Commercial Terms of Service
Welcome to Anthropic! Before accessing our Services, please read these Commercial Terms of Service.
These Commercial Terms of Service (“Terms”) are an agreement between Anthropic, PBC (“Anthropic”) and you or the organization, company, or other entity that you represent (“Customer”). They govern Customer’s use of any Anthropic API key, the Anthropic Console, Team or enterprise tools, or any other Anthropic offerings that references these Terms (the “Services”). These Terms are effective on the earlier of the date that Customer first electronically consents to a version of these Terms and the date that Customer first accesses the Services (“Effective Date”). These Terms incorporate by reference our Service Specific Terms.
Please note: You may not enter into these Terms on behalf of an organization, company, or other entity unless you have the legal authority to bind that entity. Services under these Terms are not for consumer use. Our consumer offerings (e.g., Claude.ai) are governed by our Terms of Service instead.
A. Services
- Overview. Subject to these Terms, Customer may use the Services, including to make submissions to the Services (“Prompts”) and generate responses to its Prompts (“Outputs” and, together with Prompts, “Customer Content”).
- Beta Services. Anthropic may offer Services that are in pre-release, beta, or trial form (“Beta Services”). This means that they are not suitable for production use and provided “as-is” on a temporary basis. Anthropic is not responsible for Customer’s use of or reliance on Beta Services.
- Feedback. If Customer decides, in its sole discretion, to provide Anthropic with feedback regarding the Services, Anthropic may use that feedback at its own risk and without obligation to Customer.
- Customer Content. As between the parties and to the extent permitted by applicable law, Anthropic agrees that Customer owns all Outputs, and disclaims any rights it receives to the Customer Content under these Terms. Anthropic does not anticipate obtaining any rights in Customer Content under these Terms. Subject to Customer’s compliance with these Terms, Anthropic hereby assigns to Customer its right, title and interest (if any) in and to Outputs. Anthropic may not train models on Customer Content from paid Services.
- Data Privacy. If Customer submits personal data or personally identifiable information (collectively, “PII”) to the Services, the Anthropic Data Processing Addendum in Exhibit A applies and is incorporated into these Terms by reference.
B. Trust and Safety; Restrictions
- Compliance. Each party will comply with all laws applicable to the provision (for Anthropic) and use (for Customer) of the Services, including any applicable data privacy laws.
- Acceptable Use Policy. Customer may only use the Services in compliance with these Terms, including the Acceptable Use Policy (“AUP”), which is incorporated by reference into these Terms, and which may be updated by Anthropic. Customer must use reasonable efforts to ensure the same of its customers or other end users (“Users”). Customer must cooperate with reasonable requests for information from Anthropic to support compliance with its AUP, including to verify Customer’s identity and use of the Services.
- Limitations of Outputs; Notice to Users. It is Customer’s responsibility to evaluate whether Outputs are appropriate for Customer’s use case, including where human review is appropriate, before using or sharing Outputs. Customer acknowledges, and must notify its Users, that factual assertions in Outputs should not be relied upon without independently checking their accuracy, as they may be false, incomplete, misleading or not reflective of recent events or information. Customer further acknowledges that Outputs may contain content inconsistent with Anthropic’s views.
- Use Restrictions. Customer may not and must not attempt to (a) access the Services to build a competing product or service, including to train competing AI models except as expressly approved by Anthropic; (b) reverse engineer or duplicate the Services; or (c) support any third party’s attempt at any of the conduct restricted in this sentence. Customer and its Users may only use the Services in the countries and regions Anthropic currently supports.
- Security. Customer will promptly notify Anthropic if Customer believes or knows that (a) the account it uses to access the Services has been compromised, or (b) Customer is subject to a denial of service or similar malicious attack that may negatively impact the Services.
C. Confidentiality
- Confidential Information. The parties may share information that is identified as confidential, proprietary, or similar, or that a party would reasonably understand to be confidential or proprietary ("Confidential Information"). Customer Content is Customer’s Confidential Information.
