Claude - Detailed Guide

Approval status: Under review - this tool is not currently approved for use. We are reviewing it for potential approval, but cannot commit to whether or when this might happen.

(Generated by AI, ChatGPT Deep Research, on June 23rd 2025)

What Claude does

Claude is an AI chat assistant created by Anthropic. You access it through a web browser or mobile app to help with writing, analysis, and research tasks.

Key features:

  • Answers questions and explains topics
  • Writes and edits documents
  • Summarises and analyses content
  • Helps with coding and technical tasks
  • Supports file uploads for analysis
  • Integrates with other platforms

How to access it: Sign in at claude.ai with an email address or use mobile apps.

Available plans:

  • Free: Basic access with usage limits
  • Pro: Individual subscription with higher limits
  • Team: For small groups with collaboration features
  • Enterprise: For organisations with advanced security and controls

Control your privacy settings

Your chat privacy

Default protections:

  • All chats are private to you
  • Delete conversations anytime
  • Export your data when needed
  • Share specific chats with public links if you choose

Data deletion:

  • Deleted chats disappear immediately from your dashboard
  • Removed from Anthropic’s systems within 30 days
  • You control what stays and what goes

Data usage policy

Important: Anthropic does not use your conversations to train its AI models by default.

What gets used:

  • Feedback you choose to provide (thumbs up/down)
  • Chats that violate usage policies (for safety monitoring)
  • Data you explicitly consent to share

What never gets used:

  • Your normal chat conversations
  • Uploaded files and documents
  • Personal information

Enterprise protections

Additional controls for organisations:

  • Custom data retention periods
  • Single sign-on integration
  • Audit logging for compliance
  • Administrator controls over user access

Terms and policies

Key documents to review:

  • Consumer Terms of Service (for personal use)
  • Privacy Policy (how data is handled)
  • Commercial Terms (for business use)
  • Acceptable Use Policy (what’s allowed)

Data controller relationship

For personal accounts: Anthropic controls how your data is processed

For enterprise accounts: Your organisation has more control through commercial agreements

Your rights

Under UK data protection law, you can:

  • Access your personal data
  • Delete your data
  • Export your information
  • Object to certain processing
  • Request corrections

Understand data storage

Where your data goes

Default location: United States data centres

Important: Your chat data will be processed and stored in the US unless you have a special arrangement.

Data transfers:

  • Uses EU-approved protection mechanisms
  • Standard Contractual Clauses for personal data
  • Adequacy decisions where available

For UK government: Assume data will be under US jurisdiction unless negotiated otherwise.

Data security measures

Data in transit: All communications use HTTPS/TLS encryption

Data at rest:

  • All stored data is encrypted on servers
  • Access strictly controlled by security policies
  • ISO 27001 and SOC 2 certified security practices

Employee access:

  • Anthropic staff cannot read your chats
  • Access only granted with explicit consent or legal requirements
  • All access is logged and monitored

How long data is kept

Your control:

  • Keep chats indefinitely or delete anytime
  • Deleted chats removed within 30 days
  • Export data before deletion if needed

Automatic retention:

  • Policy violations: Up to 2 years
  • Safety monitoring data: Up to 7 years
  • Feedback data: Up to 10 years (anonymised)

Enterprise options:

  • Set minimum retention periods (30 days minimum)
  • Automatic deletion of old content
  • All retention changes are logged

Track usage and monitor access

Audit logging

Available for: Enterprise customers only

What gets logged:

  • User sign-ins and access
  • Role changes and permissions
  • Chat and project activity
  • Administrative actions

What is not logged:

  • Actual chat content
  • Message details
  • Conversation transcripts

Access audit logs

For administrators:

  1. Use Enterprise admin console
  2. Export last 180 days of activity
  3. Review user access patterns
  4. Monitor compliance events

Log format: CSV or JSON files with timestamps and user IDs

Data export options

Personal data export:

  • Account profile information
  • Complete chat history
  • Available for all user types

Organisation data export:

  • Enterprise Primary Owners can export all organisation data
  • Team Primary Owners can export team data
  • Includes user activity but not chat content

Control user access

Account types and roles

Individual accounts:

  • Email-based login
  • OAuth with Google or Apple
  • Personal control over all settings

Team and Enterprise accounts:

