Guidance for Legal Professionals

Uploading Files to Anthropic's Claude for Analysis Under Zero Data Retention

Understanding the two methods of sending documents to Claude — and why the distinction matters for protecting client confidentiality under Rule 1.6.

If your firm uses an application built on Anthropic's Claude API to analyze documents such as depositions, contracts, or correspondence, it is critical to understand that not all methods of sending files to Claude are covered by a Zero Data Retention agreement. The way the application is built determines whether your client's data is protected.

I. The Two Methods of Sending Documents

There are two fundamentally different ways a software application can deliver a document to Claude for analysis. Though the end result may look the same to you as the user, the underlying mechanics — and the data retention implications — are very different.

Use with Caution

The Files API

Think of this as uploading an attachment to a cloud drive. Your document is sent to Anthropic's servers, where it is stored and can be referenced across multiple conversations over time.

Because the file persists on Anthropic's infrastructure, this method falls outside Zero Data Retention coverage.

⬤ NOT covered by ZDR

Recommended for ZDR

Inline via the Messages API

Instead of uploading the file for storage, the application extracts the document's text (or encodes the PDF) and sends it directly within the conversation request — similar to pasting text into a message.

Claude reads the content, responds, and nothing is retained. The data passes through and is discarded.

⬤ Covered by ZDR

II. How It Works in Practice

To make this concrete, imagine your firm's application needs to analyze a 50-page deposition transcript. Here is how each method moves the data:

Data Flow Comparison
Method A — Files API (Not ZDR-Eligible)
Your App Uploads file to Anthropic File is stored on servers
Method B — Inline via Messages API (ZDR-Eligible)
Your App Sends content in the request Processed & discarded

The key difference: in Method A, the document lives on Anthropic's servers until it is deleted. In Method B, the content exists only for the duration of the request and is not retained afterward.

III. The Practical Tradeoff

The ZDR-eligible approach (Method B) has one practical consequence worth understanding: because the document is not stored on Anthropic's side, each time you want to ask Claude a new question about the same deposition, the application must send the full document text again.

For a well-designed application, this happens automatically and invisibly — you would not notice any difference as a user. It may result in modestly higher usage costs, as the application transmits the document content with every request. But it is the architecture that keeps your client's data within ZDR protection.

This is a design decision your developer makes when building the application. It is not something you would toggle on or off yourself.

IV. Important Caveats

ZDR Does Not Mean Zero Risk

Even under a valid ZDR agreement using eligible endpoints, Anthropic retains the right to store inputs and outputs in two narrow circumstances. These carve-outs do not make ZDR inadequate, but you should not represent to clients that Anthropic stores absolutely nothing under any circumstances. The accurate statement is that Anthropic does not retain data except in narrow, defined situations. That distinction is worth documenting.

Exception 1: Where Required by Law

If a court order, subpoena, or other legal obligation compels Anthropic to produce data, they retain the ability to do so. This is the same kind of carve-out you would find in virtually any cloud vendor or SaaS agreement — no company will contractually promise to violate a legal obligation.

Examples
Anthropic receives a federal subpoena in connection with a criminal investigation into one of its users. Law enforcement believes someone used Claude to help plan a fraud scheme, and the subpoena demands all records associated with that user's API account during a specific time period. Anthropic needs the legal ability to comply — even for ZDR accounts.
A regulatory agency issues a lawful data preservation order while investigating potential violations. Anthropic must be able to honor that order rather than destroy responsive material.
In practice, this exception is not about Anthropic deciding on its own to keep your data. It is about Anthropic not being forced to choose between honoring your ZDR agreement and complying with the law.

Critical Clarification: This Exception Is Primarily Forward-Looking

An important question arises: if ZDR means data is discarded immediately after processing, how can Anthropic hand anything over in response to a subpoena that arrives after the fact? The answer is that, in most cases, it cannot. You cannot produce what you do not have, and that is well-established law. A party served with a subpoena or discovery request is not sanctioned for failing to produce documents it never retained or that were destroyed under a routine, good-faith retention policy that predated the obligation to preserve.