- Obligations of Parties. The receiving party ("Recipient") may only use the Confidential Information of the disclosing party ("Discloser") to exercise its rights and perform its obligations under these Terms. Recipient may only share Discloser’s Confidential Information to Recipient’s employees, agents, and advisors that have a need to know such Confidential Information and who are bound to obligations of confidentiality at least as protective as those provided in these Terms ("Representatives"). Recipient will protect Discloser’s Confidential Information from unauthorized use, access, or disclosure in the same manner as Recipient protects its own Confidential Information, and with no less than reasonable care. Recipient is responsible for all acts and omissions of its Representatives. Recipient will promptly notify Discloser if it suspects or knows that Discloser’s Confidential Information was breached, and agrees to cooperate to mitigate further risks of loss or misuse.
- Exclusions. Recipient’s obligations with respect to Confidential Information do not apply if Recipient demonstrates that Discloser’s Confidential Information was (a) already known to Recipient at the time of disclosure by Discloser, (b) disclosed to Recipient by a third party without a duty of confidentiality, (c) publicly available through no fault of Recipient, or (d) independently developed by Recipient without use of or access to Discloser’s Confidential Information. Recipient may disclose Discloser’s Confidential Information to the extent it is required by law, or court or administrative order, but will, except where expressly prohibited, notify Discloser of the required disclosure promptly and fully cooperate with Discloser.
- Destruction Request. Recipient will destroy Discloser’s Confidential Information promptly upon request, except copies in Recipient’s automated back-up systems, which will remain subject to these obligations of confidentiality while maintained.
D. Intellectual Property
Except as expressly stated in these Terms, these Terms do not grant either party any rights to the other’s content or intellectual property, by implication or otherwise.
E. Publicity
Anthropic may use Customer's name and logo to publicly identify Customer as a customer of the Services. Customer will consider in good faith any request by Anthropic to (1) provide a quote from a Customer executive regarding Customer’s motivation for using the Services that Anthropic may use publicly and (2) participate in a public co-marketing activity.
F. Fees
- Payment of Fees. Customer is responsible for fees incurred by its account, at the rates specified on the Model Pricing Page, unless otherwise agreed by the parties. Anthropic may require prepayment for the Services in the form of credits or offer other types of credits, all of which are subject to Anthropic’s Supplemental Credits Terms. Anthropic may update the published rates, to be effective the earlier of 30 days after the updates are posted by Anthropic or Customer otherwise receives Notice.
- Taxes. Fees do not include any taxes, duties, or assessments that may be owed by Customer for use of the Services ("Taxes"), unless otherwise specified in the applicable invoice. Customer is responsible for remitting any necessary withholding Taxes to the relevant authority on a timely basis and providing Anthropic with evidence of the same upon request. Where law provides for the reduction or elimination of withholding taxes, including via Tax treaty, the parties will collaborate in good faith to do so. For clarity, Customer must pay Anthropic the amount ("Gross-up Payment") that will ensure that Anthropic receives the same total amount that it would have received if no such withholding or reduction by Customer had been required (taking into account any and all applicable Taxes (including any Taxes imposed on the Gross-up Payment)).
- Billing. Failure to pay Anthropic all amounts owed when due may result in suspension or termination of Customer’s access to the Services. Anthropic reserves any other rights of collection it may have.
G. Termination and Suspension
- Term. These Terms start on the Effective Date and continue until terminated (the “Term”).
- Termination.
- Each party may terminate these Terms at any time for convenience with Notice, except Anthropic must provide 30 days prior Notice.
- Either party may terminate these Terms for the other party’s material breach by providing 30 days prior Notice detailing the nature of the breach unless cured within that time.
- Anthropic may terminate these Terms immediately with Notice if Anthropic reasonably believes or determines that Anthropic’s provision of the Services to Customer is prohibited by applicable law.
- Suspension.
- Anthropic may suspend Customer’s access to any portion or all of the Services if: (a) Anthropic reasonably believes or determines that (i) there is a risk to or attack on any of the Services; (ii) Customer or any User is using the Services in violation of Sections B.1 (Compliance), B.2 (Acceptable Use Policy) or B.4 (Use Restrictions); or (iii) Anthropic’s provision of the Services to Customer is prohibited by applicable law or would result in a material increase in the cost of providing the Services; or (b) any vendor of Anthropic has suspended or terminated Anthropic’s use of any third-party services or products required to enable Customer to access the Services (each, a “Service Suspension”).
- Anthropic will use reasonable efforts to provide written notice of any Service Suspension to Customer, and resume providing access to the Services, as soon as reasonably possible after the event giving rise to the Service Suspension is cured, where curable. Anthropic will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer may incur because of a Service Suspension.