  • User: Can create chats and projects
  • Admin: Can invite and remove team members
  • Owner: Can manage billing and settings
  • Primary Owner: Full organisational control

Authentication options

Standard login: Email-based verification (no passwords stored)

Enterprise login:

  • Single Sign-On (SSO) integration
  • Connect to your identity provider (Okta, Google Workspace, etc.)
  • Enforce organisational login policies
  • Just-in-time user provisioning

Access controls

For administrators:

  • Control who can join your organisation
  • Set user roles and permissions
  • Manage billing and security settings
  • Configure data retention policies

Security inheritance:

  • Inherits your organisation’s SSO policies
  • Enforces two-factor authentication through identity provider
  • Maintains session management rules
  • Automatic access removal when accounts are disabled

Check compliance requirements

Security certifications

Claude has achieved these formal certifications:

Information security:

  • ISO 27001:2022 - Information security management
  • SOC 2 Type I and II - Operational security controls

AI governance:

  • ISO 42001:2023 - AI management systems

Government security:

  • FedRAMP High - US government cloud security (via AWS Bedrock)
  • DoD Impact Level 4/5 - US defence security standards

Healthcare compliance

  • HIPAA-compliant configuration available
  • Business Associate Agreements supported
  • Additional security controls for health data

Data protection compliance

GDPR and UK GDPR:

  • Privacy Policy addresses EU/UK requirements
  • Data Processing Addendum for commercial customers
  • User rights fully supported
  • EU-approved transfer mechanisms

Key compliance features:

  • Lawful basis for processing clearly defined
  • User consent and withdrawal mechanisms
  • Data subject rights procedures
  • Breach notification processes

UK government considerations

Strengths:

  • Strong international security certifications
  • No use of data for AI training by default
  • User control over data deletion and retention
  • Enterprise security controls available

Considerations:

  • Default data processing in United States
  • No UK-specific government certifications
  • May require Data Protection Impact Assessment
  • Custom arrangements needed for UK data residency

Before you start using Claude

Get approval first

  1. IT security review - Have your security team assess the service
  2. Legal review - Check terms against your data handling policies
  3. Data classification - Ensure your data is appropriate for US processing
  4. Privacy assessment - Complete DPIA if handling personal data

Choose the right plan

For government use, consider:

  • Team or Enterprise for better security controls
  • Enterprise for audit logging and SSO
  • Free/Pro only for non-sensitive research

Set up securely

For organisations:

  1. Use Enterprise plan for maximum control
  2. Configure SSO with your identity provider
  3. Set appropriate data retention policies
  4. Train users on appropriate use guidelines
  5. Enable audit logging for compliance

For individual users:

  1. Use strong email security for login
  2. Be cautious about what data you share
  3. Regularly review and delete old conversations
  4. Understand the data will be processed in the US

Create usage guidelines

Appropriate uses:

  • Research and information gathering
  • Document drafting and editing
  • Code analysis and explanation
  • Creative brainstorming
  • Data summarisation (non-sensitive)

Avoid using for:

  • Classified information
  • Personal data without proper controls
  • Security credentials or passwords
  • Decision-making on sensitive matters
  • Information that must stay in UK jurisdiction

Getting help and support

Official resources

Anthropic documentation:

UK government guidance:

Support channels

For technical issues:

  • Help documentation and FAQs
  • Contact support through Claude.ai
  • Community forums and discussions

For enterprise customers:

  • Dedicated support channels
  • Account management support
  • Security and compliance guidance

Training considerations

Key topics for government users:

  • Understanding AI limitations and biases
  • Data protection and privacy considerations
  • When to use and when to avoid AI assistance
  • Effective prompt writing techniques
  • Reviewing and verifying AI outputs

Next steps

  1. Start with assessment - Review security and legal requirements
  2. Choose appropriate plan - Select based on your security needs
  3. Pilot carefully - Test with non-sensitive content first
  4. Train users - Ensure staff understand proper use
  5. Monitor usage - Use audit logs and regular reviews
  6. Scale thoughtfully - Expand access based on experience

Key decision: Determine if US data processing is acceptable for your use case, or if you need to negotiate special arrangements.

Remember: AI is a tool to support human judgment, not replace it. Always review and verify AI-generated content before using it in official contexts.