Data Privacy & Security
Your data is your business.
We treat it that way.
An AI Operating System handles your most sensitive information — strategy, clients, pricing, processes. Here is exactly how we protect it.
Anthropic's certifications
SOC 2 Type II
Independent audit of security controls and operational effectiveness
ISO 27001:2022
International standard for information security management systems
ISO/IEC 42001:2023
AI-specific management system standard; Anthropic is one of the first AI providers certified
HIPAA-ready
Business Associate Agreement available for healthcare and regulated industries
Source: Anthropic Trust Center
Your questions, answered
Where is my data processed?
Claude API processes data on Anthropic's infrastructure. Enterprise customers can request US-only data residency. We are exploring European data residency options for Swiss clients and will update this page as they become available. Your structured context files (CLAUDE.md, memory) can be stored on infrastructure you control.
Does Anthropic train on my data?
No. Anthropic explicitly states: "We do not train Claude on your conversations and content" for Enterprise customers. This is a contractual commitment, not just a policy.
What is Zero Data Retention (ZDR)?
Available for Enterprise API customers. With ZDR enabled, Anthropic does not store your inputs or outputs after processing, except where required by law or to prevent abuse. Safety classifier results are retained for usage policy enforcement, but your actual business content is not stored.
What happens to my data after the engagement ends?
All context files, configurations, and deliverables belong to you. Everything can be transferred to your own infrastructure. If any components are hosted externally (e.g., Supabase databases for data connections), a complete export and deletion is provided upon termination.
How is access controlled?
Claude Enterprise provides SSO (Single Sign-On) and SCIM (automated user provisioning). Additional role-based access controls can be configured at the application layer, defining which team members can access which data, trigger which skills, and at what level of autonomy.
Is there an audit trail?
Yes, at two levels. Claude Enterprise provides built-in audit logs (user actions, system events, data access). An AIOS-Logs layer can add a second level: logging every AI session, every tool call, every file access. You can see exactly what the AI did, when, and why.
Is this compliant with Swiss law (FADP/nLPD)?
The Swiss Federal Act on Data Protection (FADP/nLPD, effective September 2023) requires appropriate technical and organizational measures for data processing. Anthropic's SOC 2, ISO 27001, and zero data retention address the technical requirements. The organizational measures (data processing agreements, access controls, documentation of processing activities) are part of the Governance Layer of the AIOS framework.
What about GDPR?
Anthropic's enterprise terms address GDPR requirements including data processing agreements, sub-processor management, and data subject rights. If your company serves EU clients or has EU-based employees, the AIOS implementation should be configured to respect GDPR obligations.
Can I get a Data Processing Agreement (DPA)?
Yes. Anthropic provides DPAs for Enterprise customers. A separate DPA can be arranged for any consulting engagement. Both are available upon request before any work begins.
Have a specific compliance question?
Contact us at contact@getaios.ai