- Effect of Termination. Upon termination, Customer may no longer access the Services. The following provisions will survive termination or expiration of these Terms: (a) Sections C (Confidentiality), E (Publicity), F (Fees), G.4 (Effect of Termination), H (Disputes), I (Indemnification), J.2 (Disclaimer of Warranties), J.3 (Limits on Liability), and K (Miscellaneous); (b) any provision or condition that must survive to fulfill its essential purpose.
H. Disputes
- Disputes. In the event of a dispute, claim or controversy relating to these Terms (“Dispute”), the parties will first attempt in good faith to informally resolve the matter. The party raising the Dispute must notify the other party (“Dispute Notice”), who will have 15 days from the date of delivery of the Dispute Notice to propose a time for the parties to meet with appropriately leveled executives to attempt to resolve the Dispute. If the parties have not resolved the dispute within 45 days of delivery of the Dispute Notice, either party may seek to resolve the dispute through arbitration as stated in Section H.2.
- Arbitration. Any Dispute will be determined by final, binding arbitration in San Francisco, California by a sole arbitrator pursuant to the Comprehensive Arbitration Rules and Procedures of Judicial Arbitration and Mediation Services, Inc. ("JAMS"). Judgment on any award issued through the JAMS arbitration process may be entered in any court having jurisdiction. EACH PARTY AGREES THEY ARE WAIVING THE RIGHT TO A TRIAL BY JURY, AND THE RIGHT TO JOIN AND PARTICIPATE IN A CLASS ACTION, TO THE FULLEST EXTENT PERMITTED UNDER THE LAW IN CONNECTION WITH THESE TERMS.
- Equitable Relief. This Section H (Disputes) does not limit either party from seeking equitable relief.
I. Indemnification
- Claims Against Customer. Anthropic will defend Customer and its personnel, successors, and assigns from and against any Customer Claim (as defined below) and indemnify them for any judgment that a court of competent jurisdiction grants a third party on such Customer Claim or that an arbitrator awards a third party under any Anthropic-approved settlement of such Customer Claim. "Customer Claim" means a third-party claim, suit, or proceeding alleging that Customer’s paid use of the Services (which includes data Anthropic has used to train a model that is part of the Services) in accordance with these Terms or Outputs generated through such authorized use violates third-party patent, trade secret, trademark, or copyright rights.
- Claims Against Anthropic. Customer will defend Anthropic and its personnel, successors, and assigns from and against any Anthropic Claim (as defined below) and indemnify them for any judgment that a court of competent jurisdiction grants a third party on such Anthropic Claim or that an arbitrator awards a third party under any Customer-approved settlement of such Anthropic Claim. “Anthropic Claim” means any third-party claim, suit, or proceeding related to Customer’s or its Users’ (a) Prompts or (b) use of the Services in violation of the AUP, the Service Specific Terms, or Section B.4 (Use Restrictions). Anthropic Claims and Customer Claims are each a “Claim”, as applicable.
- Exclusions. Neither party’s defense or indemnification obligations will apply to the extent the underlying allegation arises from the indemnified party’s fraud, willful misconduct, violations of law, or breach of the Agreement. Additionally, Anthropic’s defense and indemnification obligations will not apply to the extent the Customer Claim arises from: (a) modifications made by Customer to the Services or Outputs; (b) the combination of the Services or Outputs with technology or content not provided by Anthropic; (c) Prompts or other data provided by Customer; (d) use of the Services or Outputs in a manner that Customer knows or reasonably should know violates or infringes the rights of others; (e) the practice of a patented invention contained in an Output; or (f) an alleged violation of trademark based on use of an Output in trade or commerce.
- Process. The indemnified party must promptly notify the indemnifying party of the relevant Claim, and will reasonably cooperate in the defense. The indemnifying party will retain the right to control the defense of any such Claim, including the selection of counsel, the strategy and course of any litigation or appeals, and any negotiations or settlement or compromise, except that the indemnified party will have the right, not to be exercised unreasonably, to reject any settlement or compromise that requires that it admit wrongdoing or liability or subjects it to an ongoing affirmative obligation. The indemnifying party’s obligations will be excused if either of the following materially prejudices the defense: (a) failure of the indemnified party to provide prompt notice of the Claim; or (b) failure to reasonably cooperate in the defense.
