Last month a managing partner at a Toronto law firm forwarded me a one-line note from her office manager: the team had started using Claude Cowork to tidy up case files, and was that a problem? She wasn’t asking about productivity. She was asking whether client confidentiality had just walked onto a desktop app nobody had approved.
I get a version of that question almost every week now. According to Statistics Canada, 12.2% of Canadian businesses used AI to produce goods or deliver services by the second quarter of 2025, double the 6.1% of a year earlier.
The tools arrived faster than the guardrails, and that gap is the whole reason I wrote this guide. My aim is to help you say yes to Claude Cowork without losing the thing that keeps regulated clients trusting you.
Mike Pearlstein, CISSP, MSc AI, is the founder of Fusion Computing, which has managed IT and security for Canadian SMBs across Toronto, Hamilton, and Metro Vancouver since 2012.
Key takeaways
- Claude Cowork is an agentic assistant that works inside your files and apps, so its risk profile differs from a chat window.
- Plan tier is the first control: only Team and Enterprise carry the “not trained on by default” commitment.
- Cowork stores its work locally, which puts it outside your audit logs and compliance exports. Plan supervision separately.
- Scope folder and connector access tightly before widening it. Over-broad access is the failure we flag most.
- Regulated firms in law, accounting, wealth, and healthcare need a written rule set before the first pilot, not after.
What Claude Cowork actually is, and how it differs from Claude chat
Claude Cowork is Anthropic’s agentic AI for knowledge work, built on the same engine as Claude Code and delivered inside the Claude desktop app for macOS and Windows. A chat window answers questions. Cowork completes tasks: it reads and writes local files, runs steps in an isolated virtual machine on your own computer, calls the connectors you approve, and can run on a schedule. It reached general availability on April 9, 2026.
That distinction matters more than it sounds. When your bookkeeper pastes a question into Claude chat, the model writes back text. When the same person opens Cowork and says “reconcile last month and flag anything odd,” Claude starts opening files, running calculations, and producing a finished spreadsheet. According to Anthropic’s release notes, that capability is live on both Mac and Windows and runs on every paid plan.
I tell clients to picture a sharp new hire who can touch every file you point them at and never asks twice. That framing gets owners thinking about access and supervision instead of features. It’s the same instinct we bring to any AI services engagement, and it’s why we usually start an AI rollout with a scoping conversation rather than a licence purchase.
Cowork also connects to the tools small businesses already run. Anthropic’s Claude for Small Business package ships prebuilt workflows and native links to QuickBooks, Microsoft 365, Google Workspace, HubSpot, and Docusign. That reach is the upside. It’s also exactly why scoping the access is step one, the same way we’d scope a custom business AI platform.
Why this matters for Canadian SMBs right now
AI adoption among Canadian businesses doubled in a single year, and the firms using it are measurably more productive. The pressure to adopt is real, but adoption is uneven by sector, and the slow movers are the regulated ones with the most to lose from a careless rollout. The window to set rules before staff set their own habits is closing.
The sector split is the part owners miss. Statistics Canada put AI use at 31.7% in professional, scientific, and technical services and 30.6% in finance and insurance, against 1.8% in transportation and warehousing. Roughly 14.5% more firms said they planned to adopt within a year. Your competitors and your own staff are already in the tools.
Ottawa is pushing the same way. The Business Development Bank of Canada launched a CA$500 million loan program in 2026 to get smaller firms off the AI sidelines. When financing shows up, adoption accelerates, and so does the shadow version of it where people use personal accounts on company data.
I see that shadow pattern constantly. Someone wires up Cowork on a personal plan because the firm hasn’t offered one, and now client work sits on an unmanaged account. Fusion Computing helps owners get ahead of that by setting the official, governed path before the unofficial one hardens. We treat it as part of the same AI strategy work we do across every industry we serve.
Book a free 30-minute call to scope your Claude Cowork rollout safely →
The first question to ask: where does your data actually go?
