Fable and Mythos audits: clauses your Dutch DPO blocks

Anthropic's 30-day data retention requirement for Fable and Mythos changed which clauses we approve, which we red-line, and which die in legal review.

Jacob Molkenboer · Founder · A Brand New Company · 14 Mar 2025 · 9 min

It is a Tuesday morning in Amsterdam. The DPO has a draft DPIA open on one screen and Anthropic's updated terms on the other. She asks one question: where does the prompt data live, for how long, and who at Anthropic can read it. The next forty minutes are about answering that on paper she can put in a binder.

This conversation got harder in May. Anthropic moved Fable and Mythos onto a mandatory 30-day retention window for prompts and tool outputs, and the Hacker News thread on it stayed on the front page for most of a day. Before the policy change, we could ask for zero-day retention as part of an enterprise contract. Now we cannot. The clients who were close to rolling out an agent suddenly have a new line item in their risk register. The agencies who drafted DPIAs in good faith now have to update them.

We run audits on every Fable or Mythos deployment we ship. After the retention change, we rewrote the checklist. What follows is what is on it, ordered by what a Dutch DPO will block first.

What changed and why your contract needs a rewrite

The short version: Anthropic now stores prompts, tool calls, and model outputs for 30 days, with stated reasons of abuse detection, safety classifier improvement, and incident response. There is no contractual switch a customer can flip to get to zero days. Enterprise customers still get a separate data processing addendum and the standard sub-processor commitments, but the retention floor is now 30 days for everyone.

If your client's DPIA from 2025 said "no prompt data is retained by the model provider," that DPIA is now incorrect. The question is not whether to update it. The question is which clauses you redraft, which you reject outright, and which you let stand because they are tolerable.

The four clauses a Dutch DPO will block first

Dutch DPOs have a sequence. They ask about lawful basis, then transfer mechanism, then retention, then sub-processors. When we sit across from a DPO whose CEO wants a customer-support agent live by Q3, these are the clauses that come out of the meeting red.

The first is automatic training opt-in. The DPO will not sign anything that gives any model provider a path to train on a customer's prompts, even in aggregated form. Anthropic's commercial terms already say they do not train on commercial API data. Good. But many client-side wrappers (Zapier, Make, internal middleware) have their own toggles for "improve the assistant," and those defaults vary. We turn them off in writing, in the agent config, and in screenshots saved to the audit folder.

The second is prompt content as personal data with no DPA-level coverage. If a chat agent handles customer email, the prompt is personal data under GDPR Article 4. The DPA between the client and Anthropic covers it. The DPA between the client and the integration vendor often does not. We have seen Drupal modules that proxy prompts through a third party with no DPA in place at all. That clause dies on contact.

The third is the sub-processor list. Anthropic publishes a sub-processor list that includes the underlying cloud provider and a handful of operational vendors. The DPO will want to see it next to the client's existing sub-processor register and check for overlap. If there is a new sub-processor that the client has not notified its customers about, the rollout pauses until that notification goes out. Always.

The fourth is the retention clock itself. The 30 days is non-negotiable from Anthropic, so the DPO blocks not the clause but the absence of compensating controls. We add three: a prompt-side redaction layer that strips obvious PII before the API call, an explicit data-minimisation rule in the agent system prompt, and a logged audit trail on our side so we can answer a data-subject access request without going to Anthropic at all. Without those three, the 30-day window is a problem. With them, it becomes a documented residual risk.

Warning

If you have not updated your client's DPIA since May 2026, it is wrong. The 30-day retention floor for Fable and Mythos invalidates the old "zero retention" assumption, and the data-subject access request workflow needs to be rewritten to match.

The three clauses risk committees actually approve

A sub-€30M SaaS risk committee is a different room than a DPO meeting. The committee is reading the same DPA, but they are also reading a P&L. They ask three questions: what does this break if it fails, what does it cost us if we get sued, and what is the upside.

The clauses that survive that room, in our experience:

  • Standard contractual clauses with a documented transfer impact assessment. The data leaves the EU. The committee accepts this if the TIA is on file and the encryption-at-rest claim is verifiable. Anthropic publishes the relevant cert; we attach it to the audit.
  • Sub-processor change notification with a 30-day objection window. The committee likes 30 days because they have time to react. Anthropic's DPA provides this. We have not had a committee object to it.
  • Incident notification within 72 hours of confirmed breach. This is the GDPR floor and the committee already lives with it across every other vendor. The clause causes no friction.

The clause that risk committees flag, and that we have to negotiate around, is the audit-rights clause. Anthropic, like every hyperscaler, will not give a customer the right to walk into a data centre and inspect. They offer SOC 2 reports and ISO 27001 attestations instead. For a committee that has only ever bought SaaS from companies the size of Salesforce, that is fine. For a committee that came from on-prem regulated industries (banking, healthcare), it is not. In those cases we add a layer of our own logging and our own ISO-aligned process between the agent and the model, and the committee accepts that as compensating.

The default config we now ship

After running this audit on the last eight deployments, we standardised the config. We ship every Fable or Mythos agent with this baseline, then loosen it per client where the DPO signs off.

# abn-agent-baseline.yaml
provider: anthropic
model: fable-1.5-2026-05
data_handling:
  retention_days: 30           # Anthropic floor, documented
  training_opt_in: false       # commercial API default, asserted in writing
  region: eu-west              # explicit, even when default
  zdr_requested: false         # no longer available, do not pretend

redaction:
  pre_call:
    - pattern: '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'
      replace: '[email]'
    - pattern: '\b(?:\d[ -]*?){13,19}\b'
      replace: '[card]'
    - pattern: '\b\d{4}\s?[A-Z]{2}\b'      # NL postcode
      replace: '[postcode]'
  log_pre_redaction: false     # never log the raw payload

audit:
  store_prompts_locally: true
  local_retention_days: 14     # shorter than Anthropic's, by design
  hash_for_dsar_lookup: true   # so we can answer access requests
  redact_before_storing: true

Two notes on this file. First, the redaction layer runs on our side before the API call. That is the difference between "Anthropic stores PII for 30 days" and "Anthropic stores tokens that used to be PII for 30 days." The DPO cares about that distinction. Second, our own local audit log is intentionally shorter than Anthropic's retention. If we keep prompt hashes for fourteen days, we can answer a data-subject access request inside the GDPR one-month window without escalating to Anthropic. After fourteen days, the hashes are gone and we have no data to surrender.

The kickoff conversation that actually works

The audit checklist is the artefact. The conversation is the harder part. We open every Fable or Mythos kickoff with three sentences, delivered in this order.

  1. Prompts are retained by Anthropic for 30 days. This is a floor, not a negotiation.
  2. We strip the predictable PII before the prompt leaves your network, and we keep our own short-window audit log so you can answer access requests without involving Anthropic.
  3. Your DPIA needs a redraft, and we will pay for the legal review if the project goes forward.

That third sentence is what makes the rest of the meeting move. Most clients have a sunk-cost DPIA from a vendor that quoted them in 2025. If we own the cost of redoing it, the room shifts from defensive to constructive in about ninety seconds. The legal cost is small. The cost of a six-week stall is not.

The CISO discussion follows a similar pattern. We link out to the relevant EDPB guidance on AI systems and the Dutch DPA's page on AI and algorithms so the CISO can see we are reading from the same sources they are.

One thing to do this week

If you have a Fable or Mythos deployment live, open the agent's network logs and answer one question: in the last seven days, what is the longest unredacted string of PII that left your stack and reached Anthropic? If you can answer that in under five minutes, your logging is good. If you cannot, that is the audit task for next Monday.

When we wired up the customer-support agent for a Dutch logistics client last month, the answer was a full street address inside a forwarded email. We shipped the redaction layer above the same week and re-ran the audit. The DPO signed. The story repeats for almost every team we work with on AI agents, and the checklist above is the shortest path through it.
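As an added example (not the agency's own code, and not part of the original post), here is the redaction layer and local audit log that the baseline config above describes, together with the "longest unredacted PII string" check from this section, in Python. The three regexes are the YAML's own; the keyed hashing of the data-subject identifier under DSAR_KEY, the epoch-second timestamps, and the sample prompt and log lines are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
# The three pre_call rules from abn-agent-baseline.yaml above, applied in file order.
REDACTION_RULES = [
    (re.compile(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'), '[email]'),
    (re.compile(r'\b(?:\d[ -]*?){13,19}\b'), '[card]'),
    (re.compile(r'\b\d{4}\s?[A-Z]{2}\b'), '[postcode]'),  # NL postcode
]
LOCAL_RETENTION_S = 14 * 24 * 3600           # local_retention_days: 14
DSAR_KEY = b"placeholder-secret-from-vault"  # assumption: per-client secret, not in the YAML
# Constructed sample input: a forwarded support email and two outbound log lines.
SAMPLE_PROMPT = "Fwd from jan.jansen@example.nl: ship to Keizersgracht 1, 1015 CD Amsterdam, card 4111 1111 1111 1111."
SAMPLE_LOG = ["body='Hello [email], your [card] is active'", "body='Ship to 1015 CD, mail jan.jansen@example.nl'"]

def redact(prompt: str) -> tuple[str, list[str]]:
    """Strip predictable PII before the API call; return the text and the labels that fired."""
    hits = []
    for pattern, label in REDACTION_RULES:
        prompt, count = pattern.subn(label, prompt)
        if count:
            hits.append(label)
    return prompt, hits

def subject_hash(subject_id: str) -> str:
    # Keyed hash (hash_for_dsar_lookup): match a DSAR to entries without the log holding the identifier.
    return hmac.new(DSAR_KEY, subject_id.strip().lower().encode(), hashlib.sha256).hexdigest()

class LocalAuditLog:
    """Our-side trail: stores only redacted text (log_pre_redaction: false), expires after 14 days."""
    def __init__(self) -> None:
        self.entries: list[tuple[float, str, str]] = []  # (epoch seconds, subject_hash, redacted)

    def record(self, subject_id: str, raw_prompt: str, now: float) -> str:
        redacted, _ = redact(raw_prompt)
        self.entries.append((now, subject_hash(subject_id), redacted))
        return redacted  # this, not raw_prompt, is what goes to the API

    def purge(self, now: float) -> None:
        self.entries = [e for e in self.entries if now - e[0] < LOCAL_RETENTION_S]

    def dsar_lookup(self, subject_id: str, now: float) -> list[str]:
        self.purge(now)  # after 14 days there is simply nothing to surrender
        wanted = subject_hash(subject_id)
        return [text for _, h, text in self.entries if h == wanted]

def longest_pii_match(log_lines: list[str]) -> str:
    """The 'one thing to do this week' check: longest rule match still present in outbound logs."""
    found = [m.group(0) for line in log_lines for p, _ in REDACTION_RULES for m in p.finditer(line)]
    return max(found, key=len, default="")
```

Note that the street address in SAMPLE_PROMPT survives redaction, which is exactly the gap the logistics client hit: the rules cover predictable PII, and the log check is what tells you what else is getting through.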

Key takeaway

Anthropic's 30-day retention floor for Fable and Mythos turns 'no prompt data retained' into a contract lie. Redact before the call, log on your side, redraft the DPIA.

FAQ

Can we still get zero data retention with Fable or Mythos?

No. As of May 2026 Anthropic enforces a 30-day retention floor for both products. Enterprise contracts no longer include a zero-day option, regardless of plan size.

Does the 30-day retention mean Anthropic trains on our prompts?

No. Anthropic's commercial API terms state they do not train on commercial API data. The 30-day window is for abuse detection, safety classifier review, and incident response.

Do we still need a DPIA if the agent only touches internal data?

Yes, if the internal data includes employee personal data, which it almost always does. GDPR Article 35 requires a DPIA for any processing that presents a high risk.

What is the fastest way to satisfy a Dutch DPO on a Fable rollout?

Ship a redaction layer that runs before the API call, keep a short local audit log, and bring an updated DPIA to the meeting. That turns the 30-day floor into documented residual risk.