- Sole Remedy. To the extent covered under this Section I (Indemnification), indemnification is each party’s sole and exclusive remedy under these Terms for any third-party claims.
J. Warranties and Limits on Liability
- Warranties. Each party represents and warrants that (a) it is authorized to enter into these Terms; and (b) entering into and performing these Terms will not violate any of its corporate rules, if applicable. Customer further represents and warrants that it has all rights and permissions required to submit Prompts to the Services.
- Disclaimer of Warranties. EXCEPT TO THE EXTENT EXPRESSLY PROVIDED FOR IN THESE TERMS, TO THE MAXIMUM EXTENT PERMITTED UNDER LAW (A) THE SERVICES AND OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND; AND (B) ANTHROPIC MAKES NO WARRANTIES, EXPRESS OR IMPLIED, RELATING TO THIRD-PARTY PRODUCTS OR SERVICES, INCLUDING THIRD-PARTY INTERFACES. ANTHROPIC EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING OR PERFORMANCE, OR TRADE USE. ANTHROPIC DOES NOT WARRANT, AND DISCLAIMS THAT, THE SERVICES OR OUTPUTS ARE ACCURATE, COMPLETE OR ERROR-FREE OR THAT THEIR USE WILL BE UNINTERRUPTED. REFERENCES TO A THIRD PARTY IN THE OUTPUTS MAY NOT MEAN THEY ENDORSE OR ARE OTHERWISE WORKING WITH ANTHROPIC.
- Limits on Liability.
- Except as stated in Section J.3.b, the liability of each party, and its affiliates and licensors, for any damages arising out of or related to these Terms (i) excludes damages that are consequential, incidental, special, indirect, or exemplary damages, including lost profits, business, contracts, revenue, goodwill, production, anticipated savings, or data, and costs of procurement of substitute goods or services and (ii) is limited to Fees actually paid by Customer for the Services in the previous 12 months.
- The limitations of liability in this Section J.3 (Limits on Liability) do not apply to either party’s obligations under Section I (Indemnification).
- THE LIMITATIONS OF LIABILITY IN THIS SECTION J.3 (LIMITS ON LIABILITY) APPLY: (A) TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW; (B) TO LIABILITY IN TORT, INCLUDING FOR NEGLIGENCE; (C) REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT PRODUCT LIABILITY, OR OTHERWISE; (D) EVEN IF THE BREACHING PARTY IS ADVISED IN ADVANCE OF THE POSSIBILITY OF THE DAMAGES IN QUESTION AND EVEN IF SUCH DAMAGES WERE FORESEEABLE; AND (E) EVEN IF THE INJURED PARTY'S REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.
- The parties agree that they have entered into these Terms in reliance on the terms of this Section J.3 (Limits on Liability) and those terms form an essential basis of the bargain between the parties.
K. Miscellaneous
- Notices. All notices, demands, waivers, and other communications under these Terms (each, a "Notice") must be in writing. Except for notices related to demands to arbitrate or where equitable relief is sought, any Notices provided under these Terms may be delivered electronically to the Customer’s address or other authorized addresses provided to Anthropic; and to notices@anthropic.com if to Anthropic. Notice is effective only: (i) upon receipt by the receiving party, and (ii) if the party giving the Notice has complied with all requirements of this Section K.1 (Notices).
- Electronic Communications. Customer agrees to receive electronic communications from Anthropic based on Customer’s use of the Services and related to these Terms. Except where prohibited by applicable law, electronic communications may include email, through the Services or Customer’s management dashboard, or on Anthropic’s website. Anthropic may also provide electronic communications via text or SMS about Customer’s use of the Services or as Customer otherwise requests from Anthropic. If Customer wishes to stop receiving such messages, Customer may request it from Anthropic or respond to any such texts with “STOP.”
- Amendment and Modification. Anthropic may update these Terms at any time, to be effective 30 days after the updates are posted by Anthropic or Customer otherwise receives Notice, except that updates made in response to changes to law or regulation take effect immediately upon posting or Notice. Changes will not apply retroactively. No other amendment to or modification of these Terms is effective unless it is in writing and signed by both parties. Failure to exercise or delay in exercising any rights or remedies arising from these Terms does not and will not be construed as a waiver; and no single or partial exercise of any right or remedy will preclude future exercise of such right or remedy.
