Technical teams tend to treat procurement and legal review as a gate at the end of an AI project. That ordering is backwards and expensive: contract questions can reshape platform choice, and platform choice reshapes the contract questions. This guide describes the landscape in general terms so you can engage the right people early. It is emphatically not legal advice — marketplace terms, data-processing agreements, and AI-specific contract provisions vary by provider, by agreement, and by jurisdiction, and your counsel needs to review the actual documents that apply to you.
Why the 3P path changes the paperwork
Buying Claude directly from Anthropic (the 1P path) means onboarding Anthropic as a vendor: security review, contract negotiation, a new name in the payment system. Consuming Claude through Amazon Bedrock, Google Vertex AI, Microsoft Foundry, or Claude Platform on AWS typically routes the purchase through your existing relationship with that cloud provider — the usage appears on the cloud bill you already pay, under commercial terms connected to agreements you already signed. For many enterprises this is the decisive advantage of 3P: the difference between a procurement cycle measured in weeks and one measured in quarters. But "connected to agreements you already signed" is exactly the phrase legal will want to unpack, which brings us to the questions worth preparing for.
The questions legal will ask — and how to prepare
Which terms actually govern this usage? Marketplace and model-provider terms vary and can layer on top of your existing cloud agreement. Do not assume your enterprise agreement automatically covers a new AI service exactly as it covers storage or compute; have counsel confirm what applies, including any model-specific or AI-specific terms the platform attaches.
What happens to our data? Expect questions about processing location, retention, and whether inputs are used for anything beyond serving your requests. Your data-processing agreement (DPA) with the cloud provider — the contract addendum governing how they handle personal data on your behalf — may need review for whether and how it covers the AI service. Bring your privacy team in alongside legal; the data flow basics article covers what to verify technically so the contract review is grounded in how the service actually works.
What about compliance certifications? Running Claude inside your cloud largely inherits your cloud provider's compliance posture, which is genuinely useful in audits — but the specifics of which certifications cover which services in which regions are the provider's to confirm, not yours to assume. Never let a deck or a wiki page stand in for the provider's own compliance documentation.
Who is responsible for the outputs? Questions about intellectual property in generated content and liability for model mistakes are contract- and jurisdiction-specific. Flag them for counsel; do not answer them from a blog post — including this one.
Who signs what, in practice
Sort the signatures into three piles. Commercial terms — marketplace subscriptions and committed-use commitments — run through your cloud provider relationship and land with whoever owns that budget; note that committed-use discounts are negotiated with the cloud provider, not with Anthropic. Data and privacy terms — the DPA and any AI-service addenda — belong to legal and the privacy office. Internal governance — the acceptable-use policy, security sign-off, and risk acceptance for the specific use case — is signed inside your own house, typically by security and the business owner. Knowing which pile a document belongs to keeps the process moving; the classic stall is a commercial document waiting on a privacy reviewer, or vice versa.
Keep a decision file
Write down what was reviewed, what was decided, and who accepted which risk: the platform chosen and why, the terms counsel reviewed, the DPA status, the use cases approved and any that were explicitly declined. Six months later, when an auditor, a customer security questionnaire, or a new general counsel asks "on what basis are we doing this?", a thin folder of dated decisions is the difference between an afternoon and a re-review of the whole program.
Where to go next
Compliance inheritance explains what running inside your cloud does and does not cover in audits, and data residency preps you for the region and processing-location questions legal will raise. For the commercial side, see committed-use discounts.