Cowork runs its steps in an isolated virtual machine on the user’s own computer, and it only touches the files, folders, and connectors the user grants. The reasoning still runs through Anthropic’s service, so local execution does not mean nothing leaves the building. The control that matters is scope: decide what Cowork can reach before you turn it loose.
Here’s where I slow clients down. Local execution is genuinely useful, because the drafts and working files stay on the machine instead of a third party’s servers. The prompts and the content Claude needs to reason over still travel to Anthropic, the way any cloud AI works. Both things are true at once, and a regulated firm has to plan for both.
Running locally is not the same as staying private. The model still reasons in the cloud, so the one control a firm fully owns is the scope of what the agent can open.
Mike Pearlstein, CISSP, Fusion Computing
So the practical question is never whether Cowork is safe. It’s what this install can actually open. If someone points it at a synced OneDrive root, the answer is the entire firm. If they point it at one project folder, the answer is one project. We size that access the way we’d size any permission in a cybersecurity review: least privilege first, widen only on evidence.
When I walk an owner through this, the lightbulb is usually the folder map. We list what lives where, mark what’s client or regulated data, and only then decide what a desktop agent should ever see. That ten-minute exercise prevents most of the incidents I get called about later.
Your plan tier is a compliance decision, not a billing one
Claude Cowork runs on Pro, Max, Team, and Enterprise plans. The line that matters for any firm touching client data is the training default: on Team and Enterprise plans your content is not used to train Anthropic’s models by default, and those plans add owner and admin controls that personal plans lack. For regulated work, the plan tier is the first thing to get right.
Here’s the side by side I show clients.
| Question | Pro and Max (personal) | Team and Enterprise (business) |
|---|---|---|
| Content used to train models by default? | Governed by personal privacy settings, not the business default | No, not by default |
| Central admin controls | None | Owner and admin controls for access and features |
| Audit logs | Not available | Available on Enterprise (metadata, not chat content) |
| Compliance API | Not available | Available on Enterprise |
| Right fit for | Personal productivity, non-client data | Any firm handling client or regulated data |
The first change we make for a regulated client piloting Cowork is almost always the plan tier. A law or accounting firm running client matters on a personal Max account is the risk I remediate before anything else. According to Anthropic’s privacy commitments, the “not trained on by default” promise lives on the business plans, which is exactly where regulated firms belong.
One catch is worth flagging: enabling Cowork is an organization-wide switch. Owners can toggle it off for everyone, but granular controls by user or role aren’t available yet. You can’t currently allow it for marketing and block it for the litigation team. We factor that into the rollout for firms that need a hard wall, and into the AI governance work we do for advisory practices.
The oversight gap nobody mentions: Cowork sits outside your audit logs
Cowork stores its conversation history locally on each user’s computer, and that data is not captured by audit logs, the Compliance API, or data exports. Team and Enterprise owners can stream Cowork events to a SIEM through OpenTelemetry for visibility into tool calls and file access, but Anthropic is explicit that this does not replace audit logging for compliance. The work happens where your central oversight cannot see it.
This is the part I haven’t seen any vendor blog explain, and it’s the single biggest reason a regulated firm should plan before it pilots. According to Anthropic’s guidance on using Cowork on Team and Enterprise plans, the local history “is not subject to Anthropic’s standard data retention policies and cannot be centrally managed or exported by admins.”
Think about what that breaks. A Law Society audit, a CIRO record-keeping request, a PHIPA access request, or a litigation hold all assume the firm can produce what happened. If a paralegal drafted a memo through Cowork, that session lives on a laptop, not in a place your compliance officer can search. The audit logs that are available on Enterprise capture metadata, not the content of the work.
Treat every folder a desktop AI agent can reach as already disclosed. Scope the access first, monitor what you can through OpenTelemetry, and write the supervision rule before the first pilot, because the platform will not keep that record for you.
