Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Anthropic Commercial Terms of Service or other agreement between Customer and Anthropic that references this DPA and governs Customer’s use of the Services (the “Agreement”), and applies to Anthropic’s processing of Customer Data (defined below). Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement. Anthropic may amend this DPA from time to time on reasonable notice to Customer to the extent such changes are required due to changes in Applicable Data Protection Laws. If there is any conflict between the terms of this DPA and the Agreement, the conflicting terms in this DPA will govern.
A. Definitions
- "Applicable Data Protection Laws" means all applicable privacy or data protection laws and regulations relating to the processing of personal data, as may be amended from time to time.
- "Customer Personal Data" means personal data submitted through the Services by or for Customer or a Customer Affiliate.
- "Customer Affiliate" means an affiliate of Customer that (a) is permitted to use the Services pursuant to the Agreement between Anthropic and Customer, and (b) directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of voting interests.
- “Customer Data” means all data or other information submitted through the Services by or for Customer or a Customer Affiliate.
- “Data Subject Request” means a request from a data subject to exercise their personal data-related rights under Applicable Data Protection Laws, such as rights to access, correct, or delete their personal data.
- "GDPR" means Regulation (EU) 2016/679.
- "Security Breach" means a breach of Anthropic’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.
- "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor) or Module Three (processor to processor) of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
- "Subprocessor" means an entity engaged by Anthropic to process Customer Personal Data.
- “UK Addendum” means the International Data Transfer Addendum to the SCCs, issued by the Information Commissioner under S119A(1) Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
- The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this DPA have the meanings given by Applicable Data Protection Laws or, absent any such meaning or law, by GDPR.
- The terms “controller” and “processor” include “business”, and “service provider”, respectively, as required by Applicable Data Protection Laws.
B. Processing of Customer Data
- With respect to Customer Personal Data, Customer is the controller and Anthropic is Customer’s processor. Each party will comply with its respective obligations under Applicable Data Protection Laws in connection with the Services and the Customer Personal Data.
- Unless required by applicable law to which Anthropic is subject, Anthropic will only process Customer Personal Data to provide or maintain the Services, and in compliance with Customer’s documented instructions (including as set out in the Agreement and this DPA).
- Without limiting the foregoing, Anthropic will not:
  - “sell” or “share” Customer Personal Data, as defined by Applicable Data Protection Laws;
  - retain, use, or disclose Customer Personal Data outside of the direct business relationship and for any purpose other than for the business purposes specified in Part B of Schedule 1 or as otherwise permitted by Applicable Data Protection Laws; and
  - except as otherwise permitted by Applicable Data Protection Laws, combine Customer Personal Data with personal data that Anthropic receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.
- As required under Applicable Data Protection Laws, Anthropic will promptly inform Customer if it makes a determination that it can no longer comply with its processing obligations under this DPA, in which case Customer may take reasonable and appropriate steps in accordance with the Agreement to stop or remediate any unauthorized processing of Customer Personal Data.
- Anthropic will promptly inform Customer if, in its opinion, an instruction from Customer relating to the processing of Customer Personal Data violates Applicable Data Protection Laws.
- Anthropic will cooperate with and provide reasonable assistance to Customer for: (a) Customer’s performance of any data protection impact assessment of the processing of Customer Personal Data by Anthropic, and (b) related consultation with supervisory authorities, either or both of which Customer reasonably considers to be required by Applicable Data Protection Laws.
- Anthropic will ensure that each person it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
C. Subprocessors
- Customer grants Anthropic general authorization to engage the Subprocessors listed in Schedule 4, and any additional Subprocessors in accordance with Section C.3. below.
- Anthropic will: (a) enter into a contractual agreement with each Subprocessor imposing data protection obligations that are substantially as protective as Anthropic’s obligations under this DPA to the extent applicable to the nature of the services provided by Subprocessor; and (b) remain liable to Customer for each Subprocessor’s acts and omissions related to this DPA to the extent Anthropic is liable for its own, consistent with the limitation of liability provided in the Agreement.
