Claude Code Security and GDPR: What Every European Team Needs to Configure Before Going Further
What data leaves your environment, how to sign the DPA, set up audit logging, and configure Claude Code safely for EU compliance.
TL;DR: What data leaves your environment, how to sign the DPA, set up audit logging, and configure Claude Code safely for EU compliance.
Your engineering team has started using Claude Code, or your CTO is about to approve the rollout. The productivity case is clear. But before any code from your systems travels to an external API, you need to answer three questions your data protection officer will eventually ask: what leaves your environment, under what legal basis, and what controls are in place?
For a 30-person software consultancy operating across Germany, Poland, and the Netherlands, those questions are not hypothetical. GDPR audit cycles are tightening. The EU AI Act came into force and its enforcement posture is hardening through 2026. And the reputational cost of a data incident tied to an AI coding tool is disproportionately large for a professional services firm that sells trust as part of its value proposition.
This guide covers four practical areas: what Claude Code actually sends to Anthropic's API and what it does not, how to establish your GDPR legal basis via the Data Processing Agreement, how to manage intellectual property risk for source code, and a five-point security configuration that a regulated software team can implement in an afternoon. Every section is written for engineering leads and IT decision-makers who need to act, not just understand.
What Actually Leaves Your Environment
Claude Code operates as a local client that sends context windows to the Anthropic API over HTTPS. When you ask it to edit a file, explain a function, or run a refactor, the relevant code snippets and your instructions are transmitted as API payloads. They are processed by Anthropic's infrastructure and responses are returned.
What this means in practice for a growing software team: any code that appears in the context window is leaving your local machine or your CI environment and traversing the internet. Anthropic's current API terms confirm that prompts are not used to train models, but the transmission itself is real and subject to your data governance obligations.
The critical implication: never let secrets, credentials, personally identifiable information, or patient records appear in a Claude Code session. A developer who opens a .env file containing database passwords and then asks Claude to "fix the connection string" has just sent those credentials to an external API. For a fintech team or a healthcare software provider, that is a contractual breach, a potential GDPR incident, and a security event simultaneously.
Claude Code does not silently exfiltrate files. It only sends what appears in the active context. The controls that matter are the ones that prevent sensitive content from entering that context in the first place.
Your GDPR Legal Basis: The Data Processing Agreement
If any personal data could plausibly appear in the code your team works on, GDPR Article 28 requires a Data Processing Agreement between your organisation and Anthropic before that data is processed. Anthropic offers a DPA for API customers. You must request and sign this before routing any personal data through Claude Code sessions.
For most software teams at European companies, the relevant scenario is not direct handling of names or emails, but indirect exposure: database migration scripts referencing real user schemas, test fixtures containing actual customer data, or analytics code that processes identifiable records. Even if your developers believe they are working with anonymised data, the DPA should be in place as a baseline.
A second option for regulated industries is routing API calls through Amazon Bedrock, which hosts Claude models and operates within AWS's EU data residency infrastructure. This allows teams to keep data processing within EU regions under an existing AWS DPA, which many enterprise teams already have. The trade-off is that Bedrock access requires additional AWS setup and does not always expose the latest Claude model versions at launch.
Decision criterion: if your company processes personal data of EU residents in any of its software systems, and developers interact with that codebase using Claude Code, sign the Anthropic DPA before the next sprint starts. It is a one-time administrative action that removes a significant compliance exposure.
IP Risk: Who Owns the Code Claude Touches
For a professional services firm delivering bespoke software to clients, intellectual property boundaries matter. When client code passes through an AI coding tool, your contract with that client may require you to ensure no third party retains rights to that code.
Anthropic's no-training policy means code sent to the API is not incorporated into model weights. However, your legal team should review two things: the specific API terms in force at the time of use, and any client contracts that contain broad restrictions on third-party processing of source code.
In regulated industries such as financial services or healthcare software development, an explicit IP clause in your Anthropic contract is a reasonable precaution. Larger European software teams have begun including AI tool usage policies in client engagement letters, disclosing which tools may process code in the course of delivery. This is good practice and eliminates ambiguity.
Audit Logging with Claude Code Hooks
Claude Code's hooks system lets you intercept and log every tool call before and after execution. This is the primary mechanism for building a local audit trail without relying on any external service.
