WorkOS, located in the United States, is listed as the subprocessor responsible for security and single sign-on (SSO) functionality for Claude for Work and the Claude Developer Platform, meaning authentication and identity data for enterprise and developer users is processed by WorkOS.
This analysis describes what Anthropic's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision discloses that authentication credentials and identity data for enterprise (Claude for Work) and developer platform users are processed by a US-based third party, which is relevant to organizations with identity governance, access management, and cross-border data transfer compliance obligations.
This provision establishes that authentication and single sign-on data for Claude for Work and Claude Developer Platform users is processed by WorkOS in the United States, with additional information available at the linked Anthropic support article on enterprise SSO setup.
Cross-platform context
See how other platforms handle WorkOS as SSO and Security Subprocessor and similar clauses.
Compare across platforms →Monitoring
Anthropic has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"WorkOS | Security, Single Sign-On | United States | Products: Claude for Work, Claude Developer Platform.— Excerpt from Anthropic's Anthropic Sub-Processors
1) REGULATORY LANDSCAPE: Authentication and identity data processed by WorkOS engages GDPR principles of data minimization and purpose limitation for EU/EEA enterprise users, as well as GDPR Chapter V international transfer requirements for US-based processing. For enterprises subject to SOC 2 or ISO 27001 auditing, SSO subprocessor relationships are typically within scope for third-party vendor risk reviews. The FTC has general jurisdiction over deceptive or unfair practices related to identity and authentication data handling. 2) GOVERNANCE EXPOSURE: Medium. SSO and identity data is sensitive from an access management perspective. Enterprise customers integrating WorkOS-powered SSO should assess whether WorkOS is named in Anthropic's DPA and whether WorkOS's own security certifications (SOC 2, ISO 27001) meet organizational vendor requirements. 3) JURISDICTION FLAGS: EU/EEA enterprise customers face GDPR Chapter V transfer obligations for identity data processed by WorkOS in the US. Organizations subject to HIPAA that use Claude for Work with SSO should assess whether identity data handling by WorkOS requires a Business Associate Agreement. Illinois BIPA applicability is unlikely but should be assessed if biometric authentication is ever enabled. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement and security teams should independently review WorkOS's security posture, certifications, and DPA. The Anthropic support article linked in the document (https://support.anthropic.com/en/articles/9797544-setting-up-single-sign-on-on-the-enterprise-plan) provides additional configuration information. Teams should confirm whether their enterprise DPA with Anthropic covers WorkOS as an authorized subprocessor. 5) COMPLIANCE CONSIDERATIONS: Identity governance teams should update vendor inventories to include WorkOS as a processor of authentication data. EU enterprise customers should confirm SCCs or equivalent transfer mechanisms are in place. Access management reviews should include WorkOS as a component of the overall Claude for Work authentication chain.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision discloses that authentication credentials and identity data for enterprise (Claude for Work) and developer platform users are processed by a US-based third party, which is relevant to organizations with identity governance, access management, and cross-border data transfer compliance obligations.
This provision establishes that authentication and single sign-on data for Claude for Work and Claude Developer Platform users is processed by WorkOS in the United States, with additional information available at the linked Anthropic support article on enterprise SSO setup.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Anthropic.