TL;DR. Anthropic processes Cowork inference in US and EU regions; Enterprise customers can negotiate region pinning. Default retention is around 5 years on Pro and Max with a 30-day opt-out; Team and Enterprise are organisation-controlled with no training as the default and zero-retention available contractually. Turn on the training opt-out before any real data touches a Pro or Max pilot.
The three questions buyers ask
- Where is the data processed? US and EU, with region pinning available on Enterprise contracts.
- How long is it kept? Plan-dependent. Roughly 5 years by default on Pro/Max with a 30-day opt-out; org-controlled on Team and Enterprise.
- Is it used to train the model? Default yes on Pro/Max with a per-user opt-out; default no on Team and Enterprise.
The rest of this page backs those three answers up.
Region and processing
- Anthropic's primary inference regions are US and EU. Verify against the current Trust Center page before you put it in a procurement document.
- Enterprise customers can negotiate region pinning at contract. This is the right move for any client with strict EU residency requirements.
- The desktop app processes some content locally before sending excerpts to inference — but assume the relevant content reaches Anthropic's region.
- For UK / EU residency-sensitive customers, the Enterprise plan is the standard answer. Pro and Max are not the right floor for tight residency requirements.
Retention by plan
| Plan | Default retention | Opt-out | Notes |
|---|---|---|---|
| Pro | ~5 years | 30 days, per-user toggle | Per-user; you turn it on before any real data lands |
| Max | ~5 years | 30 days, per-user toggle | Same as Pro |
| Team | Org-controlled | Yes; default no training | Admin console |
| Enterprise | Org-controlled; zero-retention available | Contractual | Default do not train; zero-retention is contracted |
Numbers verified against Anthropic's data privacy controls page in late April 2026. Re-verify on each monthly review of this page.
Training opt-out and how it actually works
- The opt-out toggle prevents your prompts and outputs from being used to improve future Claude models.
- Opt-out applies forward. Data already used for training is not retroactively removed.
- For Team and Enterprise, the default is "do not train." No per-user toggle needed.
- Tinkso recommends enabling opt-out at the start of any Pro / Max pilot before any real data goes in. This is a one-click action that survives every subsequent procurement question.
If your security team asks "can you prove the opt-out is on?" — yes, the toggle state is visible in account settings and reflected in the audit posture.
Memory data
- Memory entries are stored under the user's account.
- Same retention and training posture as the rest of the conversation data.
- Deletion is per-entry via the Memory UI. There is no bulk-export-and-delete tooling at GA, which is the one Memory limitation worth flagging in a security review.
If your team puts sensitive data into Memory, the cleanup path is manual. Plan accordingly — or better, do not put sensitive data in Memory in the first place.
MCP connector data
- Each connector handles its own data flow according to its vendor's terms.
- Cowork does not store the connector's responses outside the conversation context unless told to.
- If a connector returns regulated data — PII, PHI, financial — the data is in the prompt; treat the inference call as in scope for that data class.
This is where most regulated-deployment design happens: which connectors return what data, and which inference calls accordingly inherit which compliance posture.
Cross-border considerations
- US / UK mid-market customers should review the EU vs US processing question even if all employees are stateside. Supplier and customer data may pull GDPR scope into play.
- Enterprise customers with strict residency can negotiate region pinning at contract.
- Tinkso engagements include a 30-minute residency check during pre-flight for any client in regulated industries — see Pre-flight checklist.
Tinkso's take
Retention defaults trip up more procurement reviews than any other Cowork question. We brief every client to enable opt-out on day one of a Pro / Max pilot, and to upgrade to Team or Enterprise before scale. The cost delta is small; the security-review delta is enormous.
The other recurring trip-up: clients assume "do not train" and "zero retention" are the same thing. They are not. Zero retention is a contractual posture only available on Enterprise; do-not-train is widely available. Read your contract.
Try this
In account settings, find the Data Privacy Controls page. Turn on the "do not train" opt-out for every pilot user before they touch a real document. Take a screenshot. That screenshot is the artifact your security partner will ask for in week one.
Last reviewed: 25 April 2026 · The Cowork Bible · Tinkso