Security & governance
the complete guide
What the CFO and general counsel want to know before rolling out Claude. Data retention, SSO, SOC 2, Japan residency. The 15-minute incident playbook. And the new approval-fatigue section that treats mindless click-through as a design problem, not a willpower problem.
1. Data retention and zero data retention
Default retention policy
Anthropic's default retention window for commercial customers is 30 days. API inputs and outputs are deleted automatically. Conversations through Claude Team and Enterprise stay until a user explicitly deletes them, and once deleted they're purged from the backend within 30 days.
Exceptions:
- Usage-policy violations: up to 2 years
- Safety classification scores tied to violations: up to 7 years
- Legal or contractual hold: custom periods
Zero data retention (ZDR)
With ZDR, customer data is dropped from memory after the API response is returned and nothing is persisted โ except for what's needed to meet law-enforcement or abuse-prevention obligations.
| Scope | Covered / not covered |
|---|---|
| ZDR covers | Claude Messages API, Token Counting API, Claude Code (via API key and via Claude Enterprise) |
| ZDR does not cover | Console, Workbench (web UI), Claude Consumer (Free / Pro / Max), Claude Teams, Claude Enterprise UI (except Claude Code), third-party integrations such as Bedrock and Vertex AI |
Enablement: contact the Anthropic sales team. They verify eligibility and turn ZDR on per organization. Switching it on automatically disables certain features that need conversation history to work.
The commercial-terms guarantee
Anthropic's commercial terms state in writing that customer content is not used to train models. Inputs and outputs from commercial customers never end up in the permanent model-improvement pipeline.
2. Identity and access (SSO, SCIM, MFA, RBAC)
Single sign-on (SSO)
Claude Enterprise supports SAML 2.0 and OIDC. Supported IdPs:
- Microsoft Entra ID (Azure AD)
- Google Workspace
- Okta
- Ping Identity
- Any standards-compliant SAML or OIDC IdP
Enforcement options:
Require SSO for Consoleโ admins must sign in via SSORequire SSO for Claudeโ end users must sign in via SSO- MFA policy is inherited from the IdP automatically
SCIM user provisioning
SCIM directory sync is Enterprise-only. When you add or remove a user in the IdP, Claude follows within seconds. Remove a user in the IdP and their access dies across web, desktop, and CLI at the same time. That matters on the day someone leaves.
Role-based access control (RBAC)
| Role | Permissions |
|---|---|
| Admin | All configuration and user management |
| Member | Standard Claude usage |
| Workspace-specific roles | Per-project delegation |
Domain claim
Claim your corporate email domain and any signup attempt from that domain gets routed into the Enterprise workspace. It's the cleanest way to kill shadow IT on personal accounts.
3. Audit and compliance (SOC 2, ISO, HIPAA, GDPR, PIPA)
Certifications
| Certification | Scope | Notes |
|---|---|---|
| SOC 2 Type I & II | Anthropic corp | 12-month observation window, five trust criteria audited by an independent party |
| ISO 27001:2022 | Information security management | API infrastructure, customer data processing, internal access control |
| ISO/IEC 42001:2023 | AI management system | AI security and quality management |
| HIPAA-ready | API layer (BAA required) | For organizations handling protected health information |
Enterprise customers can pull SOC 2 Type II reports and ISO certificates from the Anthropic Trust Portal under NDA.
GDPR and DPA
Anthropic provides a Data Processing Addendum to customers subject to GDPR. Standard Contractual Clauses are included. Accepting the commercial terms pulls in the DPA automatically.
HIPAA (healthcare)
Once a Business Associate Agreement is signed, the Claude API exposes a HIPAA-ready surface. Customers handling PHI get a separately provisioned HIPAA-enabled organization.
Note: Claude Code is not covered by HIPAA. API only.
Japan (APPI)
Anthropic processes personal information in line with Japan's Act on the Protection of Personal Information. The Japan entity is Anthropic Japan GK. Personal information is held on secure servers with encryption and access restrictions in place.
