Enterprise Claude Deployment — A Technical Reference for CTOs

Most enterprises that want to use Claude get stuck at procurement rather than at product. The assistant works in trials. Integration is possible. User adoption is real. The problem is a single architectural fact. The standard way Claude reaches a laptop sends prompts, responses, and attached files to Anthropic's infrastructure in the United States. For a regulated institution in Dublin, Frankfurt, Singapore, or Toronto, anywhere data protection rules or contractual obligations prohibit processing outside a specific jurisdiction, that fact alone is a procurement blocker. Anthropic's answer to this constraint is Cowork on third-party, usually abbreviated to Cowork 3P. It is a deployment mode that routes all inference through a provider you control, leaving conversation history on user devices rather than Anthropic-operated backend servers. This hub explains how it works, which providers you can choose from, which guarantees apply to which routes, and the governance implications each route carries.

If you are reading this because your procurement team has flagged Claude as non-compliant with your data residency or "no data to Anthropic" requirements, this series answers the question: which deployment route permits your compliance posture and what does each route require operationally, financially, and legally.

What Cowork 3P actually is

Anthropic documents Cowork 3P in one sentence on the Cowork 3P overview page:

Cowork on third-party (3P) is a deployment mode of Claude Desktop that routes all model inference through a provider you configure.

This is not a separate product or a beta. It is a configuration of the standard Claude Desktop application that directs model calls to an inference endpoint your organisation owns or contracts with, rather than to Anthropic's public API. The web application that normally loads from claude.ai is bundled inside the desktop app so no traffic reaches Anthropic's servers there either. Conversation history, file attachments, and tool outputs are written to the user's local device rather than an Anthropic-operated backend. The interface is identical to standard Cowork. The routes the traffic takes are fundamentally different.

The four deployment categories

Anthropic supports four categories of inference providers for Cowork 3P. The organisation explicitly signals in its documentation that these four are not interchangeable for compliance purposes:

Organizations select from Google Cloud Vertex AI, Amazon Bedrock, Azure Foundry, or compatible gateways.

Amazon Bedrock routes Claude inference through AWS's managed inference layer inside your AWS account. Authentication uses AWS Identity and Access Management. Data stays in your AWS region. Audit trails flow through CloudTrail. For organisations with a deep AWS commitment, Bedrock feels like an extension of existing infrastructure.

Google Cloud Vertex AI runs Claude as a managed service inside Google Cloud, available in 35 global regions with no infrastructure provisioning required. It carries full FedRAMP High certification and is one of only two routes with Anthropic's explicit guarantee that conversation data never reaches Anthropic systems. For public sector and GCP-committed enterprises, Vertex is frequently the default choice.

Azure AI Foundry provides Claude through Microsoft's serverless deployment model, integrated with Azure infrastructure and Microsoft Entra ID authentication. It offers European data residency via Sweden Central and US regions via East US 2.

Compatible custom gateways implement Anthropic's Messages API and may be deployed on Snowflake Cortex, Databricks, or other data-platform-native infrastructure. This category allows inference to run inside your data warehouse, eliminating a separate API call and data movement.

The compliance boundary: which routes guarantee "no data to Anthropic"

Before proceeding with any route decision, you must understand a material distinction that Anthropic flags explicitly in its Cowork 3P documentation. The guarantee that conversation data does not reach Anthropic applies only to two routes.

The data-residency, compliance, and "no conversation data sent to Anthropic" statements throughout these pages apply only when inferenceProvider is vertex or bedrock. They do not apply when using Azure Foundry or a gateway. Equivalent guarantees for Azure Foundry are coming; we will update these pages when they are available.

Read plainly, this carries two implications. On Bedrock and Vertex, as of 2026-04-22, Anthropic's documented position is that conversation data does not reach Anthropic's systems. Prompts, responses, and files route only to the configured provider endpoint. Conversation history remains on the user's device. This is the guarantee profile that regulated enterprises buying on "no data to Anthropic" requirements are evaluating.

On Azure Foundry and on gateway routes (including data-platform-native inference such as Snowflake Cortex Code), the same guarantee does not currently apply. Anthropic states that equivalent guarantees for Foundry are planned, but planned is not the same as available.

The operational consequence is straightforward. If your compliance posture depends on the assertion that conversation data never reaches Anthropic, Bedrock and Vertex are your only options today. Foundry remains viable for organisations whose compliance questions live elsewhere, such as regional data processing, encryption, or audit trails, rather than depending on the "no data to Anthropic" boundary. Gateways can be the right choice for specific warehouse providers under specific contractual terms, but neither carries the Anthropic guarantee in this area yet. For a CTO mapping routes to requirements, this boundary is the first filter to apply.

Five decision dimensions for enterprise procurement

Evaluating Claude deployment across the four routes requires weighing five independent decision criteria simultaneously. No single route optimises across all five. Cost per token varies by provider and commitment model. International residency and regional availability differ materially. Bedrock covers fewer regions than Vertex, which covers fewer than Foundry or data platforms. Security controls like encryption at rest, customer-managed keys, and air-gap compatibility are available on some routes but not others. Governance approaches diverge sharply because MDM deployment and credential rotation work differently on each provider. Procurement and contractual terms are still stabilising, especially for Foundry and data platforms, which means some vendors have not yet published standardised DPA language or audit rights.

Cost modelling begins with published token rates but expands to hidden components. Bedrock publishes pricing; Vertex requires a conversation with Google; Azure and Snowflake do not publish rates at all. Once you move past headline tokens, private networking costs, encryption key management, data egress, and warehouse sizing reshape the comparison. Chapter 6 unpacks the cost analysis across all four routes and shows how to build a comparison when vendors hold pieces of pricing in different places.

