Is Claude SOC2 Type II compliant?

Yes, Anthropic maintains SOC2 Type II certification for Claude Enterprise. The SOC2 report covers security, availability, and confidentiality trust service criteria. Enterprise customers can request Anthropic's SOC2 report via their account team during the procurement process. The report is available under NDA and is sufficient for most corporate security reviews. For regulated industries requiring additional assurance, Anthropic also provides penetration test results and answers to security questionnaires via their Trust Center.

Is Claude HIPAA compliant for healthcare organizations?

Claude Enterprise can be made HIPAA compliant for healthcare organizations through a Business Associate Agreement (BAA) with Anthropic. The BAA establishes the required data handling obligations under HIPAA. With a BAA in place and appropriate data handling protocols, Claude can be used for workflows involving Protected Health Information (PHI). However, using Claude for clinical diagnosis or as a medical device is a separate regulatory question — organizations should consult with legal counsel on the scope of HIPAA and FDA regulations applicable to their specific Claude use cases.

Does Claude Enterprise use my company's data to train its models?

No. Claude Enterprise (and Claude Team) explicitly commit that inputs from enterprise customers are not used to train Claude's models. This is a contractual commitment, not just a policy statement. For Claude Pro (individual plan), the terms differ — Anthropic may use interactions to improve the model unless you opt out. This is the critical reason enterprise organizations must use Team or Enterprise tiers, not individual Pro accounts, for any company data processing.

How should we handle shadow AI — employees using personal Claude accounts?

Shadow AI is a real enterprise risk. Employees using personal Claude Pro accounts send company data under consumer terms without enterprise data protections, audit trails, or governance oversight. The most effective response is a two-part approach: (1) deploy a sanctioned Claude Enterprise or Team environment so employees have an governed alternative, and (2) update your AI usage policy to explicitly classify which AI tools are approved for which data classifications. We help clients draft these policies as part of every governance engagement.

Claude Security and Privacy Guide for Enterprise

How Claude Handles Enterprise Data

The first and most important security question is: what happens to the data I send Claude? The answer depends entirely on which Claude tier you're using — and getting this wrong creates real enterprise risk.

Claude Enterprise and Team: No Training on Your Data

Claude Enterprise and Claude Team both include an explicit contractual commitment: your inputs are not used to train Claude's models. When your attorney sends a contract to Claude for review, or your analyst pastes an earnings model for Claude to analyze, that data is processed to generate the response and then is not retained or used for training. This is the baseline requirement for any enterprise data processing.

Claude Pro: Consumer Tier, Different Terms

Claude Pro (the $20/month individual plan) operates under consumer terms. Anthropic may use interactions to improve the model unless the user opts out. This is why employees must not use personal Claude Pro accounts for company data. This is the shadow AI risk — and it's significant. We cover shadow AI governance in detail later in this article.

Data Retention and Deletion

Claude Enterprise provides configurable data retention settings and the ability to delete conversation history. For regulated industries with specific data retention requirements (legal holds, financial records, HIPAA), these controls are essential. Work with your Anthropic account team to configure retention policies that match your regulatory obligations. Our governance service includes data retention policy configuration as a standard deliverable.

Need help configuring Claude's security settings for your regulated industry? Our governance service covers data classification, retention policy, system prompt governance, and compliance configuration — delivered in 30 days.

Discuss Governance Setup →

Compliance Frameworks: SOC2, HIPAA, GDPR

Here's how Claude Enterprise addresses the major enterprise compliance frameworks:

SOC2 Type II

Security & Availability

Anthropic maintains SOC2 Type II certification covering security, availability, and confidentiality. The report is available to Enterprise customers under NDA via your account team. Sufficient for most corporate security reviews and vendor risk assessments.

HIPAA

Healthcare Data

Claude Enterprise supports a Business Associate Agreement (BAA) for healthcare organizations. With a BAA in place and appropriate data handling protocols, Claude can process workflows involving Protected Health Information (PHI). Clinical diagnosis use cases require separate legal review.

