AI Provider Trust Registry evidence verified as of 2026-07-05

Registry / compare

Cohere API vs Cohere via AWS Bedrock

The same dimension can grade differently depending on who serves the model. Every cell links to its source; grades are evidence grades, not endorsements.

Dimension Cohere API Cohere via AWS Bedrock
SOC 2 Type II Yes, sales-gated Trust center states Cohere undergoes an annual SOC 2 Type II audit; obtaining the report requires a signed mutual NDA via the trust center. cohere.com/security also states the... Yes, public Platform-level (AWS). The SOC services-in-scope list is public; the SOC 2 Type II report itself is retrieved via AWS Artifact, a self-serve portal with click-through...
ISO 27001 Yes, public ISO/IEC 27001 (ISMS) certification listed on the trust center; certificate is requestable there without a stated NDA requirement. Cohere announced achieving ISO 27001 together... Yes, public Platform-level (AWS). AWS's ISO certification page lists Amazon Bedrock in scope for the ISO 27001:2022 family; certificates are also available via AWS Artifact.
ISO 42001 Yes, public ISO/IEC 42001 (AI management system) certification listed on the trust center alongside ISO 27001; AIMS certificate requestable there. One of the earlier model developers to... Yes, public Platform-level (AWS). AWS holds accredited ISO/IEC 42001:2023 certification; AWS announcements name Amazon Bedrock among the certified AI services (alongside Amazon Q Business,...
Trust center Yes, public Maintained trust center (trustcenter.cohere.com) listing SOC 2 Type II, ISO 27001, ISO 42001, UK Cyber Essentials, GDPR/CCPA/HIPAA posture, a public subprocessor list, pen-test... Yes, public Platform-level (AWS). AWS maintains a public compliance portal (compliance programs, services-in-scope matrix, FAQs) plus AWS Artifact for self-serve download of audit reports...
HIPAA BAA No public evidence Documented negative for this offering: the trust center FAQ states Cohere "may execute a Business Associate Agreement (BAA) for custom model development engagements" but that... Yes, public Platform-level (AWS). Amazon Bedrock is on the AWS HIPAA Eligible Services list; customers must execute an AWS Business Associate Addendum before processing PHI...
GDPR DPA Partial Subprocessor list is public on the trust center (Google Cloud, FullStory, LaunchDarkly, New Relic, Retool, Sentry, Segment, SendGrid, Vercel - all USA). The DPA itself... Yes, public Platform-level (AWS). The AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically, including EC Standard Contractual Clauses; AWS publishes a...
No-training default Partial No commitment not to train by default on the SaaS API: Cohere states customers "can opt out from your prompts and generations being used to train Cohere models" via dashboard... Yes, public Platform-level commitment for this offering: Bedrock states customer content is not used to improve base models and is not shared with model providers (i.e., Cohere never sees...
Retention / ZDR Yes, sales-gated Retention is publicly documented: logged prompts and generations are automatically deleted after 30 days (exceptions for legal requirements and flagged misuse).... Yes, public Platform-level (AWS Bedrock). Retention is documented and a zero-data- retention mode ('none') is configurable at account or project level via API; under 'default' mode AWS may...
Residency Yes, platform-only No region pinning on the first-party hosted API: the trust center states all infrastructure is on Google Cloud Platform servers in US-Central with no servers outside the US.... Yes, public Platform-level (AWS Bedrock). Bedrock is a regional service, customers pick the region and content is encrypted and stored at rest in-region. Cohere models are available in EU...
GPAI Code Yes, public Cohere appears on the European Commission's GPAI Code of Practice signatory list as a full-code signatory (no chapter limitation, unlike xAI's Safety & Security-only... Yes, public Developer-level dimension (two-level rule): the GPAI Code of Practice is a model-provider obligation, so this cell describes Cohere, not AWS. Cohere is named on the European...
Art. 53 summary No public evidence No public summary of training content using the EU Commission's mandatory Article 53(1)(d) template was found on cohere.com or docs.cohere.com as of 2026-07-05. Model... No public evidence Developer-level dimension: Article 53(1)(d) applies to Cohere as the GPAI provider, not to AWS. No public summary of training content using the EC's mandatory template...