International residency and regional availability are critical for regulated enterprises. Bedrock operates in six published regions. Vertex operates in 35 global regions. Foundry operates in two, East US 2 and Sweden Central. Data-platform routes depend on where your warehouse runs. Chapter 7 maps each route against GDPR, UK GDPR, HIPAA, and Singapore MAS requirements, and shows how to design a deployment topology for multi-region organisations.

Security controls fall into eight categories: data egress, telemetry, encryption in transit and at rest, customer-managed keys, audit logging, and identity control. Not every route offers every control. Bedrock and Vertex offer customer-managed encryption keys; Foundry support requires verification. Bedrock provides CloudTrail; Foundry provides diagnostic logs. Chapter 8 documents the security controls and egress profiles across all routes so your security team can build an inventory against your requirements.

Governance shifts from standard cloud administration because Cowork 3P has no runtime configuration reload. Policy changes require a device restart. This turns governance into a planned maintenance exercise rather than a hot deployment. Credential rotation, policy updates, and rate limits all require a restart window. Chapter 9 explains how to operate governance, MDM deployment, and change control effectively within this architecture and how MDM becomes your policy enforcement instrument.

Procurement and contractual terms are where technical choices meet compliance reality. Data Processing Agreements must address processor obligations, sub-processor disclosure, audit rights, and breach notification. Liability clauses, indemnification, and SLA terms are often absent from vendor documentation but essential for regulated enterprises. Chapter 10 walks through the procurement, legal terms, and contracting checklist, escalation paths, and the specific contract language your organisation should require.

How to use this hub

Chapter 1 explains the Cowork 3P architecture at the level needed to understand why data routes the way it does and which Anthropic guarantees apply where. Read this first. It sets the mental model for everything that follows.

Chapters 2-5 go provider-by-provider. Chapter 2 covers the Bedrock route and why AWS-committed enterprises choose it. Chapter 3 covers the Foundry route and its current guarantee gap. Chapter 4 covers the Vertex AI route and FedRAMP readiness. Chapter 5 covers data-platform-native deployments like Snowflake Cortex where inference runs inside your warehouse.

Chapters 6-10 are decision-support chapters organised by decision dimension rather than by route. Chapter 6 is cost analysis across all four routes. Chapter 7 is international and regional residency requirements. Chapter 8 is security controls and egress profiles. Chapter 9 is governance, MDM deployment, and change control. Chapter 10 is procurement, legal terms, and contracting. Use these chapters to build your evaluation criteria, then return to the route-specific chapters to understand how each route meets those criteria.

How to read the chapters

Every chapter follows the same structure. The opening paragraphs orient you to the problem the chapter solves. A contents list links to every section. Primary sources appear at the end with verification dates. All external links open in a new tab. Every factual claim traces to a primary-source URL that you can verify independently. The verification date for all claims in this hub is 2026-04-22. Claims that carry time-sensitive information, such as pricing, regional availability, and feature parity, include that date explicitly and link to the primary source so you can check for updates.

A note on timing and change

Azure Foundry's compliance guarantee status is under review as of this writing. Google announced the Gemini Enterprise Agent Platform as the evolution of Vertex AI on 22 April 2026, the same day this hub was verified. The technical substrate for Claude on Vertex continues to apply, but the roadmap wrapper is changing. Anthropic may publish new guarantees on any route at any time. Always verify current terms at the Anthropic Cowork 3P overview page before committing to procurement. The primary sources listed throughout this hub allow you to track when documentation changes.

Chapter index

1. Deployment Architecture and the Cowork 3P Model. What Cowork 3P is, how the four providers differ, which guarantees apply where, and why configuration is read once at launch.
2. AWS Bedrock as a Claude Deployment Target. Why AWS-committed enterprises choose Bedrock, available models, the data guarantee, PrivateLink, compliance certifications, and when Bedrock is the right choice.
3. Azure Foundry as a Claude Deployment Target. The Foundry guarantee gap and why it matters, available models, regional constraints, and when Foundry is viable despite the guarantee gap.
4. Google Vertex AI as a Claude Deployment Target. FedRAMP High certification, global regions, the Anthropic data guarantee, VPC Service Controls, and the Gemini Enterprise Agent Platform announcement.
5. Data-Platform Routes, Snowflake Cortex and the Category. What data-platform-native inference means, Snowflake Cortex as reference, the guarantee boundary, and when warehouse-native inference is the right choice.
6. Cost Modelling Across Deployment Routes. Published token rates, hidden cost components, and how to build a comparison model when vendors publish pricing in different places.
7. International Deployment and Data Residency. GDPR, UK data protection, HIPAA, Singapore MAS requirements, regional availability, and how to design topologies for multi-region enterprises.
8. Security Controls and Compliance Posture. The controls matrix across all four routes, encryption, audit logging, telemetry, and how to build a controls inventory.
9. Governance, Usage Policy, and Cost Control. MDM-delivered configuration, the planned-not-reactive model, credential rotation windows, and how to operate governance at scale.
10. Procurement and Contract Negotiation. DPA checklist, processor obligations, audit rights, Enterprise Discount Programme terms, and escalation paths when negotiation stalls.

Nothing in this article is legal advice. It names regulatory frameworks and describes how each deployment route affects compliance posture. Compliance interpretation for your specific regulatory context, jurisdiction, and client contracts must be reviewed with qualified legal counsel. Verify current Anthropic documentation at https://claude.com/docs/cowork/3p/overview before making a procurement decision.