Mike Pearlstein, CISSP, Fusion Computing
The fix isn’t to ban the tool. It’s to build the visibility yourself. For clients who need it, Fusion Computing wires Cowork’s OpenTelemetry stream into the same monitoring we run for managed detection and response, so security teams at least see tool calls and approvals even though the transcript stays local.
Get a CISSP-led review of which AI tools can reach your client data →
A secure-adoption framework we use with clients
A safe Cowork rollout for a Canadian SMB comes down to seven controls: pick a business plan, scope folder and connector access to least privilege, keep Claude in “ask before acting” mode for sensitive work, write an acceptable use policy, stream events to a SIEM through OpenTelemetry, keep a human approving consequential actions, and review Anthropic’s data handling against your regulator. Set these before the pilot.
Here’s the checklist we actually run. None of it is exotic, and most of it takes an afternoon.
- Choose Team or Enterprise. The training default and admin controls come with the business plans.
- Scope access tightly. Point Cowork at one working folder, not a synced drive root. Widen only when there’s a reason.
- Default to “ask before acting.” Reserve the faster “act without asking” mode for low-stakes, non-client folders. Claude always asks before deleting files.
- Write an acceptable use policy. Name what data is allowed in, who may run it, and what’s off limits. Our guide on what belongs in an AI acceptable use policy is the template I hand clients.
- Turn on OpenTelemetry monitoring. It’s the one visibility path you have into Cowork activity. Use it.
- Keep a human on consequential actions. Anything that sends, deletes, files, or pays gets a person in the loop.
- Check the vendor terms against your regulator. Map Anthropic’s data handling to PIPEDA, PHIPA, or your professional body before go-live.
I also reset one expectation in every kickoff. Cowork makes a team faster on the easy 30% of the work, the file cleanup, the first-draft memo, the reconciliation pass. AI triages, humans own. It doesn’t take accountability when something goes wrong, sign the compliance record, or own the client relationship.
The firms that treat it as a co-worker with a supervisor do well. The ones that treat it as a replacement for judgment are the ones I worry about. Fusion Computing builds the supervised version, often as an extension of a co-managed IT engagement.
What this looks like in your industry
The secure-adoption pattern is the same everywhere, but the sensitive data and the regulator change by vertical. A law firm guards privilege, a clinic guards health information under PHIPA, an advisor guards records under CIRO rules, and a manufacturer guards trade secrets. The control set stays constant; what you scope and supervise depends on what you hold.
We’ve published a vertical-by-vertical Cowork guide for each of these, each with the regulator and the workflows that fit. Pick yours:
- Law firms. Privilege and Law Society confidentiality. See Claude Cowork for law firms.
- Accounting firms. CPA confidentiality and QuickBooks workflows. See Claude Cowork for accounting firms.
- Wealth management. CIRO record-keeping and client PII. See Claude Cowork for wealth management.
- Healthcare clinics. PHIPA and personal health information. See Claude Cowork for healthcare clinics.
- Manufacturers. Trade secrets and supplier data. See Claude Cowork for manufacturers.
- Architecture and engineering. Project files and design IP. See Claude Cowork for A&E firms.
- Construction. Bid confidentiality and contracts. See Claude Cowork for construction firms.
- Transport and logistics. Customer contracts and rate data. See Claude Cowork for transport and logistics.
- Ontario municipalities. MFIPPA and public records. See Claude Cowork for municipalities.
- Non-profits. Donor data and grant reporting. See Claude Cowork for non-profits.
- Financial services. Client data and PIPEDA. See Claude Cowork for financial services.
Common mistakes Canadian SMBs make rolling out Cowork
Most Cowork problems trace to five mistakes: pointing it at too broad a folder, running client data on a personal plan, assuming local storage means nothing leaves, skipping a written policy, and letting it act without a human on sensitive steps. None of these are exotic, and all of them are cheap to prevent before the first task runs.