- Assignment and Delegation. Neither party may assign its rights or delegate its obligations under these Terms without the other party’s prior written consent, except that Anthropic may assign its rights and delegate its obligations as part of a sale of all or substantially all its business. Any purported assignment or delegation is null and void except as permitted above. No permitted assignment or delegation will relieve the contracting party or assignees of their obligations under these Terms. These Terms will bind and inure to the benefit of the parties and their respective permitted successors and assigns.
- Severability. If a provision of these Terms is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will neither affect any other term or provision of these Terms nor invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the parties will negotiate in good faith to modify these Terms to reflect the parties’ original intent as closely as possible.
- Interpretation. These Terms will be construed mutually, with neither party considered the drafter. Document and section titles are provided for convenience and will not be interpreted. The phrases “for example” or “including” or “or” are not limiting.
- Governing Law. These Terms are governed by and construed in accordance with the laws of the State of California, without giving effect to any choice of law provision. Subject to Section H (Disputes), all suits, action, or proceedings related to these Terms will be instituted exclusively in federal or state courts located in San Francisco, California, and each party irrevocably submits to their exclusive jurisdiction.
- Export and Sanctions. Customer may not export or provide access to the Services to persons or entities or into countries or for uses where it is prohibited under U.S. or other applicable international law. Without limiting the foregoing sentence, this restriction applies (a) to countries where export from the US or into such country would be prohibited or illegal without first obtaining the appropriate license, and (b) to persons, entities, or countries covered by U.S. sanctions.
- Integration. These Terms (including the AUP, DPA, Model Pricing Page and other documents or terms that are incorporated by reference by these Terms) constitute the parties’ entire understanding as to the Services’ provision and use. These Terms supersede all other understandings or agreements between the parties regarding the Services. If Customer has also agreed to our Terms of Service, these Terms control.
- Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.
Exhibit A: Anthropic Data Processing Addendum
This Data Processing Addendum (“DPA”) applies to Anthropic PBC, a Public Benefit Corporation (“Anthropic”) and its processing of Personal Data in relation to the provision of Anthropic’s Services to the Customer (as defined in the contract referencing this DPA under which Anthropic has agreed to provide Services). Unless otherwise expressly stated in the Agreement, this DPA shall be effective and remain in force for the full term of the Agreement. Anthropic and the Customer each may be referred to herein as a “Party” or collectively as the “Parties.”
1. DEFINITIONS
- "Customer Affiliate" means an affiliate of Customer who is a beneficiary to the Agreement.
- "Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.
- "Controller" will have the following meaning (as applicable): (a) the meaning given to “controller” under Applicable Data Protection Laws; or (b) the meaning given to “business” under Applicable Data Protection Laws.
- "Covered Data" means Personal Data shared by Customer or a Customer Affiliate in relation to the provision of the Services. “Data Subject” means a natural person whosePersonal Data is part of the Covered Data.
- “Data Subject Requests” means a request from a Data Subject to exercise their rights under Applicable Data Protection Laws. "GDPR" means Regulation (EU) 2016/679.
- “Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information underApplicable Data Protection Laws.
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and“Processed” will be interpreted accordingly.
- “Processor” will have the following meaning (as applicable): (a) the meaning given to“processor” under Applicable Data Protection Laws; or (b) the meaning given to “service provider” under Applicable Data Protection Laws.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to(including unauthorized internal access to), Covered Data.
- "Services" means the services to be provided by Anthropic pursuant to the Agreement.
- "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor)and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
- "Sub-processor" means an entity appointed by Anthropic, as a Processor, toProcess Covered Data on its behalf.
- “UK GDPR” has the meaning given under the Data Protection Act 2018 (UK).
2. GENERAL
- This DPA is incorporated into and forms an integral part of the Agreement. If there is any conflict between this DPA and the Agreement relating to the Processing of Covered Data, this DPA shall govern. Customer acknowledges and agrees that Anthropic may amend this DPA from time to time on reasonable notice to Customer where such changes are required because of changes in Applicable Data Protection Laws.
- Clauses 3 to 9 of this DPA apply to the extent Anthropic acts as a Processor on behalf of Customer with respect to the Covered Data.