The "required by law" carve-out is therefore best understood as serving three practical functions:

Function 1 — Prospective Preservation
The most practical function of this carve-out is to allow Anthropic to begin retaining data going forward once a legal obligation arises. For example, if Anthropic receives a litigation hold notice or a preservation order related to a specific account, the carve-out gives Anthropic the contractual right to start capturing and storing that account's inputs and outputs from that point on — even though the account is covered by ZDR. Without this language, a ZDR customer could argue that Anthropic breached the ZDR contract by preserving their data, even in response to a court order.
Function 2 — Data Already Retained for Other Reasons
Some data may still exist even on a ZDR account. If content was flagged by the safety classifier (Exception 2), it may have been stored for up to two years. Account metadata, billing records, and safety classifier logs are also retained outside of ZDR. A subpoena could reach any of that existing material.
Function 3 — National Security and Surveillance Orders
Certain legal processes — such as National Security Letters or FISA court orders — can compel prospective collection and may include gag orders preventing the provider from notifying the account holder. The carve-out ensures Anthropic can comply with these without being in breach of the ZDR agreement.

What This Means for Your Risk Assessment

The forward-looking nature of this exception may provide some comfort: for past conversations that were processed and discarded under ZDR before any legal obligation arose, that data is gone. The carve-out is not a backdoor to wholesale data retention. It is a contractual mechanism that allows Anthropic to comply with legal obligations without breaching its ZDR commitments — primarily by preserving data going forward from the point a legal obligation attaches. This is a useful point to include in client disclosures when explaining how ZDR works.

Exception 2: Usage Policy Violations

Before Claude processes any request, Anthropic runs it through an automated safety screening system — essentially a content filter. If that filter determines the content violates Anthropic's usage policy, Anthropic may store both the input and the output for up to two years so it can investigate misuse, enforce its policies, and potentially report illegal activity.

Examples
Someone uses the API to ask Claude to generate instructions for synthesizing a controlled substance. The safety system flags this as a policy violation, and Anthropic retains the input and output to investigate and potentially suspend the account.
A user submits requests designed to generate realistic phishing emails impersonating a financial institution. The content is flagged, and Anthropic preserves the record for enforcement purposes.
A user submits content involving the exploitation of minors. Even if submitted in an analytical or legal context — for example, a prosecutor using Claude to help organize evidence in a child exploitation case — the safety classifier is automated and may flag it based on the nature of the content itself, regardless of the user's legitimate purpose. In that scenario, Anthropic could retain the data for up to two years.

Why Exception 2 Matters for Legal Practitioners

The safety filter does not know you are a prosecutor, a defense attorney, or a compliance officer working a difficult case. It responds to content patterns. If your firm handles matters involving subject matter that could trigger safety flags — child exploitation, terrorism, weapons, fraud schemes — there is a nonzero chance that legitimately submitted legal material could be flagged and retained, even under ZDR.

This does not mean you cannot use Claude for that work. It means you should factor this possibility into your risk assessment and your client disclosures, particularly for matters involving sensitive or extreme subject matter.

A Note on Safety Classifier Results

Separate from the two exceptions above, Anthropic always retains a record of the safety filter's assessment — meaning a notation such as "this request was reviewed and passed" or "this request was flagged." Importantly, this is the filter's score or classification, not the actual text of your client's document.

Think of it like an airport security log that records "bag scanned, no issues detected" without recording what was inside the bag. The log confirms a screening occurred; it does not contain the screened content.

V. What to Ask Your Developer or Vendor

Due Diligence Checklist

Does the application send document content inline with the Messages API, or does it use the Files API to upload and store documents on Anthropic's servers?
Does the application use any Anthropic API features that fall outside ZDR eligibility (e.g., batch processing, the Files API, or other persistent storage features)?
Can the developer provide written confirmation that the application is architected to use only ZDR-eligible endpoints for all client data?
Is prompt caching enabled? If so, understand that while Anthropic states it may be compatible with ZDR (because raw text is not stored), cached data does persist for a short window (5–60 minutes).
Has your organization executed a ZDR addendum with Anthropic? The agreement must be in place — ZDR is not a default setting.
Do you have a process for periodically re-verifying that the application's architecture still conforms to ZDR requirements as Anthropic updates its API offerings?