- In the event that Anthropic wishes to appoint an additional Subprocessor: (a) Anthropic will provide Customer reasonable notice of the new Subprocessor prior to giving the Subprocessor access to Customer Personal Data; and (b) Customer may, on the basis of reasonable data privacy or data security concerns, object to Anthropic’s use of such Subprocessor by providing Anthropic with written notice of the objection within fifteen (15) days of the date of such notice, or Customer is deemed to consent to the new Subprocessor. In the event Customer objects to Anthropic’s use of a new Subprocessor, Customer and Anthropic will work together in good faith to find a mutually acceptable resolution to address any objection raised by Customer.
D. Data Subject Requests
- Anthropic will forward to Customer promptly any Data Subject Request received by Anthropic relating to the Customer Personal Data and may advise the Data Subject to submit their request directly to Customer.
- Anthropic will, taking into account the nature of the processing, provide Customer with reasonable and timely assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
E. Security
- Anthropic will comply with the data security obligations of Applicable Data Protection Laws, and will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for the Customer Data (including the Customer Personal Data) appropriate to the risk of the relevant processing, as summarized in Schedule 2. Anthropic may update these measures from time to time, provided that such updates do not materially reduce the overall security of the Services.
- The parties agree that the measures set out in Schedule 2 provide an appropriate level of security for the Customer Data (including the Customer Personal Data), accounting for the risks presented by the processing outlined in the Agreement and this DPA.
F. Compliance and Audits
- Anthropic is audited annually against known, established industry standards performed by external auditors. Upon Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Anthropic will provide Customer with such audit reports or certificates applicable to the Services (e.g., SOC 2 report), to the extent available, or such other information reasonably necessary to demonstrate compliance with this DPA. Anthropic’s current certifications are available for Customer’s review at trust.anthropic.com.
- Upon Customer’s written request, Anthropic will permit Customer, at Customer’s expense, to audit Anthropic’s applicable controls and compliance with this DPA (an “Audit”), provided such Audit is (a) conducted by Customer or a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Anthropic, (b) Customer and Anthropic mutually agree on reasonable details of the Audit, including the start date, scope and duration of, and security and confidentiality controls applicable to such audit, and (c) a similar Audit has not already been conducted less than twelve (12) months prior, unless there are indications of non-compliance and/or it is required by a supervisory authority or other regulatory authority responsible for the enforcement of Applicable Data Protection Laws.
- Customer will pay any reasonably incurred costs and expenses incurred by Anthropic in the event Customer performs an Audit that is not (a) required by Applicable Data Protection Laws or (b) in response to a Security Breach.
- Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of the DPA.
G. Security Breaches
- Anthropic will notify Customer in writing without undue delay, but in any event within 48 hours, after becoming aware of any Security Breach, and will assist Customer in complying with Customer’s obligations under Applicable Data Protection Laws by reasonably cooperating with Customer’s investigation of the Security Breach. Anthropic’s notification of, or response to, a Security Breach will not be construed as an acknowledgement by Anthropic of any fault or liability with respect to the Security Breach.
- Upon becoming aware of a Security Breach, Anthropic will (a) investigate the Security Breach, and (b) provide timely information relating to the nature of the Security Breach, such as, where reasonably possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Breach, and the measures taken or proposed to be taken by Anthropic to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
H. Deletion and Return
- Within thirty (30) days of the date of termination or expiration of the Agreement, Anthropic will:
  - if requested to do so by Customer within that period, return a copy of all Customer Data in its control or possession or provide a self-service functionality allowing Customer to do the same; and
  - delete all copies of Customer Data (including Customer Personal Data) processed by Anthropic or any Subprocessors, except to the extent (i) Applicable Data Protection Laws or other applicable legal or regulatory requirements require storage of the Customer Data, (ii) retention of the Customer Data by Anthropic is necessary to resolve a dispute between the parties, or (iii) retention of the Customer Data is necessary to combat harmful use of the Services.
