When a small team chooses between Claude and ChatGPT for internal AI use, the decision often comes down to features and price. But for teams operating under GDPR, state privacy laws, or sector-specific regulation, the governance posture of each vendor is the more important factor.
This comparison covers the dimensions that matter for compliance teams: data retention, DPA availability, EU data residency, HIPAA, training data practices, and incident notification.
At a glance: Both Anthropic and OpenAI offer DPAs at the API level. Anthropic defaults to shorter data retention. Neither currently offers HIPAA BAA coverage for small teams. For most GDPR-regulated teams, both are defensible, but you must document your procurement decision.
TL;DR: Claude (Anthropic) and ChatGPT (OpenAI) differ meaningfully on GDPR compliance posture: Anthropic offers a DPA to all API customers, EU data residency options, and a 30-day data retention default. OpenAI matches on DPA availability but defaults to longer retention. For regulated teams, both are defensible, but your procurement process must document which you chose and why.
The Comparison Table
| Dimension | Claude (Anthropic) | ChatGPT (OpenAI) |
|---|---|---|
| DPA available | Yes, all API customers | Yes, API, Team, and Enterprise |
| Default data retention | 30 days (API) | 30 days (API); varies by product |
| EU data residency | Available (Enterprise) | Available (Enterprise) |
| Training on your data | No (API), opt-out not needed | No (API), opt-out not needed |
| HIPAA BAA | Not available | Enterprise only |
| SOC 2 Type II | Yes | Yes |
| Incident notification | Yes (per DPA) | Yes (per DPA) |
| Sub-processors list | Published | Published |
Data Retention: What the Defaults Mean
Anthropic (Claude): API calls are retained for 30 days by default for trust and safety purposes. You can request zero retention via the API by enabling zero-data-retention mode, which routes prompts through a path that does not store inputs or outputs. This requires explicit configuration; it is not the default.
OpenAI (ChatGPT): API usage is not used to train models by default. Retention periods vary by product tier: API data is retained for up to 30 days; ChatGPT Free retains conversations indefinitely unless users delete them; ChatGPT Team and Enterprise offer shorter retention and admin controls.
For compliance teams: The API retention defaults are similar. The difference is in the consumer products (ChatGPT Free/Plus), which most compliance teams should not use for work data regardless.
DPA Availability
Both vendors offer Data Processing Agreements, but coverage varies by product tier:
Anthropic: DPA available to all API customers. Claude.ai Business and Enterprise plans also include DPA. The DPA covers Anthropic as a data processor, appoints a sub-processor list, and includes standard contractual clauses for EU transfers.
OpenAI: DPA available for API customers, ChatGPT Team, and ChatGPT Enterprise; all paid business products are covered. ChatGPT Free and Plus users do not receive a DPA, so employee use of personal ChatGPT accounts for work data is not covered.
Practical implication: If your team is using ChatGPT via personal accounts (even paid Plus accounts), that data is not covered by a DPA. Policy must explicitly require API-level access or ChatGPT Team/Enterprise, not personal accounts.
EU Data Residency
Neither vendor offers EU-only data residency as a default on standard plans.
Anthropic: EU data residency available for Enterprise customers. Standard API and Claude.ai plans process data in the US.
OpenAI: EU data residency available for ChatGPT Enterprise. Standard API processes data in the US.
For GDPR compliance: Both vendors publish standard contractual clauses (SCCs) in their DPAs, which is the legal mechanism for EU→US data transfers under GDPR. EU data residency is a higher-assurance option but not required for GDPR compliance if SCCs are properly documented.
Training Data Practices
Both vendors commit, at the API level, not to train on customer data.
Anthropic: API usage is not used to train models. Consumer product (Claude.ai Free) may use interactions for model improvement unless users opt out.
OpenAI: API usage is not used to train models. ChatGPT consumer products (Free, Plus) may use conversations for model training unless users opt out in settings.
What this means for your policy: The distinction between API-level use and consumer product use is critical. Teams that use Claude.ai Free or ChatGPT Free for work are not covered by the API training opt-out. Your AI acceptable use policy must specify which product tier is approved.
HIPAA Coverage
Neither vendor offers HIPAA BAA coverage that is accessible to small teams.
Anthropic: No HIPAA BAA currently available for any Claude product tier.
OpenAI: HIPAA BAA available for ChatGPT Enterprise only. ChatGPT Team, API, and consumer plans are not covered.
If your team handles PHI and needs an AI tool, neither Claude nor ChatGPT is appropriate without enterprise-level contracts that most small teams cannot access. Alternatives with more accessible BAA coverage include Microsoft Azure OpenAI Service and AWS Bedrock.
Incident Notification
Both vendors include security incident notification provisions in their DPAs. Standard provisions require notification within 72 hours of discovery of a breach affecting customer data, aligned with GDPR Article 33 timelines.
For a comparison across 15 vendors on these dimensions, use the AI Vendor Scorecard to filter by your specific requirements.
Which Should You Choose?
Choose Claude if:
- Your team prioritizes shorter default retention and zero-data-retention API mode
- You need a DPA for GDPR and are working at the API or Claude.ai Business level
- You prefer Anthropic's Constitutional AI training approach for high-stakes use cases
Choose ChatGPT if:
- Your team already uses OpenAI infrastructure (GPT API, embeddings, fine-tuning)
- You need ChatGPT Enterprise's admin controls, SSO, and audit logs
- Your team is primarily using the product for content and the free-tier training risk is acceptable
Document your decision either way. The choice between Claude and ChatGPT is defensible for most GDPR use cases; what regulators and auditors want to see is that you made an informed, documented decision rather than defaulting to whichever tool employees already had on their phones.
Sub-Processor Risk: What You Are Inheriting
Neither Anthropic nor OpenAI processes your data in isolation. Both use sub-processors (cloud infrastructure providers, security tooling, and operational services) that have their own access to data transiting the main platform.
Anthropic sub-processors: Anthropic publishes a sub-processor list covering infrastructure (AWS), analytics, and security services. The list is updated periodically; DPA customers are notified of material changes.
OpenAI sub-processors: OpenAI similarly publishes its sub-processor list covering Microsoft Azure infrastructure, analytics, and security. For ChatGPT Enterprise customers, Microsoft's own GDPR commitments extend to OpenAI's infrastructure.
Why this matters for compliance teams: Under GDPR, your vendor's sub-processors become your sub-processors for the purposes of cross-border transfer obligations. If Anthropic's sub-processor processes EU personal data in a jurisdiction without an adequacy decision, your DPA must include that transfer mechanism, and you are responsible for confirming it does. The practical step: when reviewing either vendor's DPA, read the sub-processor section and check that each sub-processor either operates in an adequate country or is covered by SCCs.
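The sub-processor check described above can be reduced to a repeatable review step. The script below is an added illustrative example, not Anthropic's or OpenAI's tooling: it walks a sub-processor register and, for each entry, records whether processing stays inside the EEA, relies on an adequacy decision, or is covered by SCCs documented in the DPA, and flags anything with no documented mechanism. The register entries and the adequacy set are constructed placeholders; the authoritative adequacy list is the European Commission's, and the page does not name either vendor's actual sub-processors.

```python
# Added illustrative example: a sub-processor transfer check. This is not
# Anthropic's or OpenAI's tooling; the register and adequacy set are constructed.
from dataclasses import dataclass
from typing import List, Optional

# EU/EEA member states: processing here is not a third-country transfer.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

# Constructed, partial set of jurisdictions with an EU adequacy decision.
# Verify against the European Commission's current list before relying on it.
ADEQUATE = {"GB", "CH", "JP", "KR", "CA", "IL", "NZ", "AR", "UY"}


@dataclass(frozen=True)
class SubProcessor:
    name: str
    purpose: str
    country: str        # ISO 3166-1 alpha-2 code of the processing location
    scc_in_dpa: bool    # True if the vendor's DPA documents SCCs for this entity


def transfer_basis(sp: SubProcessor) -> Optional[str]:
    """Return the documented transfer basis for one sub-processor, or None."""
    code = sp.country.upper()
    if code in EEA:
        return "within EEA (no third-country transfer)"
    if code in ADEQUATE:
        return "adequacy decision"
    if sp.scc_in_dpa:
        return "SCCs documented in DPA"
    return None


def review_register(register: List[SubProcessor]) -> List[dict]:
    """Evaluate every entry; each finding records whether it is covered."""
    findings = []
    for sp in register:
        basis = transfer_basis(sp)
        findings.append({
            "name": sp.name,
            "country": sp.country.upper(),
            "basis": basis or "NONE - requires SCCs or another transfer mechanism",
            "covered": basis is not None,
        })
    return findings


def uncovered(register: List[SubProcessor]) -> List[str]:
    """Names of sub-processors with no documented transfer mechanism."""
    return [f["name"] for f in review_register(register) if not f["covered"]]


# Constructed sample register (names, purposes and locations are placeholders).
SAMPLE_REGISTER = [
    SubProcessor("Example Cloud Hosting", "infrastructure", "US", scc_in_dpa=True),
    SubProcessor("Example Analytics Co", "product analytics", "US", scc_in_dpa=False),
    SubProcessor("Example Support Desk", "support ticketing", "IE", scc_in_dpa=False),
    SubProcessor("Example SecOps Monitoring", "security monitoring", "GB", scc_in_dpa=False),
]

if __name__ == "__main__":
    for f in review_register(SAMPLE_REGISTER):
        flag = "OK " if f["covered"] else "GAP"
        print(f"{flag} {f['name']:<28} {f['country']}  {f['basis']}")
    print("Uncovered:", uncovered(SAMPLE_REGISTER))
```

Run it against the register you transcribe from the vendor's published list, with `scc_in_dpa` set only where the DPA's transfer section actually names that entity; the `GAP` rows are the ones to raise with the vendor before signing.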
Product Tier Breakdown: Compliance Implications
The compliance posture of each vendor varies significantly by product tier. The comparison table above reflects API-level access. Here is how it changes by tier:
| Product | DPA | Data retention | Training on data | HIPAA BAA |
|---|---|---|---|---|
| Claude API | Yes | 30 days default | No | No |
| Claude.ai Free | No | Indefinite (conversation history) | May be used for improvement | No |
| Claude.ai Pro | No | Per Anthropic consumer terms | May be used for improvement | No |
| Claude.ai Business/Enterprise | Yes | Configurable | No | No |
| ChatGPT API | Yes | 30 days default | No | No |
| ChatGPT Free | No | Indefinite unless deleted | May be used for training | No |
| ChatGPT Plus | No | Per OpenAI consumer terms | May be used (opt-out available) | No |
| ChatGPT Team | Yes | 30 days | No | No |
| ChatGPT Enterprise | Yes | Configurable | No | Yes |
The pattern: free and consumer tiers of both tools are not compliant options for regulated data. Teams that allow employees to use personal ChatGPT Plus or Claude.ai Pro accounts for work data are operating outside DPA coverage, with no training opt-out guarantee.
Your acceptable use policy must specify the approved tier by name, not just "Claude" or "ChatGPT."
Audit Trail: What Each Vendor Provides
For compliance teams that need to demonstrate AI tool oversight to regulators or auditors, the audit trail features differ:
Claude (Business/Enterprise): Usage logs accessible via the Anthropic console; API request logs available; no native export of prompt/response content (by design, for privacy).
ChatGPT Team/Enterprise: Conversation exports available; admin dashboard shows user-level usage; SSO integration for access control; audit logs for admin actions.
For teams subject to SEC examination (registered investment advisers, broker-dealers), the audit trail capability matters; examiners have asked about AI tool oversight records. ChatGPT Enterprise's exportable conversation history gives more surface-level auditability; Claude's approach prioritizes data minimization but provides less granular logging.
Document which logging capabilities you are using and why, regardless of vendor. The record that you assessed and chose deliberately will serve you better than a superior feature set you cannot explain.
The Bottom Line
Neither Claude nor ChatGPT is the universal compliance winner. Claude's no-training-on-prompts default and strong data minimization posture make it easier to use with sensitive data without policy exceptions. ChatGPT Enterprise's broader enterprise adoption means more auditors and procurement teams have seen its documentation, which reduces friction in regulated environments where vendor familiarity matters.
For most small teams, the practical decision comes down to two questions: which product tier fits your budget while maintaining the training opt-out, and which vendor will provide a signed DPA with the specific GDPR Article 28 clauses your legal counsel requires. Run both vendors through the AI Vendor Evaluation Checklist; the answers will determine the right choice for your context faster than any feature comparison.
Your Next Steps
- Get a DPA signed before any work data goes into either tool (AI Vendor Evaluation Checklist)
- Document which product tier is approved in your AI acceptable use policy (AI Acceptable Use Policy Template)
- Run the full side-by-side comparison across all 15 vendors (AI Vendor Scorecard)
- Check your full regulatory exposure (AI Compliance Quiz)