3. DETAILS OF DATA PROCESSING
- The details of the Processing of Covered Data (such as subject matter, duration, nature, and purpose of the Processing, categories of Personal Data and DataSubjects) are described in the Agreement and in Part B of Schedule 1 to this DPA.
- Anthropic will only Process Covered Data in accordance with Applicable DataProtection Laws and on the documented instructions of Customer (including as set out in the Agreement and this DPA), unless required to do otherwise by applicable law to which Anthropic is subject, in which case Anthropic will, unless prohibited by applicable law, inform Customer of such legal requirement before Processing. Without limiting the foregoing, Anthropic is prohibited from:
- selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
- sharing Covered Data with any third party for cross-context behavioural advertising;
- retaining, using, or disclosing Covered Data outside of the direct business relationship and for any purpose other than for the business purposes specified in Part B of Schedule 1 or as otherwise permitted by Applicable Data Protection Laws; and
- except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that Anthropic receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
- To the extent that any of the instructions provided by Customer to Anthropic in accordance with clause 3.b require Processing of Covered Data in a manner that falls outside the scope of the Services, Anthropic may:
- notify Customer that such instructions fall outside the scope of Services under theAgreement and not carry out such instructions, or at Anthropic’s election, make the performance of any such instructions subject to the payment by Customer of any costs and expenses incurred by Customer or such additional charges asCustomer may reasonably determine; or
- immediately terminate the Agreement and the Services.
- Anthropic will promptly inform Customer if, in its opinion, an instruction from Customer relating to the Processing of Covered Data infringes Applicable Data Protection Law.
- Customer hereby authorises and instructs Anthropic to Process Covered Data anywhere that Anthropic or its Sub-processors maintain facilities.
- Anthropic will, at the request of Customer, provide assistance that is reasonable necessary for Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws.
- Customer will have the right to take reasonable and appropriate steps to ensure thatAnthropic uses Covered Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws.
- Anthropic will ensure that each person authorised to process Covered Data is subject to a duty of confidentiality.
- Customer acknowledges that Anthropic’s Services are not designed, intended, or provided for the purpose of making predictions regarding any Data Subject, determining creditworthiness, or any other manner of automated decision-making regarding Data Subject(s) to which the Covered Data relates.
- Anthropic may charge Customer, and Customer will reimburse Anthropic, for any assistance provided by Anthropic to Customer in relation to this DPA, including with respect to any TIAs or consultation with any supervisory authority of Customer.
4. SUB-PROCESSORS
- Customer grants Anthropic the general authorisation to engage the Sub-processors listed in Schedule 5, and any additional Sub-processors in accordance with clause 4.c.
- Anthropic will: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are substantively no less protective of Covered Data than Anthropic’s obligations under this DPA; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
- In the event that Anthropic wishes to appoint an additional Sub-processor: (a) Anthropic will provide Customer reasonable notice; and (b) Customer may, on the basis of reasonable data privacy and data security concerns, object to Anthropic’s use of such Sub-processor by providing Anthropic with written notice of the objection within ten (10) days of the date of such notice, otherwise the additional Sub-processor shall be deemed approved. In the event Customer objects to Anthropic’s use of a newSub-processor, Customer and Anthropic will work together in good faith to find a mutually acceptable resolution to address any objections raised by Customer.
5. DATA SUBJECT RIGHTS REQUESTS
- Anthropic will forward to Customer promptly any Data Subject Request received byAnthropic relating to the Covered Data and may advise the Data Subject to submit their request directly to Customer.
- Anthropic will, taking into account the nature of the Processing of Covered Data, provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
6. SECURITY
- Accounting for the state of the art, costs of implementation and the nature, scope and context and purposes of the relevant Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Anthropic will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for theCovered Data appropriate to the risk of the relevant Processing.
- The Parties agree that the measures set out in Schedule 2 provide an appropriate level of security for the Covered Data, accounting for the risks presented by theProcessing outlined in the Agreement and this DPA.