I. Standard Contractual Clauses
- The parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the SCCs Module Two (controller to processor) and/or Module Three (processor to processor), as completed as described in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the parties.
- To the extent required by Applicable Data Protection Laws, the jurisdiction-specific addenda to the SCCs set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the parties.
- To the extent that there is any conflict between the terms of this DPA, the Agreement, and the terms of the SCCs, the terms of the following documents will prevail (in order of precedence): (i) the SCCs; (ii) this DPA; and (iii) the Agreement.
- Anthropic will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Customer Personal Data. Anthropic will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment to the extent required under Applicable Data Protection Laws.
Schedule 1 - Details of Processing and Transfers
A. List of Parties
The parties are set out in the preamble to this DPA. With regard to any transfers of Customer Personal Data falling within the scope of Applicable Data Protection Laws, additional information regarding the data exporter and data importer is set out below.
- Data Exporter: The data exporter is the Customer and/or Customer Affiliates exporting Customer Personal Data to which GDPR applies. The data exporter’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s name and contact details and (if relevant) the representative’s contact details are included in the Agreement or will be disclosed to Anthropic upon request.
- Data Importer: The data importer is the Anthropic entity that executed the Agreement. The data importer’s contact person and contact details are included in the Agreement or will be disclosed to Customer upon request.
B. Description of Processing
- Categories of data subjects: Determined by Customer (in accordance with the Agreement).
- Categories of personal data: Determined by the Customer (in accordance with the Agreement).
- Special categories of personal data (if applicable): None.
- Duration and Frequency of the processing: The processing is performed on a continuous basis for the duration of the Agreement and is determined by Customer’s configuration of the Services.
- Subject matter and nature of the processing: Performing the Services on behalf of Customer which involves processing (including collection, storage, organization and structuring) of personal data as part of a natural language-based, machine-learning tool, as further described in the Agreement; verifying or maintaining the quality, security, and integrity of the Services; debugging to identify and repair errors that impair existing intended functionality.
- Purpose(s) of the data transfer and further processing: To provide the Services to Customer pursuant to the Agreement and as may be further agreed upon by Customer and Anthropic.
- Storage Limitation: The duration is the term of the Agreement.
- Subprocessors (where applicable): May be used by Anthropic to assist in the provision of the Services (more details in Schedule 4).
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs:
Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.
Schedule 2 - Technical and Organizational Measures
Anthropic has implemented and will maintain technical and organizational measures designed in accordance with industry standard practices to protect the security, confidentiality, and integrity of the Customer Data, as set out below. Anthropic may review and update these measures from time to time, provided that any such update will not materially diminish the overall security of the Customer Data during the term of the Agreement. Additional information about Anthropic’s information security program can be found at https://trust.anthropic.com.
A. Security Program and Policies
- Anthropic maintains organizational management and dedicated staff responsible for the development, implementation, and maintenance of Anthropic’s information security program, and a qualified security team of a size sufficient to ensure compliance with this DPA.
- Anthropic’s operational procedures and controls define physical, technical, and administrative safeguards that provide for the configuration, monitoring and maintenance of technology and information systems that process Customer Data according to prescribed internal and adopted industry standards.
- Anthropic’s change management procedures and tracking mechanisms are designed to test, approve, and monitor all changes to Anthropic’s technology and information assets that process Customer Data.
- Anthropic’s business resiliency and continuity plan and procedures are tested annually and designed to maintain service availability and enable recovery from emergency situations or disasters.
- Anthropic’s network security controls provide for appropriate network traffic filtering, segmentation of networks, and other event correlation procedures designed to protect systems from intrusion and limit the scope of any potential security compromise.
- Anthropic maintains a robust suite of internal security policies that are communicated and distributed to all personnel, including policies covering:
  - Information Security
  - Personnel Security
  - Asset Management
  - Data Management
  - Risk Management
  - Access Control
  - Secure Development
  - Operational Security
  - Physical Security
  - Incident Response
  - Business Continuity and Disaster Recovery
  - Cryptography
B. Access Controls
- All Anthropic personnel are assigned unique identifiers for interacting with systems managing Customer Data.