4. Japan data residency
Direct API (Anthropic-hosted)
Anthropic's direct Claude API (api.anthropic.com) runs in US and Global regions only. There's no Tokyo region. If you've got a legal or contractual requirement for in-country processing, the direct API won't meet it.
AWS Bedrock ap-northeast-1 (recommended)
Verified 2026-04-20: Claude Opus 4.7 is generally available in AWS Bedrock Tokyo (ap-northeast-1) for production use.
Regional behaviour:
ap-northeast-1โ Tokyo data centre- Cross-region inference profiles keep traffic within US, EU, Japan, or Australia
- Quota increases have to be requested from the region you need them in
Available models:
- Claude Opus 4.7 (latest)
- Claude Sonnet 4.5 / 4.6
- Claude Haiku 4.5
Google Cloud Vertex AI (Tokyo)
Vertex AI supports both multi-region endpoints (dynamic routing across regions) and regional endpoints pinned to a single region. Pin it to Tokyo and processing stays in Japan.
Note: when you integrate directly with Vertex, Google Cloud's DPA applies, not Anthropic's.
5. API key management โ the essentials
We have a whole page on API keys. For the full walkthrough, see the API key hygiene guide. Here are just the governance-level bits.
Secret managers
| Tool | Best fit | MIXI recommendation |
|---|---|---|
| AWS Secrets Manager | Dynamic fetch in Lambda, EC2, ECS | โ โ โ โ โ |
| 1Password | Team sharing plus audit logs | โ โ โ โ โ |
| Doppler | CI/CD and env-var sync | โ โ โ โ โ |
| HashiCorp Vault | On-prem and hybrid | โ โ โ โ โ |
Don't:
- Hard-code keys or commit them
- Paste them into Slack, email, or shared docs
- Keep long-lived keys with no rotation
- Share admin keys across people
Rotation schedule
Rotate every 90 days, or immediately on detected leak.
Staged rotation, five steps:
- Generate the new key, store in Secrets Manager
- Update app env vars to the new key (canary first)
- Run old and new in parallel for 7 days
- Disable the old key
- Confirm retirement at the monthly review
Scope minimisation
One key, one purpose.
PROD_API_KEYโ production only, read/writeSTAGING_API_KEYโ staging, read-only (optional)CI_CD_KEYโ GitHub Actions or GitLab Runner, scoped to the projectLOCAL_DEV_KEYโ per-developer, 30-day expiry on dev machines
Audit logs
The Claude Enterprise dashboard records every key operation. Check monthly:
- Key creation and deletion history
- Anomalous call patterns โ geography, rate, error percentage
- Unused keys flagged for retirement
6. Incident response โ the 15-minute playbook
What counts as an incident
Any of these triggers a 15-minute response:
- API key accidentally committed to a repo
- GitHub public repo exposure caught by an automated scanner
- Cost spike โ 5x or more week-over-week
- API calls from an unexpected geography
- Suspected prompt injection (Anthropic abuse report)
- Unauthorized tool execution or file access by Claude Code
The 15-minute playbook
| Time | Owner | Action | Deliverable |
|---|---|---|---|
| T+0 | Detector | Incident report in Slack #security-alerts | Short written report |
| T+3 | Security lead | Escalate to Anthropic support (support@anthropic.com) | Support ticket ID |
| T+5 | Dev lead | Revoke or disable the suspect key from Console immediately | Revocation confirmed |
| T+7 | Auditor | Pull last 24h of API logs, check for anomalies (who called what) | Log analysis report |
| T+10 | Security lead | Update all teams; decide on exec notification | Risk assessment |
| T+15 | Named owner | Generate and deploy new keys; lock in the rotation schedule | Recovery plan |
Anthropic contacts
- Support: support.anthropic.com
- Abuse report:
api-abuse@anthropic.com - Security issues: HackerOne anthropic-vdp
7. Prompt injection countermeasures
Known attack vectors
Per Anthropic's production research, roughly 90% of Agent incidents originate from tool-output injection.
