Defra Logo Defra Logo

Defra AI in the Tool Guidance

Guidance on the use of artificial intelligence (AI) tools within the Department for Environment, Food & Rural Affairs (Defra), covering best practices, security considerations, and implementation guidelines.

Claude Code - Detailed Guide

Approval status: Under review - this tool is not currently approved for use. We are reviewing it for potential approval, but cannot commit to if or when this might happen.

(Generated by AI, ChatGPT Deep Research, on June 23rd 2025)

What Claude Code does

Claude Code is an AI coding assistant that works in your terminal. You install it on your computer and use it to help with software development tasks.

Key features:

  • Understands large codebases
  • Generates and fixes code
  • Runs tests and commands
  • Creates pull requests
  • Works with your existing tools (VS Code, Git)

You stay in control - Claude Code asks for permission before making changes to your files or running commands.

How your data stays private

Your code stays on your computer

Claude Code runs locally on your machine. It does not upload your entire codebase to the cloud. Instead, it only sends specific questions and code snippets to get answers.

What this means:

  • Your full codebase is not stored remotely
  • Only the code you ask about is sent for analysis
  • You approve all changes before they happen

Enterprise privacy controls

If your department uses Claude Enterprise, administrators can:

  • Stop users from sending feedback to Anthropic
  • Turn off usage tracking completely
  • Disable error reporting

To disable data sharing, set this environment variable:

CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1

You own your code

Under Anthropic’s commercial terms:

  • You keep ownership of code you write
  • You own the code Claude generates for you
  • Anthropic cannot use your code to train their models without permission

Data processing agreement

Anthropic acts as a data processor for government customers. This means:

  • Your department controls how data is used
  • Anthropic only processes data to provide the service
  • Standard EU data protection clauses apply
  • UK and EU privacy laws are followed

Important: Review these documents before using Claude Code:

  • Commercial Terms of Service
  • Privacy Policy
  • Data Processing Addendum

Where your data is stored

Default server location

By default, Claude processes requests using servers in the United States.

UK data residency options

For departments that need data to stay in the UK or EU:

Option 1: AWS Bedrock

  • Can use AWS regions in the UK
  • Meets government security standards

Option 2: Google Cloud Vertex AI

  • Available in London and Frankfurt regions
  • Keeps data within EU jurisdiction

Action needed: Contact Anthropic to arrange UK/EU data hosting if required.

Data security

Data in transit

All data sent between Claude Code and Anthropic’s servers is encrypted using TLS (Transport Layer Security). This prevents anyone from reading your data while it travels over the internet.

Data at rest

Anthropic encrypts stored data using industry-standard encryption (AES-256). However, Anthropic can still read your prompts and responses to provide the service.

Note: Make sure your computer’s hard drive is encrypted if you store sensitive government data locally.

How long data is kept

Standard retention: 30 days maximum

Enterprise options:

  • Reduce to 7 days or shorter
  • Zero data retention (data deleted immediately after processing)

Exception: If content violates usage policies, Anthropic may keep it for up to 2 years for investigation.

Monitoring and audit logs

What gets logged

Enterprise customers get audit logs that show:

  • Who logged in and when
  • When new conversations started
  • When files were uploaded
  • User actions and timestamps

Important: Logs do not include the actual content of your code or conversations.

Accessing audit logs

Administrators can:

  • Export logs from the Anthropic Console
  • Download 180 days of activity data
  • Integrate with SIEM tools for security monitoring

Real-time monitoring

Claude Code supports OpenTelemetry for real-time logging. You can send usage data to tools like Splunk or CloudWatch.

User access and permissions

Single sign-on (SSO)

Connect Claude Code to your existing login system:

  • Azure Active Directory
  • Google Workspace
  • Other SAML/OAuth providers

This ensures staff use official credentials and two-factor authentication.

Role-based access

Available roles:

  • Primary Owner: Full administrative rights
  • Admin/Owner: Can change settings and export data
  • Developer: Can use Claude Code API
  • Member: Basic chat access only

Domain restrictions: Limit access to your organisation’s email domain to prevent unauthorised sign-ups.

Automatic user management

Use SCIM (System for Cross-domain Identity Management) to:

  • Automatically create accounts for new staff
  • Remove access when people leave
  • Sync with your HR systems

Compliance and certifications

Security certifications

Anthropic holds these certifications:

  • ISO 27001:2022 - Information security management
  • ISO/IEC 42001:2023 - AI risk management
  • SOC 2 Type II - Operational security controls

Data protection compliance

  • GDPR compliant with Data Processing Addendum
  • HIPAA eligible for health data (shows high privacy standards)
  • Uses EU entity (Anthropic Ireland) for European customers

Government security standards

Claude has FedRAMP High approval (US government standard). This demonstrates the security measures needed for sensitive government work.

Before you start using Claude Code

Check these requirements

  1. Data classification: Ensure the data you’ll use is appropriate for cloud processing
  2. Security approval: Get approval from your IT security team
  3. Contract review: Have legal review the Data Processing Addendum
  4. User training: Train staff on appropriate use and data handling
  1. Use enterprise account with your organisation’s domain
  2. Enable audit logging for all user activity
  3. Set data retention to minimum required period
  4. Configure UK/EU hosting if needed for data residency
  5. Integrate with SSO for secure authentication

Getting support

Contact Anthropic through their enterprise support channels for:

  • Security questionnaires
  • Compliance documentation
  • Custom deployment options
  • Training for administrators

Next steps: Work with your IT team to evaluate Claude Code against your department’s security and data policies.

Further reading

Anthropic documentation:

Government guidance:

Support links

All content is available under the Open Government Licence v3.0, except where otherwise stated