Cohere API vs Cohere via AWS Bedrock
The same dimension can grade differently depending on who serves the model. Every cell links to its source; grades are evidence grades, not endorsements.
| Dimension | Cohere API | Cohere via AWS Bedrock |
|---|---|---|
| SOC 2 Type II | ◐ Yes, sales-gated. Trust center states Cohere undergoes an annual SOC 2 Type II audit; obtaining the report requires a signed mutual NDA via the trust center. cohere.com/security also states the... | ● Yes, public. Platform-level (AWS). The SOC services-in-scope list is public; the SOC 2 Type II report itself is retrieved via AWS Artifact, a self-serve portal with click-through... |
| ISO 27001 | ● Yes, public. ISO/IEC 27001 (ISMS) certification listed on the trust center; certificate is requestable there without a stated NDA requirement. Cohere announced achieving ISO 27001 together... | ● Yes, public. Platform-level (AWS). AWS's ISO certification page lists Amazon Bedrock in scope for the ISO 27001:2022 family; certificates are also available via AWS Artifact. |
| ISO 42001 | ● Yes, public. ISO/IEC 42001 (AI management system) certification listed on the trust center alongside ISO 27001; AIMS certificate requestable there. One of the earlier model developers to... | ● Yes, public. Platform-level (AWS). AWS holds accredited ISO/IEC 42001:2023 certification; AWS announcements name Amazon Bedrock among the certified AI services (alongside Amazon Q Business,... |
| Trust center | ● Yes, public. Maintained trust center (trustcenter.cohere.com) listing SOC 2 Type II, ISO 27001, ISO 42001, UK Cyber Essentials, GDPR/CCPA/HIPAA posture, a public subprocessor list, pen-test... | ● Yes, public. Platform-level (AWS). AWS maintains a public compliance portal (compliance programs, services-in-scope matrix, FAQs) plus AWS Artifact for self-serve download of audit reports... |
| HIPAA BAA | ○ No public evidence. Documented negative for this offering: the trust center FAQ states Cohere "may execute a Business Associate Agreement (BAA) for custom model development engagements" but that... | ● Yes, public. Platform-level (AWS). Amazon Bedrock is on the AWS HIPAA Eligible Services list; customers must execute an AWS Business Associate Addendum before processing PHI... |
| GDPR DPA | ◔ Partial. Subprocessor list is public on the trust center (Google Cloud, FullStory, LaunchDarkly, New Relic, Retool, Sentry, Segment, SendGrid, Vercel - all USA). The DPA itself... | ● Yes, public. Platform-level (AWS). The AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically, including EC Standard Contractual Clauses; AWS publishes a... |
| No-training default | ◔ Partial. No commitment not to train by default on the SaaS API: Cohere states customers "can opt out from your prompts and generations being used to train Cohere models" via dashboard... | ● Yes, public. Platform-level commitment for this offering: Bedrock states customer content is not used to improve base models and is not shared with model providers (i.e., Cohere never sees... |
| Retention / ZDR | ◐ Yes, sales-gated. Retention is publicly documented: logged prompts and generations are automatically deleted after 30 days (exceptions for legal requirements and flagged misuse).... | ● Yes, public. Platform-level (AWS Bedrock). Retention is documented and a zero-data-retention mode ('none') is configurable at account or project level via API; under 'default' mode AWS may... |
| Residency | ◑ Yes, platform-only. No region pinning on the first-party hosted API: the trust center states all infrastructure is on Google Cloud Platform servers in US-Central with no servers outside the US.... | ● Yes, public. Platform-level (AWS Bedrock). Bedrock is a regional service; customers pick the region and content is encrypted and stored at rest in-region. Cohere models are available in EU... |
| GPAI Code | ● Yes, public. Cohere appears on the European Commission's GPAI Code of Practice signatory list as a full-code signatory (no chapter limitation, unlike xAI's Safety & Security-only... | ● Yes, public. Developer-level dimension (two-level rule): the GPAI Code of Practice is a model-provider obligation, so this cell describes Cohere, not AWS. Cohere is named on the European... |
| Art. 53 summary | ○ No public evidence. No public summary of training content using the EU Commission's mandatory Article 53(1)(d) template was found on cohere.com or docs.cohere.com as of 2026-07-05. Model... | ○ No public evidence. Developer-level dimension: Article 53(1)(d) applies to Cohere as the GPAI provider, not to AWS. No public summary of training content using the EC's mandatory template... |