All data processed through the API is governed by a separate Data Processing Addendum, which is incorporated into these terms as a binding document.
This analysis describes what Anthropic's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The DPA governs how personal data submitted through the API is processed; because it is incorporated by reference rather than reproduced in the main terms, customers must review it separately to understand their data processing rights and obligations.
Interpretive note: The DPA's specific terms are incorporated by reference and are not reproduced in the main Terms; the compliance implications depend on the content of the separately published DPA, which must be reviewed independently.
Business customers' data processing rights and obligations, including GDPR compliance mechanisms, are governed by the separately published Data Processing Addendum rather than the main Commercial Terms; customers handling personal data through the API must review and assess the DPA for compliance with applicable data protection law.
How other platforms handle this
Zendesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When Zendesk transfers personal data from the EU, UK, or Switzerland to the United ...
Datadog complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Datadog has certified to the U.S. Department of Commerce that it adheres to the EU-...
In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...
Monitoring
Anthropic has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Data submitted through the Services will be processed in accordance with the Anthropic Data Processing Addendum ("DPA"), which is incorporated into these Terms by reference.— Excerpt from Anthropic's Anthropic Commercial Terms
REGULATORY LANDSCAPE: The DPA incorporation directly engages GDPR Article 28 (processor obligations) for EEA and UK customers, enforced by the Irish Data Protection Commission for Anthropic Ireland, Limited. CCPA and state privacy law equivalents may apply to US-based customer personal data. For customers in other jurisdictions, applicable national data protection law governs the DPA's requirements. GOVERNANCE EXPOSURE: High for customers processing personal data through the API. The DPA is incorporated by reference and must be reviewed separately; its specific terms, including sub-processor lists, data transfer mechanisms, and data subject rights procedures, are not summarized in the main Terms and must be independently assessed. JURISDICTION FLAGS: EEA and UK customers face the highest compliance exposure given GDPR and UK GDPR requirements for processor agreements. Customers transferring personal data across borders must assess whether the DPA includes adequate transfer mechanisms such as Standard Contractual Clauses. US customers processing health, financial, or other regulated data should assess whether the DPA is sufficient for their specific regulatory context. CONTRACT AND VENDOR IMPLICATIONS: Legal teams must obtain and review the current version of the Anthropic DPA as part of vendor onboarding. The DPA should be assessed for GDPR Article 28 compliance, adequate data subject rights procedures, sub-processor disclosure and consent mechanisms, breach notification timelines, and data retention and deletion terms. COMPLIANCE CONSIDERATIONS: Data protection officers and legal teams should map data flows through the API against the DPA's sub-processor list and transfer mechanisms. Any changes to the DPA should be monitored as part of ongoing vendor management. Organizations subject to sectoral regulations such as HIPAA or financial data protection law should assess whether the DPA and main Terms are sufficient or require supplementation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The DPA governs how personal data submitted through the API is processed; because it is incorporated by reference rather than reproduced in the main terms, customers must review it separately to understand their data processing rights and obligations.
Business customers' data processing rights and obligations, including GDPR compliance mechanisms, are governed by the separately published Data Processing Addendum rather than the main Commercial Terms; customers handling personal data through the API must review and assess the DPA for compliance with applicable data protection law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Anthropic.