7. AUDITS AND RECORDS
- Upon request, Anthropic will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
- To the extent required by Applicable Data Protection Legislation, Anthropic will permitCustomer (or a suitably qualified, independent third-party auditor which is not a competitor of Anthropic) to audit Anthropic’s compliance with this DPA no more than once per calendar year on at least thirty (30) days’ written notice to Anthropic (an “Audit”), provided that Customer (or Customer’s third-party auditor, as applicable):
- may only conduct an Audit during Anthropic’s normal business hours;
- will conduct the Audit in a manner that does not disrupt Anthropic’s business;
- enters into a confidentiality agreement reasonably acceptable to Anthropic prior to conducting the Audit;
- pays any reasonably incurred costs and expenses incurred by Anthropic in the event of an Audit;
- ensures that its personnel comply with any policies and procedures notified byAnthropic to Customer when attending Anthropic’s premises;
- submits, as part of the written notice provided by Customer to Anthropic, a detailed proposed audit plan which is agreed by Anthropic (an “Audit Plan”); and
- conducts the Audit in compliance with the final agreed Audit Plan.
- Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of the DPA. Nothing in this clause 7 will require Anthropic to breach any duties of confidentiality it owes to third parties.
8. SECURITY INCIDENTS
- Anthropic will notify Customer in writing without undue delay after becoming aware of any Security Incident. Anthropic will, to the extent reasonably necessary, cooperate with Customer’s investigation of the Security Incident. Anthropic’s notification of, or response to, a Security Incident will not be construed as an acknowledgement byAnthropic of any fault or liability with respect to the Security Incident.
9. DELETION AND RETURN
- Anthropic will, in any event, within thirty (30) days of the date of termination or expiry of the Agreement (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Anthropic or any Sub-processors.
10. STANDARD CONTRACTUAL CLAUSES
The Parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the Standard Contractual Clauses Module 1 (Controller to Controller),Module Two (Controller to Processor) and/or Module Three (Processor to Processor),each as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the Parties.
- To the extent required by Applicable Data Protection Laws, the jurisdiction-specific addenda to the Standard Contractual Clauses set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the Parties.
- To the extent that there is any conflict between the terms of this DPA and the terms of the Standard Contractual Clauses, the Standard Contractual Clauses shall govern.
- Anthropic will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Covered Data. Anthropic will, upon Customer’s request and at Customer’s cost, provide information toCustomer which is reasonably necessary for Customer to complete a transfer impact assessment ("TIA") to the extent required under Applicable Data Protection Laws.
SCHEDULE 1 - DETAILS OF PROCESSING AND TRANSFERS
PART A – List of Parties
The Parties are set out in the preamble to this DPA. With regard to any transfers of Covered Data falling within the scope of Applicable Data Protection Laws, additional information regarding the data exporter and data importer is set out below.
- Data Exporter
The data exporter is: Customer and/or Customer Affiliates exporting Covered Data to which the GDPR applies.The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Anthropic upon request. - Data Importer
The data importer is: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, United States. The data importer’s contact person and contact details are included in theAgreement or will be disclosed to Customer upon request.
PART B – Description of Processing
- Categories of Data Subjects - Determined by Customer (in accordance with the Agreement).
- Categories of Personal Data - Determined by the Customer (in accordance with the Agreement).
- Special categories of Personal Data (if applicable) - None.
- Duration and Frequency of the Processing - The Processing is performed on a continuous basis for the duration of the Agreement and is determined by Customer’s configuration of the Services.
- Subject matter and nature of the Processing - Performing the Services on behalf ofAnthropic which involves Processing (including collection, storage, organisation and structuring) of Personal Data as part of a natural language-based, machine-learning tool, as further described in the Agreement; undertaking activities to verify or maintain the quality of the Services; debugging to identify and repair errors that impair existing intended functionality; helping to ensure security and integrity of the Services.
- Purpose(s) of the data transfer and further Processing - To provide the Services to Customer pursuant to the Agreement and as may be further agreed upon by Customer and Anthropic.
- Storage Limitation - The duration is the term of the Agreement.
- Sub-processor (if applicable) - To provide Processing system capability toAnthropic (as described in Schedule 4) to provide the Services described in theAgreement.
PART C – Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs
Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter established is the competent authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.
SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES
Anthropic has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, accounting for the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Anthropic’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Anthropic’s organization, monitoring and maintaining compliance with Anthropic’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Utilization of commercially available and industry standard encryption technologies for Covered Data that is:
- being transmitted by Anthropic over public networks (i.e., the Internet) or when transmitted wirelessly; or
- at rest or stored on portable or removable media (i.e., laptop computers,CD/DVD, USB drives, back-up tapes).
- Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Anthropic’s passwords that are assigned to its employees; controls include appropriate password security requirements, and specific time and use limitations for passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of data center, server room facilities and other areas containing Covered Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of
Anthropic facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage. - Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Anthropic’s possession.
- Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Anthropic’s technology and information assets.
- Incident / problem management procedures designed to allow Anthropic to investigate, respond to, mitigate, and notify of events related to Anthropic’s technology and information assets.
- Network security controls that provide for the use of firewall systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
- Business resiliency/continuity plan and procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
SCHEDULE 3 - INTERNATIONAL TRANSFERS
EU SCCS
Elections for the purposes of Module 1, Module Two and Module Three of the Standard ContractualClauses:
- Clause 7 (Docking clause) – does not apply.
- Clause 11 (Redress) – optional wording does not apply.
- Clause 17 (Governing Law) – Option 1 will apply and the governing law will be the law of the Republic of Ireland.
- Clause 18 (Choice of forum and jurisdiction) – the applicable choice of forum and jurisdiction will be the Republic of Ireland.
- For the purpose of Annex I of the Standard Contractual Clauses, Part A of Schedule 1contains the specifications regarding the parties, Part B of Schedule 1 contains the description of transfer for Module Two and Module Three, and Part B of Schedule 1 contains the description of transfer for Module 1 except that the purpose, nature and subject matter of the processing shall be as set out in clause 2.3, and Part C of Schedule1 contains the competent supervisory authority.
- For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.
Additional elections for the purposes of Module Two and Module Three of the Standard ContractualClauses:
- Clause 9 (Use of sub-processors) – Option 2 (General written authorization) will apply, and the time period is as specified in clause 4.c of the DPA.
- For the purpose Annex III of the Standard Contractual Clauses, the list of Sub-processors are set out in Schedule 4 or as otherwise determined by clause 4.c of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Anthropic upon request.
UK ADDENDUM
This UK Addendum will apply to any Processing of Covered Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:
“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.
“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.
- With respect to any transfers of Covered Data falling within the scope of the UK GDPR from Customer (as data exporter) to Anthropic (as data importer):
- to the extent necessary under Applicable Data Protection Law, the ApprovedAddendum as further specified in this UK Addendum of this Schedule 3 will be incorporated into and form part of this DPA;
- for the purposes of Table 1 of Part 1 of the Approved Addendum, the parties’ details are as set out in Part A of Schedule 1;
- for the purposes of Table 2 of Part 1 of the Approved Addendum, the version of the Approved EU SCCs as set out in the EU SCCs of this Schedule 3 including the Appendix Information are the selected SCCs; and
- for the purposes of Table 4 of Part 1 of the Approved Addendum, Anthropic (as data importer) may end the Approved Addendum.
SWISS ADDENDUM
This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.
- Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
- This Addendum: This Addendum to the Clauses
- Clauses: The Standard Contractual Clauses as further specified in this Schedule
- Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
- This Addendum will be read and interpreted in the light of the provisions of SwissData Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
- This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
- Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
- Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of theClauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail. - Incorporation of the Clauses
- In relation to any Processing of Personal Data subject to Swiss Data ProtectionLaws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent thatSwiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
- To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by clause 3.1 of this Swiss Addendum, include (without limitation):
- References to the "Clauses" or the "SCCs" mean this Swiss Addendum as itamends the SCCs.
- Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."
- References to "Regulation (EU) 2016/679" or "that Regulation" or “GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s)
of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable. - References to Regulation (EU) 2018/1725 are removed.
- References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
- Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data ProtectionLaws;
- Clause 17 is replaced to state: "These Clauses are governed by the laws ofSwitzerland insofar as the transfers are governed by Swiss Data Protection Laws".
- Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts ofSwitzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."
- In relation to any Processing of Personal Data subject to Swiss Data ProtectionLaws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:
Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protectPersonal Data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.
- To the extent that any Processing of Personal Data is subject to both Swiss DataProtection Laws and the GDPR, the DPA including the Clauses as further specified in this Schedule will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 3.1 and 3.3 of this SwissAddendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under clause 3.3(b)(g) of this Swiss Addendum.
- Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.
SCHEDULE 4 - SUB-PROCESSORS
Anthropic’s list of sub-processors is available at https://www.anthropic.com/subprocessors.