| Vector | Share | Example |
|---|---|---|
| Direct prompt | 10% | A user types malicious instructions straight into Claude |
| Tool-output injection | 50%+ | Instructions embedded in API responses or Web fetch results |
| MCP server poisoning | 20%+ | An untrusted MCP server returns malicious payloads |
| Config and env poisoning | 10%+ | ANTHROPIC_BASE_URL overridden to an attacker endpoint; Hooks or MCP config tampered with |
Claude Code defences
Permission-based architecture:
- Read-only by default โ file writes and command execution require explicit permission
/sandboxisolates bash runs (filesystem and network restrictions)- Command blocklist โ
curl,wget, and other arbitrary-content fetchers are blocked by default
Cowork (remote collaboration) restrictions:
- Trust Verification prompt when cloning untrusted repos
- File watch โ no writes above the parent directory
- Network request approval โ external API calls need pre-authorisation
MIXI-recommended three-layer defence
| Layer | Controls |
|---|---|
| Layer 1 โ Model | Use Claude Sonnet 4.5 or later (improved attack detection) |
| Layer 2 โ System | Allowlist MCP servers from trusted providers only; run Claude Code inside a VM or devcontainer |
| Layer 3 โ Operational | Log all API calls to CloudWatch; monthly anomaly-detection dashboard; code review for risk assessment |
8. Model training implications
Default behaviour
Anthropic does not train models on commercial customer inputs or outputs โ it's in the commercial terms in writing. Two exceptions:
- User Safety classifier results (abuse-detection scores) โ retained and used
- Aggregated, de-identified patterns โ usable for improvement research
Enterprise opt-out
With ZDR, the guarantees tighten further:
- Inputs and outputs are deleted from storage after the API response returns
- User Safety classification is also deleted unless a policy-violation flag fires
Consumer vs commercial
| Surface | Training use | Where to check |
|---|---|---|
| Claude Free / Pro / Max | Possible โ user can opt out in privacy settings | claude.ai/settings/privacy |
| Claude API (commercial) | No | Automatic; confirmed in ZDR contract |
| Claude Code Desktop | No | Confirmed via org-level ZDR |
Require SSO for Claude, and shadow IT goes away.
9. Network and transport (TLS, IP allowlisting, mTLS)
TLS encryption
All traffic to the Claude API runs over TLS. Encryption strength is industry standard.
- API endpoint โ
api.anthropic.com(HTTPS only) - Remote Control sessions โ TLS over a streaming connection (local session routes messages through the Anthropic API)
Egress IP restrictions
Claude Enterprise supports IP allowlisting.
- Admins set an allowed-IP list in Organization settings
- Authentication attempts from client IPs outside that list get blocked
Example: only the MIXI HQ LAN segment 203.0.113.0/24 can authenticate.
Corporate proxy and mTLS
Enterprise deployments can configure the following via environment variables:
- HTTP proxy for outbound traffic
- Custom Certificate Authority (CA) trust
- mTLS client certificates for mutual authentication
Watch out for
- WebDAV on Windows is Microsoft-deprecated โ avoid
- Package manager access (
npm, PyPI) can be scoped to allowed domains, but token exfiltration risk remains โ minimise credentials
10. Enterprise procurement
DPA and BAA signing
| Step | Duration | Owner |
|---|---|---|
| Initial sales contact | Same day | Anthropic account team |
| Scope definition | 2โ3 days | Legal + InfoSec + Sales |
| DPA / BAA draft delivered | 1โ2 days | Anthropic Legal |
| Internal legal review | 5โ7 days | MIXI Legal |
| Redlines and negotiation | 7โ14 days | Anthropic Legal + MIXI Legal |
| Signature and execution | 1โ2 days | Approver and signatory |
Standard DPA includes Anthropic's Standard Contractual Clauses.
InfoSec questionnaire / RFI
Anthropic provides:
- SOC 2 Type II report (under NDA)
- ISO 27001 and ISO 42001 certificates
- HIPAA Implementation Guide (when HIPAA is in scope)
- Penetration test summary on request
Recommended process:
- Submit your security questionnaire to Anthropic (any standard template works)
- Anthropic compliance team typically responds within 3โ5 business days
- Take the response to the internal information security board for review
Typical review timelines
| Contract type | Timeline |
|---|---|
| Lightweight (no ZDR) | 2โ3 weeks |
| Standard (ZDR + baseline compliance) | 4โ6 weeks |
| Complex (HIPAA + custom SLA) | 8โ12 weeks |
Start the Anthropic sales conversation early and kick off legal in parallel.
11. Approval fatigue โ the human-in-the-loop problem
Every executive who tries Claude Code surfaces the same worry within a week. "I'm going to press Approve so many times that eventually I'll stop reading what's in the diff." It's not paranoia. It happens. Human attention drops off sharply inside a 30-minute session. Approval dialog number forty isn't being read โ it's being clicked.
And that habituation is where the security risk lives. One backdoor line dropped into a larger diff gets Accepted without a glance.
Five mitigations
Lead with Plan mode
Instead of approving 40 per-change diffs, read the Plan carefully once at the start, then let Auto Accept run. Brain engaged on the design review, not on every edit. Individual changes become a spot-check for drift from the plan, nothing more.
Write the auto-approve boundary down
In settings.json, make it explicit: "read-only auto-approves, write or execute always asks". Draw the line in code and you don't have to draw it in willpower. Example: allow: Read, Grep, Glob / ask: Edit, Write, Bash.
Diff-size gate
Any diff over 20 lines โ you read it. Over 100 โ ask Claude to summarise first, then decide. A numeric rule removes the "I'm tired" excuse, because the number doesn't care how you feel.
End-of-session sweep
Before closing out, run git diff HEAD~N and read the full session's changes as a single diff. Stuff you waved through per-action sometimes looks off when you zoom out. Problems you missed in the moment tend to surface here.
Red-team drill (monthly)
Mid-session, deliberately ask Claude to "embed an opaque base64 string in this file" or "slip in admin-privileged code calling an external API". If you approve it without noticing, that's your fatigue threshold. Untrained, it only gets worse.
Exec KPIs
Make approval quality visible as numbers and abstract worry turns into an operational problem you can actually fix.
| KPI | Target | How to measure |
|---|---|---|
| Post-merge defect rate on Claude-authored PRs | <2% | Monthly pull of merged PRs cross-referenced with the bug tracker |
| Post-approval revert rate | <5% | Claude-generated commits reverted within 30 days |
| Red-team detection rate | 80%+ | Share of monthly-drill traps that got caught |
| Average approvals per session | Under 20 | High numbers mean Plan mode isn't doing its job |
12. Official sources
Everything here traces back to the Anthropic documentation and Trust Center materials below. Last verified 2026-04-22.
- Anthropic Trust Center
- Privacy Center
- Claude Help Center
- API Documentation
- Claude Code Docs
- Legal Docs
- Security Report โ HackerOne
- Zero Data Retention โ Claude Code Docs
- AWS Bedrock Claude Opus 4.7 in Japan (2026-04-20)
- Set up Single Sign-On (SSO) โ Claude Help Center
- Restrict Access with IP Allowlisting
Based on information as of 2026-04-21. Anthropic ships fast โ features, pricing, and compliance scope can change without notice.
- Anthropic Trust Center โ SOC 2 / ISO / HIPAA / GDPR certifications
- Privacy Center โ retention policy and ZDR detail
- Claude Help Center โ SSO, SCIM, IP allowlisting setup
- API Documentation โ API key management and rate limits
- Claude Code Docs โ Desktop and CLI security model
- Legal Docs โ commercial terms, DPA, SCC
- Security Report โ HackerOne โ vulnerability reporting
- Zero Data Retention โ Claude Code Docs โ ZDR coverage matrix
- AWS Bedrock Claude Opus 4.7 in Japan (2026-04-20) โ Opus 4.7 GA in Tokyo
- Set up Single Sign-On (SSO) โ SAML / OIDC IdP integration
- Restrict Access with IP Allowlisting โ egress IP controls