The “we’re too small for this to matter” reflex is the one I push back on hardest. A 12-person firm holds the same privileged files a 200-person firm does, and the regulator doesn’t scale its expectations to your headcount. If anything, the small shop is more exposed, because it rarely has a compliance officer watching. Compliance doesn’t skip you because you’re small.
The second trap is the over-broad folder, which I mentioned earlier because it’s genuinely the most frequent thing Fusion Computing flags in an AI readiness review. Staff point Cowork at an entire synced cloud drive instead of one project folder, and a single task can now read the whole firm. Scope it down and most of the risk evaporates.
Want an AI acceptable use policy your regulator will actually accept? →
The last one’s quiet but serious: assuming the audit log has you covered. It doesn’t, as the oversight section explained. If your supervision plan depends on reconstructing what an AI did, build that visibility on purpose. If you want a second set of eyes on your setup, talk to us, or read how we approach managed IT for regulated firms.
Claude Cowork is worth adopting, and the firms that set the rules this quarter will be the ones using it calmly a year from now while their competitors are still arguing about whether it’s allowed. Pick a business plan, scope the access, write the policy, and keep a human in the loop. That’s the whole game.
Fusion Computing helps Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver with managed IT, cybersecurity, and Microsoft 365.
Frequently Asked Questions
Is Claude Cowork safe for business data?
Claude Cowork can be safe for business data when it runs on a Team or Enterprise plan with access scoped to specific folders. The work runs locally in an isolated virtual machine, though prompts still reach Anthropic for reasoning. Safety depends on setup: limit what the agent can open, keep a human approving sensitive actions, and write a usage policy before staff begin.
What plan do I need for Claude Cowork?
Claude Cowork runs on the Pro, Max, Team, and Enterprise plans. For any firm handling client or regulated data, Team or Enterprise is the right choice. Those business plans do not use your content to train Anthropic’s models by default and add owner and admin controls. Personal Pro and Max plans follow individual privacy settings and lack central administration.
Does Anthropic train its models on Cowork data?
On Team and Enterprise plans, Anthropic does not use your content to train its models by default. Personal Pro and Max plans follow the individual privacy settings on the account, which differ from the business default. For a regulated firm, that difference is the main reason to standardise on a business plan before running any client work through Cowork.
Can my administrator see what Claude Cowork did?
Not through the usual tools. Cowork stores its conversation history locally on each user’s computer, and that activity is not captured by audit logs, the Compliance API, or data exports. Team and Enterprise owners can stream Cowork events to a SIEM through OpenTelemetry to see tool calls and file access, but Anthropic notes this does not replace audit logging for compliance.
Is Claude Cowork allowed under PHIPA, CIRO, or Law Society rules?
No regulator names Claude Cowork directly, so the answer depends on how a firm sets it up. PHIPA, CIRO record-keeping, and Law Society confidentiality duties all expect a firm to control and account for client information. Because Cowork sessions stay local and outside central audit logs, a regulated firm should scope access tightly, keep its own supervision record, and document the controls before use.
How is Claude Cowork different from ChatGPT agents for business?
Claude Cowork and the agentic features in other assistants share a goal: complete multi-step tasks rather than answer single questions. Cowork runs on the same engine as Claude Code, works inside local files on macOS and Windows, and keeps its session history on the user’s machine. The practical differences for a business are the data-handling defaults, the admin controls, and where each tool stores its activity.
Does Claude Cowork work on Windows or only Mac?
Claude Cowork works on both macOS and Windows through the Claude desktop app, and it reached general availability on both on April 9, 2026. It is not available on the web or on mobile. Some capabilities, such as computer use, arrived first as research previews on Pro and Max, so confirm the current feature list for your platform inside the app.
Not Sure Where Your IT Stands?
Tell us about your setup and biggest IT headache. We’ll let you know if we’re a fit and what it would cost. No pressure, no strings.
