6 Total
0 High severity
3 Medium severity
3 Low severity
Summary

This is Anthropic's subprocessor list, disclosing the third-party companies that handle data as part of delivering Claude and related products. The most operationally significant disclosure is that Google Cloud Platform, Amazon Web Services, and Microsoft Azure all serve as cloud infrastructure subprocessors for all Anthropic products, with worldwide processing locations, meaning customer data may be processed across multiple global regions by all three major cloud providers simultaneously. Stripe processes billing data for Claude Pro/Max, Claude Developer Platform, and Claude for Work in the United States, while WorkOS handles single sign-on and security for Claude for Work and the Developer Platform, also in the United States.

Technical / Legal Breakdown

This document is Anthropic's publicly disclosed subprocessor list, published on the Anthropic Trust Center, identifying the third-party vendors that process data on behalf of Anthropic across its product lines including Claude Pro/Max, Claude Developer Platform, Claude for Work, and Claude for Government. The list discloses each subprocessor's name, functional category (e.g., cloud infrastructure, billing, user support, identity verification), geographic processing location, and the specific Anthropic products to which each subprocessor applies. Notably, the list distinguishes subprocessors by product scope, with some vendors such as Google Cloud Platform, Amazon Web Services, Microsoft Azure, and Cloudflare applying to all products, while others such as Stripe (billing), WorkOS (SSO), Intercom (user support), and Nutun (trust and safety) are scoped to specific product tiers; the exclusion of Intercom from Claude for Government is an operationally distinct carve-out that suggests differentiated data handling for government deployments. The subprocessor disclosure framework engages GDPR Article 28 requirements for controller-processor agreements and subprocessor notification obligations, as well as CCPA service provider disclosure norms, and organizations subject to FedRAMP, ITAR, or sector-specific data residency requirements should evaluate the worldwide processing locations listed for cloud infrastructure subprocessors. Compliance teams should note that the document does not disclose the contractual terms governing each subprocessor relationship, the specific data categories transferred to each vendor, or the legal mechanisms used for international data transfers, which represent standard due diligence gaps when assessing GDPR adequacy and SCCs applicability.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Get Compliance
Medium — 3 provisions
Low — 3 provisions

Monitoring

Anthropic has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Get Compliance

Cross-platform context

See how other platforms handle Cloud Infrastructure Subprocessors (Worldwide Scope) and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

BIPA
Illinois, USA
View official text ↗
CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗

Related Analysis

Privacy · April 14, 2026
Deleted Claude Conversations Aren't Gone for 30 Days

Anthropic is more transparent than most AI companies about data retention. Here's exactly what happens when you delete your data, and how t…

Archival ProvenanceSource & Archival Record
Last Captured July 6, 2026 22:43 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000927
Version ID CA-V-004525
SHA-256 43ecfd774dcc8cebd3da309fe92bebfb0993f86d290e78ea5008c8f759cf3350
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans