05 June
Before bringing Claude AI into an organization, the first questions from IT Security and Compliance are: "How safe is the data, is it used to train models, can we audit it?" This article summarizes Claude's enterprise data governance and security — the standards it meets, training/retention, audit, and how to position it for PDPA compliance. One principle to grasp from the start: Claude runs on Anthropic's cloud (not on-premise like an ERP system), so good governance is about "configuration and policy," not just trusting the vendor.
In short: 5 security/governance pillars
- Standards: ISO 27001:2022, ISO/IEC 42001:2023 (AI), SOC 2 Type I & II, HIPAA-ready (BAA available)
- Training: commercial data (Team/Enterprise/API) is not used to train models by default
- Retention: configurable + a ZDR (Zero Data Retention) addendum for Enterprise
- Audit: full audit logs + Compliance API (Enterprise)
- Scope to understand: the certifications cover Anthropic's infrastructure — not your app or how you use it
Certifications Anthropic holds
Anthropic holds international security and AI-management certifications that Thai organizations can use as criteria in vendor assessments.
| Standard | Covers |
|---|---|
| ISO/IEC 27001:2022 | Information Security Management System (ISMS) |
| ISO/IEC 42001:2023 | AI Management System — a new AI-specific standard |
| SOC 2 Type I & Type II | Security controls (detailed report via Trust Portal under NDA) |
| HIPAA-ready | BAA available for commercial customers processing health data |
Understanding certification scope: these standards certify Anthropic's infrastructure and internal controls (access control, incident response, vendor management) — they do not automatically make your organization's use of Claude compliant. That remains your responsibility, through configuration and policy.
Is data used to train models, and how long is it retained?
This is Compliance's biggest concern. The short answer: for commercial use, data is not used for training by default.
- Not trained by default — data from Team, Enterprise and API is not used to train models by default (unlike some consumer usage).
- Configurable retention — Enterprise can set custom retention.
- ZDR (Zero Data Retention) — an Enterprise addendum under which data is not written to disk after the session ends, suited to regulated data (see Claude Enterprise for data-residency and ZDR options).
Access control + Audit — who accesses what, and can it be traced?
For organizations doing serious governance, access-control and audit capabilities sit at the Enterprise level.
| Capability | Available from |
|---|---|
| SSO (SAML/OIDC) + SCIM provisioning | Enterprise |
| Audit logs (user actions, data access) | Enterprise (basic on Team) |
| Compliance API (export logs to SIEM) | Enterprise |
| Data residency choice (e.g. EU region) | Enterprise |
See admin-level policy settings in Claude Team & PDPA and User Management.
Positioning for PDPA — Claude is the "processor"
Under Thailand's Personal Data Protection Act (PDPA), when an organization sends personal data to Claude for processing, the responsibility structure is typically:
- Your organization = Data Controller — sets the purpose and holds the legal duties.
- Anthropic = Data Processor — processes on your instructions under a DPA.
- Cross-border issue: Claude processes on the cloud (US, or a chosen region on Enterprise) — sending personal data abroad must be assessed under PDPA Sections 28/29, with a complete DPA.
Different from on-premise ERP: with an ERP installed in-house, data never leaves your machines — but Claude is a cloud service, so you rely on governance tools (DPA, retention controls, not sending more than necessary) rather than "keeping data at home." Don't apply on-prem privacy reasoning wholesale to cloud AI.
Best practice — governance to set up before org-wide rollout
- Sign a DPA with Anthropic and keep compliance documents from the Trust Portal.
- Classify your data — define which data levels must never go into AI.
- Issue a usage policy — no secrets/PII beyond necessity, define allowed use cases.
- Enable audit + ship to your SIEM (Enterprise), retaining logs per your compliance schedule.
- Consider ZDR for workloads with regulated data.
Claude's enterprise security doesn't end at "which certifications Anthropic holds" — it comes down to how your organization configures it and sets usage policy. Certifications cover the provider's infrastructure; using it safely is something we can design together.
- A data-governance view for Thai organizations adopting AI
References
- Anthropic Privacy Center — Certifications obtained
- Anthropic Trust Center
- Thailand PDPC (Personal Data Protection Committee)
Need Claude governance to pass compliance?
Grand Linux procures Claude Enterprise with a DPA and advises on data governance/PDPA for AI use in your organization (optional paid service).
Get advice / request a quote
Tel 02-347-7730 | sale@grandlinux.com
