AI Provider Trust Registry evidence verified as of 2026-07-05

Registry / Claude via Google Vertex AI

Claude via Google Vertex AI

developer: Anthropic platform: Google Cloud Vertex AI category: cloud distribution

Anthropic's Claude models served as partner models on Google Cloud Vertex AI (Model Garden). Vendor-trust and data-handling dimensions below describe Google Cloud / Vertex AI as the serving platform; EU AI Act dimensions describe Anthropic as the model developer.

Watch-outs 2

The cells where this offering is not a clean public yes. This is what to check before you sign.

Vendor trust
SOC 2 Type II Is a SOC 2 Type II report available for this offering?
Yes, public confidence: high · verified 2026-07-05

Google's services-in-scope page lists both "Vertex AI Platform" and "Generative AI on Vertex AI" as covered by Google Cloud's SOC 1/2/3 reports. SOC 2 Type II reports are downloadable self-serve via Google's Compliance Reports Manager (Google account required, no sales gate); SOC 3 is fully public. Scope is the Google Cloud platform level; the report does not attest Anthropic's own controls.

tier: self_serve · route: public · default: enabled ·

reports: ['SOC 1', 'SOC 2', 'SOC 3'] · services_in_scope: ['Vertex AI Platform', 'Generative AI on Vertex AI']

source · archived copy

ISO 27001 Is there an ISO/IEC 27001 certification covering this offering?
Yes, public confidence: high · verified 2026-07-05

"Vertex AI Platform" and "Generative AI on Vertex AI" are listed in scope for Google Cloud's ISO/IEC 27001 (plus 27017/27018) certification. Certificates are available via cloud.google.com/security/compliance/iso-27001 and the Compliance Reports Manager.

tier: self_serve · route: public · default: enabled ·

related_certs: ['ISO 27017', 'ISO 27018'] · services_in_scope: ['Vertex AI Platform', 'Generative AI on Vertex AI']

source · archived copy

ISO 42001 Is there an ISO/IEC 42001 (AI management system) certification?
Yes, public confidence: medium · verified 2026-07-05

Google has publicized ISO/IEC 42001:2023 certification of its AI management system covering Google Cloud Platform (announced via Google Cloud blog "Google Cloud's commitment to responsible AI is now ISO/IEC certified"). However, ISO 42001 does not appear in the per-service services-in-scope matrix, so explicit coverage of Vertex AI partner models (Claude) within the certificate scope could not be verified publicly; confirm certificate scope via Compliance Reports Manager. Anthropic separately holds its own ISO 42001 for first-party services, but that does not attach to this Vertex offering.

tier: self_serve · route: public · default: enabled ·

certified_scopes_publicized: ['Google Cloud Platform', 'Google Workspace', 'Gemini app']

source

Trust center Is there a maintained trust center / compliance portal?
Yes, public confidence: high · verified 2026-07-05

Google Cloud maintains a public compliance resource center with per-standard pages, a services-in-scope matrix, and the Compliance Reports Manager for self-serve download of audit reports (SOC, ISO) without NDA for most reports.

tier: self_serve · route: public · default: enabled ·

reports_portal: https://cloud.google.com/security/compliance/compliance-reports-manager

source

Data handling
HIPAA BAA Will they sign a HIPAA Business Associate Agreement covering this offering?
Partial confidence: medium · verified 2026-07-05

Google Cloud offers a self-serve BAA covering its entire infrastructure, and Vertex AI Platform functionality (e.g. Vertex AI Workbench, Agent Engine) appears among HIPAA-included products. However, public evidence that Anthropic Claude partner models specifically are HIPAA-included functionality on Vertex AI was not found; Google documentation cautions that not all Model Garden LLMs support HIPAA. Graded partial pending confirmation that Claude models are on the HIPAA-included functionality list. Human review recommended.

tier: self_serve · route: public · default: requires_config ·

baa_acceptance: self-serve via admin console (support.google.com/cloud/answer/6329727)

source · archived copy

GDPR DPA Is there a public DPA with SCCs and a published subprocessor list?
Yes, public confidence: high · verified 2026-07-05

Google's Cloud Data Processing Addendum is public, incorporated into the Google Cloud agreement, addresses GDPR/European Data Protection Law (transfer mechanisms including SCCs are handled in the CDPA's appendices), commits to ISO 27001 for audited services, and defines the subprocessor regime (Section 11) with a published subprocessor list. Vertex AI is an audited service under the CDPA via the services-in-scope list.

