Review Category 1
Data Retention
API Input/Output Retention
Finding
Anthropic's API does not store prompts or completions by default. Inputs and outputs are not retained after the response is returned, and are not used to train models without explicit opt-in.
No persistent logging of API conversations by default
Operators can enable logging within their own infrastructure
Documented in Anthropic's usage policy and privacy documentation
Claude.ai Consumer Retention
Finding
Claude.ai (consumer product) retains conversation history for product functionality. Users can delete conversations. This distinction matters: the consumer product has different retention characteristics than the API.
Conversations retained until user deletion
Enterprise/Team plans offer additional controls
Employees should use API-connected enterprise deployments, not personal Claude.ai accounts, for work
Data Processing Agreement
Finding
Anthropic offers a Data Processing Addendum (DPA) for enterprise customers. DPA covers GDPR-aligned processing terms, sub-processor disclosure, and data subject rights handling.
DPA available upon request and via enterprise agreement
Sub-processor list maintained and updated
Required: Legal must execute DPA before organizational deployment
Data Residency
Finding
Anthropic processes data on infrastructure hosted primarily in the United States. EU data residency options are limited. Organizations with strict data sovereignty requirements should evaluate carefully.
Primary processing in US (AWS infrastructure)
No dedicated EU region as of review date
Review with Legal for GDPR Article 46 transfer mechanism requirements
Review Category 2
Security Certifications
SOC 2 Type II
Finding
Anthropic holds SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria. Report is available under NDA for enterprise customers.
SOC 2 Type II (Security, Availability, Confidentiality)
Annual audit cycle
Request current report via enterprise agreement
ISO 27001
Finding
ISO 27001 certification is not confirmed as of review date. Anthropic's security posture is well-documented, but ISO 27001 certification status should be verified directly with the vendor prior to deployment in ISO-required environments.
Verify certification status directly with Anthropic sales
Compensating control: SOC 2 Type II provides comparable assurance
May be required for regulated industries
Review Category 3
Model Training on Customer Data
Key Finding
Anthropic does not use API inputs or outputs to train its models by default. This no-training default is built into the standard API agreement. The consumer Claude.ai product has separate terms. Enterprise customers should confirm this in their contract.
API Training Opt-Out
Details
Anthropic's API terms explicitly state that customer prompts and completions are not used for model training. This is a default, not an opt-out. Enterprise agreements reinforce this in contractual language.
Default: no training on API customer data
Contractual confirmation available in enterprise DPA
Distinct from consumer Claude.ai feedback mechanisms
Verify that any third-party API middleware or integrations do not reintroduce data sharing
Consumer Product Training Terms
Details
Claude.ai consumer accounts may be subject to feedback and improvement data use. Employees using personal Claude.ai accounts for work tasks may inadvertently contribute organizational data to product improvement. Policy enforcement is required.
Employees must use organizational API deployment, not personal accounts
Personal account use for work is a policy violation under Section 1
Acceptable Use Policy training should address this distinction explicitly
Review Category 4
SSO & Access Controls
SSO / SAML Support
Finding
Anthropic's Claude for Enterprise supports SAML 2.0 SSO integration. API access relies on API key authentication. Enterprise console access can be federated through organizational identity providers.
SAML 2.0 supported for enterprise console
Compatible with Okta, Azure AD, and major IdPs
API keys managed separately; scope and rotation controls available
Admin Controls
Finding
Enterprise console provides admin controls for user provisioning, usage monitoring, and policy configuration. Role-based access is available at admin and member levels.
User provisioning and deprovisioning from admin console
Usage dashboards with per-user and per-project visibility
System prompt controls and model access restrictions available
Audit logging for console actions
Review Category 5
Encryption
Encryption in Transit
Finding
All API communications are encrypted in transit using TLS 1.2 minimum. TLS 1.3 is supported and preferred. No unencrypted API endpoints are available.
TLS 1.2 minimum, TLS 1.3 preferred
Certificate transparency enforced
HSTS enabled on all endpoints
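Two of the transport claims above (TLS 1.2 minimum with TLS 1.3 preferred, HSTS on all endpoints) can be verified from the client side rather than taken from the vendor's documentation. The helpers below are an added example written for this review, not Anthropic's code; the HSTS header value is a constructed sample, the one-year max-age threshold is an assumed review bar, and the hostname in the live check is a placeholder to replace with the endpoint under review.

```python
"""Client-side checks for the transport-security claims in this review (added example)."""
import socket
import ssl
from typing import Optional

# Assumed review bar for HSTS max-age: one year (31536000 seconds).
MIN_HSTS_MAX_AGE = 31536000


def make_client_context() -> ssl.SSLContext:
    """Client TLS context that refuses anything below TLS 1.2.

    TLS 1.3 is still negotiated when the server offers it, which is the
    'TLS 1.2 minimum, TLS 1.3 preferred' posture stated in the finding.
    """
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_hsts(header_value: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security header and judge it against the review bar.

    Returns {'present', 'max_age', 'include_subdomains', 'ok'}; 'ok' is True
    only when the header is present and max-age meets MIN_HSTS_MAX_AGE.
    """
    result = {"present": False, "max_age": 0, "include_subdomains": False, "ok": False}
    if not header_value:
        return result  # missing header: HSTS claim not met for this response
    result["present"] = True
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip()
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    result["ok"] = result["max_age"] >= MIN_HSTS_MAX_AGE
    return result


def negotiated_tls_version(host: str, port: int = 443) -> str:
    """Live check: report the TLS version the server actually negotiates (e.g. 'TLSv1.3')."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with make_client_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Constructed sample header; substitute the value from a real API response.
    print(check_hsts("max-age=31536000; includeSubDomains"))
    print(negotiated_tls_version("api.example.invalid"))  # placeholder host, replace before use
```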
Encryption at Rest
Finding
Data stored by Anthropic (account data, usage logs) is encrypted at rest using AES-256. AWS KMS is used for key management. Encryption key management practices are covered in the SOC 2 report.
AES-256 encryption at rest
AWS KMS for key management
Customer-managed keys not available as of review date
Recommendations
Conditions for Approval
Anthropic is recommended for approval as an AI vendor subject to the following conditions being met before organizational deployment:
1. Execute Enterprise DPA: Legal must review and execute a Data Processing Addendum with Anthropic before any organizational use of Claude via API or enterprise product. Personal Claude.ai accounts do not carry DPA protections.
2. Configure SSO: Enterprise deployment must be federated through the organizational identity provider. Direct credential access should be disabled for all non-admin users.
3. Prohibit Personal Account Use for Work: The Acceptable Use Policy must explicitly prohibit use of personal Claude.ai accounts for any work task. Training should be provided to all employees prior to rollout.
4. Verify ISO 27001 Status: For departments with ISO 27001 compliance requirements, confirm current certification status with the Anthropic account team before deployment in those business units.
5. Annual Vendor Review: Anthropic's product and security posture is evolving rapidly. This review should be repeated annually and after any significant product or policy change announced by the vendor.