configure acceptable use policies, restrict capabilities for specific users or teams, and add system prompts to all conversations within their organisation context.
Network Security and Infrastructure
Claude Enterprise is hosted on AWS infrastructure in the US-East-1 and US-West-2 regions by default. European data residency options are available for organisations with GDPR Article 44+ requirements; confirm availability during contract negotiation.
Infrastructure hardening: Anthropic's AWS infrastructure uses VPC isolation, Security Groups with least-privilege rules, and no public internet exposure for backend services. The API endpoint is rate-limited and behind DDoS protection (AWS Shield Standard minimum; Shield Advanced for Enterprise SLAs).
Penetration testing: Anthropic conducts regular third-party penetration tests. Enterprise customers can request the executive summary of the most recent pentest as part of vendor due diligence.
Vulnerability management: Anthropic maintains a responsible disclosure programme and public CVE database. Critical vulnerabilities in the API surface are patched and disclosed per the security policy timeline.
For organisations deploying Claude via AWS Bedrock, your network security controls apply directly: VPC endpoints, PrivateLink, WAF rules, and CloudTrail logging are all available. This is the recommended architecture for organisations where network traffic must stay within an AWS private network.
Deploying via AWS Bedrock: Maximum Security Posture
For the most security-controlled deployment of Claude Enterprise, AWS Bedrock is the right architecture. It provides:
- Data stays in your AWS account: No data crosses to Anthropic's infrastructure. Your VPC, your logs, your data.
- AWS IAM integration: All access to Claude models is governed by IAM policies and roles, the same governance you use for the rest of your AWS workloads.
- CloudTrail audit logging: Every Bedrock API call is logged in CloudTrail with request metadata (but not prompt content unless you configure it).
- AWS Macie, Security Hub, GuardDuty: Your existing AWS security tooling monitors Claude interactions as part of your broader security posture.
- VPC endpoints: Claude API calls can traverse AWS PrivateLink, never touching the public internet.
- FedRAMP Moderate: AWS Bedrock with Claude is currently in FedRAMP Moderate scope (GovCloud), making it suitable for many government workloads.
Request Data Flow: Claude Enterprise via Bedrock
1. The user submits a prompt through your internal tool or UI. TLS 1.3 encrypts transit between the user's device and your application.
2. Your application calls the Bedrock API over a VPC endpoint. Traffic never leaves the AWS private network. An IAM role authenticates the request.
3. Bedrock routes the request to Claude model inference. At this point, the data is processed by Anthropic's model but governed by AWS data handling terms: no storage, no training use.
4. The response is returned over the same private network path. CloudTrail logs the API call metadata. Your application logs the full interaction if configured.
AWS Bedrock retains no prompt or response data after the API call completes. Your application logs are the only record, and you control them entirely.
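The data flow above can be checked from the CloudTrail side. The following is an added example, not code from Anthropic or AWS: it audits constructed CloudTrail records for Bedrock inference calls that bypassed the approved VPC endpoint, came from an unexpected principal, or were denied. The endpoint ID, role name, account ID and allow-lists are assumptions, as is the set of event names treated as inference calls.

```python
import json

# Constructed sample CloudTrail records (not real logs); IDs and names are placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"eventID": "e1", "eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/claude-app-role/s1"},
  "vpcEndpointId": "vpce-0example1"},
 {"eventID": "e2", "eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/claude-app-role/s2"}},
 {"eventID": "e3", "eventSource": "bedrock.amazonaws.com", "eventName": "Converse",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev-laptop-role/s3"},
  "vpcEndpointId": "vpce-0example1"},
 {"eventID": "e4", "eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "vpcEndpointId": "vpce-0other", "errorCode": "AccessDenied"},
 {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/claude-app-role/s5"}}
]""")

# Assumed policy for this example: one approved endpoint and one application role.
ALLOWED_VPCES = {"vpce-0example1"}
ALLOWED_ROLES = {"claude-app-role"}
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}

def role_name(event):
    """Return the role from an assumed-role ARN, or None for any other principal."""
    arn = event.get("userIdentity", {}).get("arn", "")
    parts = arn.split("/")
    return parts[1] if ":assumed-role/" in arn and len(parts) >= 3 else None

def audit(events):
    """Return (eventID, reasons) for Bedrock inference calls that break the policy."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "bedrock.amazonaws.com" or ev.get("eventName") not in INVOKE_EVENTS:
            continue  # only model-inference calls are in scope
        reasons = []
        if ev.get("vpcEndpointId") not in ALLOWED_VPCES:
            reasons.append("not-via-approved-vpc-endpoint")  # absent field = no VPC endpoint used
        if role_name(ev) not in ALLOWED_ROLES:
            reasons.append("unexpected-principal")
        if ev.get("errorCode") == "AccessDenied":
            reasons.append("denied-attempt")
        if reasons:
            findings.append((ev["eventID"], reasons))
    return findings

if __name__ == "__main__":
    for event_id, reasons in audit(SAMPLE_EVENTS):
        print(event_id, ", ".join(reasons))
```

The same findings can feed a SIEM rule; CloudTrail records carry request metadata only, so prompt content never appears in this audit.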
GDPR and Data Residency
Claude Enterprise's GDPR posture is strong but requires active management from enterprise data owners.
Anthropic operates as a Data Processor when providing API or Enterprise services. The enterprise customer is the Data Controller. The DPA defines the processor-controller relationship, specifies sub-processors (AWS, and any other infrastructure providers), and includes Standard Contractual Clauses (SCCs) for data transfers to the US from the EU/EEA.
For organisations that cannot accept any US data transfers (some financial services regulators and certain EU public sector entities), the AWS Bedrock EU West (Ireland or Frankfurt) deployment keeps data within the EEA. The Anthropic API endpoint, however, routes through US infrastructure by default. Confirm regional endpoint availability with Anthropic's enterprise team during contract negotiation.
Data Subject Requests: For GDPR Article 17 (right to erasure) requests involving Claude conversation data, Anthropic supports deletion of Enterprise account data on request. Document this process in your internal data inventory and DPIA (Data Protection Impact Assessment).
Claude Cowork Security Considerations
Claude Cowork introduces additional security considerations because it operates as a desktop agent with file system access. The security model is worth understanding before enterprise deployment.
Permissions: Cowork requests access to specific folders and applications; it does not have unrestricted filesystem access. Users grant access per-session or persistently to defined directories. Admins can restrict which folders are accessible organisation-wide.
Local processing: Files that Cowork reads from your local machine are sent to Claude's API for processing. This means your document content traverses the network under the same encryption and data handling rules as API calls. If you hold documents classified as Top Secret or above, treat Cowork access accordingly.
MCP integrations: When Claude Cowork connects to external services via MCP (Salesforce, Jira, etc.), it acts with the credentials you provide. Apply the principle of least privilege when configuring MCP server credentials: Cowork should only have the permissions it needs for its defined workflows.
Our Claude Cowork security guide provides a full permissions audit checklist for enterprise deployment.
Claude Code Security Considerations
Claude Code operates in the developer's terminal with elevated access: it can read files, execute commands, and modify code. The Claude Code Enterprise Security guide covers this in full, but the key points are:
- Code never stored: Code submitted to Claude Code via the API follows standard API data handling and is not retained post-response.
- Command execution: Hooks and sub-agent commands execute on the developer's local machine or CI/CD pipeline. Review hook configurations before enterprise-wide rollout.
- GitHub integration: When Claude Code accesses GitHub for PR reviews, it operates under the OAuth scopes you grant, typically read access to repository content and write access to PR comments. Never grant admin repository access.
- CLAUDE.md governance: Use CLAUDE.md to define permitted and prohibited actions for Claude Code across your organisation. This is the primary policy control mechanism for Claude Code behaviour.
Security Assessment Checklist for Procurement
Required Documents for Enterprise Security Review
- Anthropic Data Processing Agreement (DPA) (request from enterprise sales)
- SOC 2 Type II report (request under NDA from Anthropic)
- Sub-processor list (included in DPA or available separately)
- Penetration test executive summary (available on request)
- Acceptable Use Policy (publicly available at anthropic.com)
- Incident response and notification procedures (in DPA)
- Business Continuity and Disaster Recovery (BC/DR) summary
- GDPR SCCs and transfer impact assessment (for EU organisations)
Our Claude Security & Governance service manages the vendor risk assessment process end-to-end, from information requests to DPIA completion and ongoing monitoring. We've run this process for organisations in financial services, healthcare, and legal services, and have the documentation templates ready.