This document summarizes the key provisions of Anthropic's DPA. For the full, legally binding text, please refer to the official source.
Defines key terms like "Applicable Data Protection Laws", "Customer Personal Data", "GDPR", "Security Breach", and "Standard Contractual Clauses".
Establishes Customer as the data controller and Anthropic as the processor. Anthropic commits to only process data based on customer instructions and not to "sell" or "share" customer personal data.
Customer grants general authorization for Anthropic to use subprocessors. Anthropic will provide 15 days' notice for new subprocessors, allowing customers to object.
Anthropic will promptly forward any Data Subject Requests to the customer and provide reasonable assistance.
Anthropic commits to implementing and maintaining appropriate technical and organizational security measures, as detailed in Schedule 2.
Anthropic undergoes annual third-party audits (e.g., SOC 2). Customers can request audit reports or conduct their own audits under specific conditions.
Anthropic will notify customers of a Security Breach without undue delay, and in any event within 48 hours.
Anthropic will delete or return customer data within 30 days of the agreement's termination.
The DPA incorporates the EU SCCs (Modules Two and Three) for international data transfers. It specifies that Irish law governs the agreement and that disputes will be resolved in Irish courts.
Outlines the parties involved, categories of data subjects and personal data (determined by the customer), and the purpose of processing (to provide the Services).
Details Anthropic's security program, including access controls (MFA, least privilege), encryption (AES-256 at rest, TLS 1.2+ in transit), vulnerability management, and incident response.
Includes specific addenda for transfers subject to UK and Swiss data protection laws, adapting the EU SCCs for those jurisdictions.
This is a summary for informational purposes. For the complete legal text, please visit the official DPA at https://www.anthropic.com/legal/data-processing-addendum.