June 29, 2026 · Poyan Karimi

Where Does Your Data Go? What Claude's Self-Hosted Sandboxes and MCP Tunnels Mean for Your Team

TL;DR

Anthropic just shipped two features for Claude Managed Agents that answer the question every cautious business asks before letting AI near its systems: where does our data actually go, and who controls the environment it runs in? Self-hosted sandboxes let Claude's AI agents do their work inside a computer environment you control — your own infrastructure or a provider you choose — instead of on Anthropic's servers. MCP tunnels let those agents safely reach your private internal systems — your database, your internal tools, your ticketing system — without you having to expose any of them to the public internet. Together they mean a company can put Claude to work on sensitive, internal data while keeping that data inside its own walls. Here's what each one is, why this matters even if you'll never touch the technical setup, and how to think about it for your team.

The Problem These Features Solve

The single biggest blocker to using AI on real business work isn't capability — it's “I'm not comfortable putting that data into someone else's system.”

If you've hesitated to let AI touch your most sensitive work — customer records, financial data, internal documents, anything covered by a contract or a regulation — you're not being paranoid. You're being responsible. The most useful AI tasks are usually the ones that involve your most sensitive data, and that's exactly the data you can't casually paste into a chat window or send to a third party.

This creates a frustrating gap. The work that would benefit most from automation is the work that's hardest to hand over, because handing it over has historically meant the data leaving your control. So teams end up using AI for the safe, low-value tasks and keeping the high-value, sensitive ones manual. That's backwards — and it's the gap these two features are built to close.

The short version: Anthropic separated the “thinking” part of an AI agent from the “touching your data” part. The thinking can stay on Anthropic's side. The touching-your-data part now moves into an environment you control. That one architectural change is what unlocks the work you've been holding back.

First, a Quick Reminder: What a Managed Agent Is

A Claude Managed Agent is an AI worker that runs a multi-step task on its own — not a chatbot you go back and forth with.

If you've been following along, you'll recognize this. A regular Claude chat is a conversation: you ask, it answers, you ask again. A Managed Agent is different — you give it a job, and it goes off and does it across many steps, using the tools you've connected, and reports back when it's done. It can run on a schedule, remember what it learned last time, and even delegate to other agents.

To do real work, an agent needs two things. First, a place to actually run — a small computer environment where it can open files, run calculations, and execute the steps of its task. That's the sandbox. Second, a way to reach your business systems — the data and tools it needs to be useful. That's where MCP comes in (more on that below). The two new features improve exactly these two things: where the agent runs, and how it reaches your systems. Both now stay under your control.

Self-Hosted Sandboxes, in Plain Language

A sandbox is the private workspace where an agent does its work. “Self-hosted” means that workspace now lives on infrastructure you control, not on Anthropic's.

Think of a sandbox as a sealed room where the agent goes to do messy work — pulling data into spreadsheets, running scripts, generating files, trying things and correcting itself. It's sealed so that whatever the agent does in there can't spill out and affect anything else. Every serious AI agent platform runs work in a sandbox for safety.

Until now, that sealed room sat on Anthropic's servers. For a lot of tasks, that's perfectly fine. But for sensitive work, it meant your files and data had to travel into Anthropic's environment for the agent to handle them. For some companies — in healthcare, finance, law, or anyone with strict contracts about where data can live — that was a dealbreaker.

Self-hosted sandboxes flip this. Now the sealed room runs inside your own environment — on your own infrastructure, or with a managed provider you choose (Anthropic names options like Cloudflare, Daytona, Modal, and Vercel that handle the technical heavy lifting for you). Your sensitive files, your software packages, and your internal services stay inside boundaries you set, under your security rules.

Here's the clever part of the design. The agent's “brain” — the part that plans the task, manages context, and recovers from errors — stays on Anthropic's infrastructure, where it's maintained and kept up to date. Only the “hands” — the actual touching of your files and data — move into your environment. You get Anthropic's smarts running the show, but your sensitive data never has to leave your house to get the work done.

MCP Tunnels: Letting Agents Reach Your Private Systems Safely

An MCP tunnel is a secure private pipe that lets a Claude agent use your internal systems as tools — without you exposing those systems to the open internet.

First, the “MCP” part. MCP (Model Context Protocol) is the standard way Claude connects to outside tools and data — the same plumbing behind every connector you've seen for things like QuickBooks, HubSpot, or Google Workspace. It's essentially a universal adapter that lets Claude talk to other software.

The catch is that a lot of the most valuable business systems aren't out on the public internet at all. Your internal customer database, a private API your developers built, an internal knowledge base, your ticketing system — these usually sit safely behind your company's firewall, locked away from the outside world on purpose. To let an AI agent use them, you'd traditionally have to open a door in that firewall, which is exactly the kind of thing that makes security teams break out in a cold sweat.

MCP tunnels solve this elegantly. Instead of you opening a door inward, you deploy a small, lightweight piece of software inside your network that makes a single secure connection outward to Claude. No inbound doors, no public web addresses for your internal systems, and the traffic is encrypted the whole way. Through that tunnel, your private database, internal APIs, and knowledge bases become tools the agent can use — while staying invisible and unreachable to everyone else on the internet.

The practical effect: the agent can finally work with the systems that actually run your business, not just the cloud apps that happen to have a public connector. And it does so without you weakening your security posture by an inch.
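To make the "one connection outward, no inbound doors" idea concrete, here is a small added illustration of the pattern; it is not Anthropic's MCP tunnel code, and the relay, connector, message format and the in-memory "ticket database" are all constructed for the demo. It runs on loopback and leaves out the encryption and authentication a real tunnel carries, so that the one thing it shows stands out: the inside-network connector never listens, it only dials out, and requests flow back down the connection it opened.

```python
import json
import socket
import threading

# Constructed stand-in for a private internal system (a tiny ticket database).
# Nothing here is Anthropic's code; the names and message format are assumptions.
INTERNAL_TICKETS = {"T-100": "open", "T-101": "closed"}


def handle_tool_request(request: dict) -> dict:
    """Serve one tool call locally: only the answer, never the system, leaves the network."""
    if request.get("tool") != "ticket_status":
        return {"error": "unknown tool"}
    ticket = request.get("ticket", "")
    return {"ticket": ticket, "status": INTERNAL_TICKETS.get(ticket, "not found")}


def run_connector(relay_host: str, relay_port: int) -> None:
    """Inside-network connector: dials OUT once and never calls bind()/listen().
    Requests arrive over the connection it opened; replies go back the same way."""
    with socket.create_connection((relay_host, relay_port)) as conn:
        reader = conn.makefile("r")
        request = json.loads(reader.readline())
        conn.sendall((json.dumps(handle_tool_request(request)) + "\n").encode())


def run_demo(request: dict) -> dict:
    """Stand-in for the outside (agent) side. It is the only party that listens;
    it waits for the connector to dial out, then pushes a request down that link."""
    relay = socket.socket()
    relay.bind(("127.0.0.1", 0))       # loopback, ephemeral port: the OUTSIDE endpoint
    relay.listen(1)
    port = relay.getsockname()[1]
    worker = threading.Thread(target=run_connector, args=("127.0.0.1", port))
    worker.start()
    conn, _ = relay.accept()           # accept() only ever happens on the outside end
    conn.sendall((json.dumps(request) + "\n").encode())
    reply = json.loads(conn.makefile("r").readline())
    conn.close()
    worker.join()
    relay.close()
    return reply


if __name__ == "__main__":
    print(run_demo({"tool": "ticket_status", "ticket": "T-100"}))
```

A firewall that allows only outbound connections from the connector's host is enough for this pattern to work, which is why no inbound rule or public address for the internal system is needed.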

Why This Matters Even If You'll Never Set It Up

You don't need to understand the plumbing to benefit. What matters is that “the data has to leave our control” is no longer a valid reason to keep AI away from your most valuable work.

Most of the people reading this will never personally configure a sandbox or deploy a tunnel — that's a job for whoever handles your IT or a partner who sets it up for you. But the implication is something every leader should absorb, because it removes the most common and most legitimate objection to deploying AI seriously.

For months, the honest answer to “can we use AI on our customer data / financial records / internal documents?” was often “not safely, because it would have to go to a third party.” That answer is now out of date. The architecture exists to keep that data inside your own walls while still putting Claude to work on it. The objection that kept your highest-value use cases on the shelf no longer holds.

This is also the difference between AI as a toy and AI as infrastructure. Toys run on public, low-stakes data. Infrastructure runs on the sensitive core of your business — under your control, inside your boundaries, meeting your compliance rules. These features are part of what moves Claude from the first category into the second for companies that need it.

What This Looks Like in Practice

Concrete examples of work that was previously off-limits and is now on the table.

  • A clinic automating patient paperwork. Patient data can't leave the clinic's controlled environment for regulatory reasons. With a self-hosted sandbox, a Claude agent can process intake forms, summarize records, and prep documents — all inside the clinic's own environment, with the data never crossing the boundary.
  • A finance team reconciling against an internal system. The company's core financial database lives behind the firewall and will never be put on the public internet. An MCP tunnel lets a Claude agent query it as a tool to flag discrepancies and draft month-end notes — without the database ever being exposed.
  • A support team drafting answers from a private knowledge base. The internal wiki and ticketing system are private by design. Through a tunnel, the agent can read both to draft accurate, context-aware replies — while those systems stay invisible to the outside world.
  • A law firm reviewing sensitive documents. Client files are subject to strict confidentiality. A self-hosted sandbox keeps the documents inside the firm's controlled environment while the agent summarizes, compares, and extracts key terms.

The pattern in all four: the AI does genuinely useful work on genuinely sensitive data, and the data never has to leave a boundary the company controls. That combination is the unlock.

How This Fits With Everything Else Claude's Agents Can Do

This isn't a standalone feature — it's the security and control layer underneath all the agent capabilities you've already heard about.

Claude's Managed Agents have been getting steadily more capable: they can remember what they learned in past sessions, review and improve their own work, run on a schedule without anyone pressing a button, delegate to teams of specialist agents, and securely log into your tools. Each of those answers a “what can it do?” question.

Self-hosted sandboxes and MCP tunnels answer a different and arguably more important question for a cautious business: “where does it run, and can I trust it with our real data?” They're the foundation that makes all the flashier capabilities safe to actually deploy on work that matters. An agent that can run on a schedule and improve itself is impressive — but you'll only point it at your most valuable, sensitive processes once you're confident the data stays under your control. That's what this layer provides.

Put simply: the earlier updates made the agents smarter and more autonomous. This one makes them deployable on the work you actually care about.

The Mistakes Teams Make Here

A few common misreadings that lead teams to either over-engineer or under-use this.

  • Assuming you need this for everything. Most everyday AI work — drafting, brainstorming, working with public or low-sensitivity material — is perfectly safe on the standard setup. Self-hosted sandboxes and tunnels are for the sensitive, internal-systems tier. Don't let “we should self-host” become an excuse to delay using AI for the 80% of work that doesn't need it.
  • Assuming it's a do-it-yourself weekend project. This is real infrastructure. For most companies with 20–200 people, the right move is to have someone who knows what they're doing set it up once, correctly, rather than improvising it internally.
  • Thinking “control” means “Anthropic is shut out entirely.” The agent's brain still runs on Anthropic's infrastructure — that's by design, and it's how you get the best behavior. What stays in your control is the sensitive data and the environment it's handled in. Understand the split so you set expectations accurately.
  • Waiting for “perfect” before doing anything. You don't have to solve your whole data-governance strategy before you start. Pick one sensitive, high-value process, set it up properly for that, and learn from it.

What Your Team Should Do This Week

Three steps to turn this from a headline into a decision.

1. Make a list of the work you've been holding back

Write down the tasks you've wanted to automate with AI but didn't, specifically because the data was too sensitive or lived in an internal system. That list is your roadmap — it's exactly the work these features are designed to unlock. If the list is long, you've been leaving a lot of value on the table.

2. Identify which systems hold that data

For each item, note where the data actually lives — an internal database, a private app, a cloud tool, a folder of files. This tells you whether you need a self-hosted sandbox (sensitive data and files), an MCP tunnel (a private internal system the agent needs to reach), or both. You don't need to solve it yet; you just need the map.

3. Get the right person in the room

Because this touches infrastructure and security, loop in whoever owns your IT and data decisions — or a partner who can set it up correctly. The goal of the conversation isn't to become experts overnight; it's to confirm that the thing blocking your highest-value AI use cases is now solvable, and to pick the first one to do properly.

FAQ

What's the difference between a self-hosted sandbox and an MCP tunnel?

A self-hosted sandbox is about where the agent runs — it moves the agent's working environment onto infrastructure you control, so sensitive files and data are handled inside your own boundaries. An MCP tunnel is about how the agent reaches your systems — it gives the agent a secure private pipe to your internal databases and tools without exposing them to the public internet. Many sensitive use cases use both together.

Does this mean our data never goes to Anthropic at all?

The sensitive data and the environment it's handled in stay under your control. What still runs on Anthropic's side is the agent's “brain” — the planning, context management, and error recovery. That split is intentional: you get Anthropic's best agent behavior while keeping your sensitive files and systems inside your own boundaries.

Do we need a technical team to use this?

To set it up, yes — this is genuine infrastructure, not a checkbox. But you can use managed providers that handle the hard parts, or have a partner set it up for you once. Most of your team will never touch the configuration; they'll just be able to use AI on work that was previously off-limits.

Is this only for big enterprises?

No. The need shows up at any size — a 30-person clinic, accounting firm, or law office can have data just as sensitive as a large company's. The deciding factor isn't headcount; it's whether you have valuable work involving data you're not comfortable sending to a third party. If you do, this is for you.

Are these features ready to use today?

Self-hosted sandboxes are available in public beta on the Claude Platform, and MCP tunnels are available as an earlier-stage preview you can request access to. “Beta” means it works and you can start, but you'll want someone competent to set it up rather than treating it as fully turnkey.

How is this different from just using a normal Claude connector?

A normal connector links Claude to a cloud service that's already reachable on the internet, like a SaaS app with a public API. An MCP tunnel is for systems that are deliberately not on the public internet — your internal database or private tools behind a firewall. The tunnel lets the agent use them as tools without you having to expose them. It's the same MCP standard, applied to your private systems.

What's the one thing I should take away?

That “the data has to leave our control” is no longer a reason to keep AI away from your most valuable work. The architecture now exists to keep sensitive data inside your own walls while still putting Claude to work on it — which means the high-value, sensitive tasks you've been holding back are finally on the table.

Want help figuring out which of your sensitive, high-value processes you can finally automate with Claude — and how to set it up safely? The Deployed Kickstart gets your team hands-on with Claude in a single day, mapped to your real workflows. The Partner program gives you ongoing support to roll it out across the business, including the secure, internal-systems use cases that matter most.