GDPR

EU Data Regulations

Anthropic offers Data Processing Addendum (DPA) for GDPR compliance. For EU-based organizations, the DPA establishes the required controller-processor relationship and data handling obligations. EU-specific data residency requirements should be confirmed with your Anthropic account team.

For financial services organizations, SOC2 compliance is typically sufficient for most Claude use cases. For investment banking and trading workflows involving material non-public information (MNPI), additional governance controls are required — data classification that prohibits MNPI from being included in Claude prompts, and output review protocols. See our financial services industry page for the full framework.

Free White Paper

AI Compliance: SOC2, HIPAA, GDPR for Claude

The complete compliance playbook for regulated-industry Claude deployments — with configuration checklists, policy templates, and audit evidence guidance.

Download Free →

Shadow AI: The Real Enterprise Risk

In our experience, shadow AI — employees using unauthorized personal Claude accounts for company work — is the most prevalent and underestimated security risk in enterprise AI adoption. A conservative estimate from our client base suggests that in organizations that haven't formally deployed AI, 15-30% of knowledge workers are already using personal Claude or ChatGPT accounts for work tasks.

Why Shadow AI Is a Real Risk

When an employee uses their personal Claude Pro account for company work, they are: (a) sending company data under consumer terms without enterprise data protections, (b) creating no audit trail for your organization, (c) potentially violating data residency requirements for regulated information, and (d) operating outside your acceptable use and governance policies. For legal and healthcare organizations, shadow AI use of attorney-client privileged information or PHI creates specific, serious legal risk.

The Two-Part Shadow AI Response

The most effective response to shadow AI is not prohibition alone — prohibition without a sanctioned alternative simply drives shadow AI further underground. The effective response is:

Deploy a sanctioned alternative: Claude Enterprise or Team gives employees a governed, approved Claude environment. Once employees have a high-quality sanctioned option, adoption of unauthorized personal accounts drops dramatically.
Update your AI usage policy: Define clearly which AI tools are approved for which data classifications. The policy should explicitly address personal AI account usage for company data. We help clients draft these policies as part of every governance engagement.

IT Security Configuration Checklist

When deploying Claude Enterprise, here are the security configurations your IT team should implement:

SSO/SAML integration: Enforce Claude login through your identity provider (Okta, Azure AD, Google Workspace). This ensures only approved employees access Claude Enterprise and enables immediate access revocation for departing employees.
Network allowlisting: Allowlist Claude domains (claude.ai and api.anthropic.com) in your web proxy and DLP rules, while potentially blocking personal Claude.ai access from corporate devices for non-approved users.
Audit logging: Enable Claude audit log export and integrate with your SIEM. Audit logs track which users are accessing Claude, when, and at what volume — enabling anomaly detection and compliance reporting.
Organization system prompt: Configure an organization-level system prompt that applies to all users. This is where you encode data handling instructions ("Do not include client names in prompts"), output format requirements, and any other governance constraints you want universally enforced.
Data classification training: IT policy alone is insufficient. Train all Claude users on which data classifications are permitted in Claude prompts. Our training service includes data classification education as a standard module.

Building Your Claude Governance Framework

Security configuration is the technical layer. Governance is the organizational layer — the policies, processes, and controls that ensure Claude is used appropriately over time. A complete Claude governance framework includes:

Data Classification Policy: Which data types are permitted in Claude prompts (open, internal, confidential, restricted) and which are prohibited by default.
Acceptable Use Policy: Which use cases are approved, which require additional review, and which are prohibited.
Output Review Protocol: For high-stakes outputs (legal documents, financial reports, client communications), a tiered review protocol that matches review rigor to output risk.
Incident Response: What to do if a data handling policy is violated — including how to assess impact, who to notify, and how to prevent recurrence.
Ongoing Governance: A designated Claude governance owner, regular policy review cadence, and a process for evaluating new use cases as Claude capabilities expand.

Download our Claude Governance Framework white paper for complete policy templates, or engage our governance service for a customized framework delivered in 30 days.

Claude Security and Privacy: The Complete Enterprise Guide for 2026