- All default system credentials are changed by Anthropic prior to a system’s use in a production capacity.
- Anthropic maintains a least privileged access approach to system access, using RBAC (Role Based Access Control), by restricting Anthropic personnel to only the system access needed to fulfill a specific job function or business needs.
- All access to systems processing Customer Data is protected by Multi Factor Authentication (MFA).
- SSO via Anthropic’s primary IDP is enforced for all systems with access to, or that store or maintain, Customer Data.
- Anthropic utilizes Context Aware Access to prevent unauthorized devices from accessing sensitive information, including Customer Data.
- Anthropic maintains strong password requirements including:
  - a minimum of 16 characters;
  - changing of initial passwords; and
  - the prevention of password re-use.
- Anthropic prohibits the sharing or transmission of passwords through unsecured communication channels.
- Anthropic reviews privileged access to systems managing Customer Data on a regular basis to ensure provisioned access remains appropriate to job functions or business needs.
- All users with privileged access to Customer Data have all access revoked promptly following termination of employment.
C. Personnel Management
- All personnel engaged by Anthropic are properly trained and obligated to comply with the requirements of Anthropic's security program, including with respect to the confidentiality and security of the Customer Data.
- Anthropic employees, at hire and annually thereafter, complete security awareness, HIPAA, and other relevant training regarding confidentiality and data security. These trainings provide information regarding relevant threats and business requirements, including social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.
- As a part of pre-employment, all candidates complete a rigorous interview process, undergo background checks, and sign confidentiality agreements.
- Upon termination, Anthropic removes personnel access authorization without undue delay and in accordance with standard industry practices.
D. Audits and Certifications
- Anthropic defines audit and risk assessment procedures for the purposes of: (a) periodic review and assessment of risks to Anthropic’s organization, assets, and data, (b) monitoring and maintaining compliance with Anthropic’s policies and procedures, and (c) reporting the condition of its information security and compliance to internal senior management.
- Anthropic’s information security program is assessed annually by independent third-party auditors and reports from such annual assessments are made available to Anthropic’s customers.
- To request access to any of our reports and certifications, please go to https://trust.anthropic.com.
E. Encryption Standards
Anthropic utilizes industry standard encryption methods for protection of Customer Data, including a minimum of AES-256 for data at rest, and TLS1.2+ for data in transit over public networks.
F. Endpoint Protection
All Anthropic personnel workstations, and cloud endpoints (where applicable), are protected via EDR (endpoint detection and response) systems that include, but are not limited to: (a) anti-virus and anti-malware protections; (b) active real-time system monitoring; and (c) alerting to internal security teams.
G. Vulnerability Management
- Anthropic’s vulnerability assessment, patch management, threat protection technologies, and scheduled monitoring procedures are designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code. Anthropic utilizes a multi-faceted approach to vulnerability management, including: automated code vulnerability scanning; automated artifact vulnerability scanning; automated code review; manual peer code review; endpoint detection and response; automated log analysis; and manual log analysis.
- Anthropic engages qualified external assessors for the completion of annual penetration testing of systems that process Customer Data to identify vulnerabilities and attack vectors that can be used to exploit those systems, and identified vulnerabilities are addressed as part of Anthropic’s vulnerability management program. Upon request, Anthropic will make available to Customer a summary of its most recent penetration testing report.
- Anthropic applies updates to mitigate vulnerabilities based on risk level and in alignment with industry-accepted timelines.
H. Data Management
All Customer Data stored by Anthropic is logically separated such that no customer is able to access the data of any other customer without authorization. Customer Data associated with a specific customer is easily identifiable. Further, Anthropic maintains reasonable and appropriate network-level segmentation to separate environments processing Customer Data from the internet, from development and testing environments, and from office workspaces.