A minimal hooks configuration that logs all file writes and bash executions to a local file looks like this:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash|Write|Edit|MultiEdit",
"hooks": [
{
"type": "command",
"command": "echo \"[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PreToolUse: $CLAUDE_TOOL_NAME\" >> /var/log/claude-audit.log"
}
]
}
],
"PostToolUse": [
{
"matcher": "Bash|Write|Edit|MultiEdit",
"hooks": [
{
"type": "command",
"command": "echo \"[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PostToolUse: $CLAUDE_TOOL_NAME exit=$CLAUDE_TOOL_EXIT_CODE\" >> /var/log/claude-audit.log"
}
]
}
]
}
}
Place this in your project's .claude/settings.json. Every file write, edit, and bash execution Claude Code performs will produce a timestamped log entry on the local machine. For a 20-person development team deploying to regulated environments, this log becomes evidence of what automated actions occurred during a session, which is increasingly relevant in GDPR audit responses and internal change management processes.
Pipe this log to your existing SIEM or log aggregation system if your compliance posture requires it.
Five-Point Security Configuration for Regulated Teams
These five controls can be implemented in a single afternoon and cover the primary exposure vectors for European teams in regulated sectors.
1. Exclude secrets from context with .claudeignore. Create a .claudeignore file in your project root following the same syntax as .gitignore. Add entries for .env, .env.*, secrets/, credentials/, config/local.*, and any directories containing certificates or API keys. Claude Code will not read or include these files in context.
.env
.env.*
secrets/
credentials/
*.pem
*.key
config/local.*
2. Never open .env files in a Claude Code session. This deserves a standalone policy statement for your team, not just a technical control. Train developers to close environment files before invoking Claude Code. Add it to your onboarding checklist.
3. Run Claude Code inside a Docker container for full isolation. For the most sensitive codebases, running Claude Code inside a container with a read-only mount of the source tree prevents it from accessing the broader filesystem. This is the recommended pattern for a financial services development team where the blast radius of a misconfigured session must be bounded.
4. Enable hooks-based audit logging. Use the configuration shown above. Route output to a persistent log path monitored by your operations team.
5. Sign the Anthropic Data Processing Agreement. As noted above, this is a prerequisite, not an optional extra. Request it through Anthropic's API customer support before your next sprint planning session.
EU AI Act Considerations
Claude Code is a general-purpose AI system. For most European software teams, it does not meet the criteria for classification as a high-risk AI system under the EU AI Act. The high-risk categories include AI used in hiring decisions, creditworthiness assessment, access to essential services, and medical device functionality. Using an AI coding assistant to write or refactor software does not fall into these categories.
Where teams should exercise additional caution is if Claude Code is being used to generate code that will itself be used in a high-risk AI system, for example, a scoring model or an automated decision system. In that case, the broader AI Act obligations on the system being built apply, even if the tool used to build it does not independently trigger those obligations.
Frequently Asked Questions
Is Claude Code GDPR-compliant for European teams out of the box?
Not automatically. GDPR compliance depends on your organisation having a signed Data Processing Agreement with Anthropic before any personal data is processed, as well as internal controls that prevent personal data from appearing in context windows. Claude Code itself does not enforce data minimisation on your behalf. The technical and organisational measures are your responsibility as the data controller. Signing the DPA and implementing a .claudeignore policy are the two minimum steps.
Does Anthropic train on the code my team sends through the API?
Anthropic's current API terms state that prompts and outputs submitted via the API are not used to train models. This applies to the direct API and to Claude Code, which uses the same API. That said, your legal team should verify this against the current version of the terms at the time of your contract, and consider whether client confidentiality obligations require any additional contractual assurance beyond Anthropic's standard terms.
Does using Claude Code for software development trigger EU AI Act obligations?
For standard development workflows, no. Claude Code is a general-purpose AI tool used by developers. The EU AI Act's high-risk classification does not apply to AI coding assistants in typical use. Obligations would arise if your team is building a product that itself falls under a high-risk category, such as a system making automated decisions about credit, employment, or medical treatment. In that case, the obligations apply to the system you are building, and you should document Claude Code as part of your development toolchain in your conformity assessment.
