Governance & Compliance Basics
8 walkthroughs to get you started with Governance & Compliance - 5 basic and 3 intermediate.
Prerequisites
- Admin or workspace-owner access to the Claude Console for your organization.
- A rough inventory of what kinds of data your team already pastes into Claude (customer records, source code, internal financials, and so on).
- Familiarity with your organization's own compliance obligations - which regulations apply (SOC2, GDPR, HIPAA, or none of these) shapes how tight these settings need to be.
Basic Examples
1. Locate the Data Retention Setting
Find the workspace-level setting that controls how long conversation data is stored.
In the Claude Console, this lives under workspace or organization settings, typically alongside privacy and data controls.
- The retention window applies to the whole workspace, not to individual conversations.
- Confirm the current value before assuming it matches your organization's needs - do not assume the default is already conservative.
- Write down the current setting somewhere your compliance team can reference it later.
Related: How Claude Handles Data Retention and Training Opt-Outs - the mental model behind this setting
2. Enable the Training Opt-Out for the Workspace
Turn on the setting that excludes your organization's conversations from being used to train future Claude models.
- This is a separate toggle from retention - setting one does not automatically set the other.
- Once enabled, it applies to conversations going forward within that workspace.
- Regulated or proprietary-data teams should treat this as a baseline setting to check on day one, not an afterthought.
Related: How Claude Handles Data Retention and Training Opt-Outs - explains why these are two separate settings
3. Check What Audit Logs Are Already Recording
Open the audit log view in the Claude Console and review a sample of recent entries.
- Audit logs capture admin actions and access events - who did what, and when.
- Look for entries related to settings changes, user additions, and permission changes as a first pass.
- If the log is empty or sparse, that itself is worth noting - it may mean logging has not been reviewed since setup.
Related: What Audit Logs Capture in the Claude Console - a full breakdown of what shows up here
4. Identify Your Organization's Applicable Compliance Standards
Before configuring anything further, determine which compliance frameworks actually apply to your organization - SOC2, GDPR, both, or neither in a formal sense.
- SOC2 is about security controls and operational trust; GDPR is about personal data rights and processing.
- Not every organization needs to treat every setting as if the strictest regulation applies.
- Document this decision so future settings changes have a stated reason behind them.
Related: Understanding Claude's SOC2 and GDPR Compliance Posture - what these standards actually require
5. Draft a One-Page "What Not to Paste" Note for Your Team
Write a short, plain-language note telling employees what categories of data are off-limits to paste into Claude - customer PII, credentials, unreleased financials, and similar.
- Keep it to one page; long policies get skimmed or ignored.
- Frame it around categories of data, not an exhaustive banned-terms list, since it needs to generalize.
- Distribute it during onboarding, not buried in a settings wiki nobody visits.
Related: Writing PII Handling Guidance for Teams Pasting Sensitive Data - a full procedural guide for this
Intermediate Examples
6. Review Retention and Training Settings Against a Specific Regulated Project
Take one active project involving regulated or sensitive data and walk through whether the current retention window and training opt-out actually fit that project's requirements.
- Compare the project's data sensitivity against the workspace's current settings, not the other way around.
- If the project needs a tighter setting than the rest of the workspace uses, decide whether to tighten workspace-wide or handle the project separately.
- Record the decision and the reasoning, since this becomes useful evidence during a compliance review.
Related: Data Handling Controls Every Admin Should Configure - the fuller checklist this walkthrough is drawn from
7. Run a Quarterly Audit Log Review
Set a recurring calendar reminder to review the audit log for unusual admin activity - unexpected settings changes, unfamiliar access events, or permission escalations.
- Treat this as a standing process, not a one-time check during setup.
- Compare against a short list of "who should be doing what" so anomalies are easy to spot.
- Escalate anything that doesn't match an expected change to whoever owns security at your organization.
Related: What Audit Logs Capture in the Claude Console - what to expect in each entry
8. Build a Pre-Rollout Compliance Checklist Before Expanding to a New Team
Before adding a new department or business unit to your Claude workspace, walk through retention, training opt-out, audit logging, and DLP posture as a single pre-launch review.
- Treat expansion to a new team the same way you'd treat a new vendor onboarding - as a trigger to re-verify settings.
- Use a written checklist rather than relying on memory, since teams onboard infrequently enough that steps get forgotten.
- Revisit the checklist after rollout to confirm the settings held as expected.
Related: Compliance Checklist Before Rolling Out Claude Enterprise-Wide - the full pre-launch checklist this walkthrough previews
Stack versions: Written against the Claude model lineup current as of ~June 2026 - Claude Fable 5, Claude Opus 4.8, Claude Sonnet 5 (the default), and Claude Haiku 4.5. Model names, pricing, and product features move quickly - verify current specifics at platform.claude.com/docs before relying on them.