I. Logging, Monitoring, and Incident Response
- Anthropic’s incident management procedures are designed to allow Anthropic to investigate, respond to, mitigate, and notify of events related to Anthropic’s technology and information assets that process Customer Data. These incident response procedures are tested annually.
- Anthropic maintains a centralized SIEM (security information and event management)/SOAR (security orchestration, automation, and response) tool.
- Anthropic logs employee access and actions within Anthropic’s systems, inclusive of those storing or maintaining Customer Data.
- System audit or event logging and related monitoring procedures are proactively configured to detect, prioritize, and escalate, as appropriate, suspicious activities for review.
- Security-related logs are retained for appropriate timeframes to aid in the investigation of security incidents.
J. Third Party Vendors
Anthropic maintains a third-party information security risk management program, which includes the execution of periodic risk assessments to evaluate the security posture of Anthropic’s third-party vendors.
Schedule 3 - International Data Transfers
A. EU SCCs
- Elections for the purposes of Module Two and Module Three of the Standard Contractual Clauses:
  - Clause 7 (Docking clause) – does not apply.
  - Clause 11 (Redress) – optional wording does not apply.
  - Clause 17 (Governing Law) – Option 1 will apply and the governing law will be the law of the Republic of Ireland.
  - Clause 18 (Choice of forum and jurisdiction) – the applicable choice of forum and jurisdiction will be the Republic of Ireland.
- For the purpose of Annex I of the Standard Contractual Clauses, Part A of Schedule 1 contains the specifications regarding the parties, Part B of Schedule 1 contains the description of transfer for Module Two and Module Three, and Part C of Schedule 1 contains the competent supervisory authority.
- For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.
- Additional elections for the purposes of Module Two and Module Three of the Standard Contractual Clauses:
  - Clause 9 (Use of subprocessors) – Option 2 (General written authorization) will apply, and the time period is as specified in Section C.3. of this DPA.
- For the purpose of Annex III of the Standard Contractual Clauses, the list of Subprocessors is set out in Schedule 4 or as otherwise determined by Section C.3. of this DPA. The Subprocessor’s contact person’s name, position and contact details will be provided by Anthropic upon request.
B. UK Addendum
This UK Addendum will apply to any processing of Customer Personal Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:
“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.
“UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.
- With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (as data exporter) to Anthropic (as data importer):
  - to the extent necessary under Applicable Data Protection Laws, the Approved Addendum as further specified in this UK Addendum of this Schedule 3 will be incorporated into and form part of this DPA;
  - for the purposes of Table 1 of Part 1 of the Approved Addendum, the parties’ details are as set out in Part A of Schedule 1;
  - for the purposes of Table 2 of Part 1 of the Approved Addendum, the version of the Approved EU SCCs as set out in the EU SCCs of this Schedule 3 including the Appendix Information are the selected SCCs; and
  - for the purposes of Table 4 of Part 1 of the Approved Addendum, Anthropic (as data importer) may end the Approved Addendum.
C. Swiss Addendum
This Swiss Addendum will apply to any processing of Customer Personal Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.
- Interpretation of this Addendum
  - Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
    - This “Addendum” means this Addendum to the Clauses.
    - “Clauses” means the Standard Contractual Clauses as further specified in this Schedule.
    - “Swiss Data Protection Laws” means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
  - This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  - This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
  - Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
- Hierarchy. In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects will prevail.
- Incorporation of the Clauses
  - In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:
    - for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and
    - to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  - To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by Section 3(a) of this Swiss Addendum, include (without limitation):
    - References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
    - Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer."
    - References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
    - References to Regulation (EU) 2018/1725 are removed.
    - References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
    - Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws;
    - Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".
    - Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The parties agree to submit themselves to the jurisdiction of such courts."
Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect the personal data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.
To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA (including the Clauses as further specified in this Schedule) will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by Sections 1 and 3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under Section 3(b)(vii) of this Swiss Addendum.
Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.
Schedule 4 - Subprocessors
Anthropic’s list of subprocessors is available at https://www.anthropic.com/subprocessors.