tier: self_serve · route: public · default: enabled ·

addendum: Cloud Data Processing Addendum (CDPA) · subprocessor_list: https://cloud.google.com/terms/subprocessors

source · archived copy

No-training default Is there a public commitment not to train on customer API data by default?
Yes, public confidence: high · verified 2026-07-05

Google Cloud Service Terms Section 17 (Training Restriction) commits that Google will not use customer data to train or fine-tune AI/ML models without customer permission or instruction; the Vertex AI generative AI data governance page states prompts, responses, and adapter training data are not used to train foundation models by default, and that customer prompts/responses are not shared with third parties, including partner-model providers such as Anthropic. Archived snapshot is of the pre-migration cloud.google.com URL for the same page.

tier: self_serve · route: public · default: enabled ·

contractual_basis: Google Cloud Service Terms, Section 17 "Training Restriction"

source · archived copy

Retention / ZDR Is retention documented, and is zero-data-retention available?
Yes, public confidence: medium · verified 2026-07-05

Retention is documented - by default Vertex AI caches generative AI inputs/outputs for up to 24 hours in the serving data center to reduce latency; customers can disable caching at the project level to achieve zero data retention. Optional request-response logging (e.g. 30-day retention, stored in the customer's project) is off by default. The 24-hour caching documentation is written primarily for Google foundation models; for Claude partner models, Anthropic-style prompt caching is an explicit per-request opt-in, but the project-level ZDR configuration is the documented control. ZDR requires configuration - it is NOT the default (hence default: requires_config).

tier: self_serve · route: public · default: requires_config ·

zdr_mechanism: disable data caching at project level · optional_logging_days: 30 · default_cache_ttl_hours: 24

source · archived copy

Residency Can data be pinned to a region (especially the EU)?
Yes, public confidence: medium · verified 2026-07-05

Vertex AI documents data-at-rest residency by region and a separate ML-processing residency commitment supported only in US and EU locations. Claude models are reachable via regional endpoints (including EU regions), US/EU multi-region endpoints that keep processing within the chosen geography (per Google Cloud's announcement of multi-region endpoints for Claude), and a global endpoint that explicitly does NOT guarantee processing location - customers with residency requirements must choose regional/multi-region endpoints. Confidence medium because the residency page could not be fully retrieved and Claude-specific region lists were corroborated via Google Cloud announcements rather than quoted from the docs page.

tier: self_serve · route: public · default: requires_config · geography: EU available (regional and EU multi-region endpoints)

at_rest: region-pinnable · claude_endpoints: ['regional (incl. EU, e.g. europe-west1)', 'US/EU multi-region', 'global (no residency guarantee)'] · ml_processing_residency: US and EU locations only

source

EU AI Act
GPAI Code Is the model developer on the EC's GPAI Code of Practice signatory list?
Yes, public confidence: high · verified 2026-07-05

Two-level layering - the GPAI Code of Practice is a model-provider obligation, so this cell grades Anthropic (the developer), which appears on the EC signatory list as a full-code signatory (announced July 21, 2025); only xAI is noted as a partial (Safety & Security chapter) signatory. Google, the serving platform here, is separately also a full-code signatory, so both layers of this offering sit under the Code.

route: public · geography: EU

google_signed: full code (all chapters) · anthropic_signed: full code (all chapters)

source · archived copy

Art. 53 summary Has the model developer published the Art. 53 training-data summary?
No public evidence confidence: medium · verified 2026-07-05

Developer-level (Anthropic) obligation under Art 53(1)(d). The EC's mandatory template for the public summary of training content was published 2025-07-24. As of 2026-07-05, searches of anthropic.com (including the Transparency Hub, which describes training data only in general terms, e.g. "a proprietary mix of publicly available information") and the web found no Anthropic training-content summary published on the EU template. Models placed on the market before 2025-08-02 have until 2027-08-02; models placed after should have one, so absence of evidence here is notable and worth periodic re-checking. Human review recommended.

geography: EU

deadline_new_models: 2025-08-02 · template_published_by_ec: 2025-07-24 · deadline_pre_existing_models: 2027-08-02

no public source

Spotted an error? Submit a correction with evidence, corrections with a primary source are folded in and credited in the changelog.