AI Provider Trust Registry · evidence verified as of 2026-07-05

Cohere API

developer: Cohere · platform: Cohere (first-party) · category: first party

Cohere's first-party SaaS API platform serving the Command model family (plus Embed/Rerank), hosted on Google Cloud in the US. Cohere holds SOC 2 Type II, ISO 27001 and ISO 42001, and signed the EU GPAI Code of Practice; training on API data is opt-out rather than off by default, and the hosted API offers no EU residency or HIPAA BAA coverage.

Watch-outs 7

The cells where this offering is not a clean public yes. This is what to check before you sign.

Vendor trust

SOC 2 Type II: Is a SOC 2 Type II report available for this offering?
Yes, sales-gated · confidence: high · verified 2026-07-05

Trust center states Cohere undergoes an annual SOC 2 Type II audit; obtaining the report requires a signed mutual NDA via the trust center. cohere.com/security also states the API platform is SOC 2 Type II compliant.

tier: self_serve · route: trust_center_nda · audit_cadence: annual

source

ISO 27001: Is there an ISO/IEC 27001 certification covering this offering?
Yes, public · confidence: high · verified 2026-07-05

ISO/IEC 27001 (ISMS) certification listed on the trust center; certificate is requestable there without a stated NDA requirement. Cohere announced achieving ISO 27001 together with ISO 42001 in mid-2025 (company announcement used as lead only).

tier: self_serve · route: public

source

ISO 42001: Is there an ISO/IEC 42001 (AI management system) certification?
Yes, public · confidence: high · verified 2026-07-05

ISO/IEC 42001 (AI management system) certification listed on the trust center alongside ISO 27001; AIMS certificate requestable there. One of the earlier model developers to hold 42001.

tier: self_serve · route: public

source

Trust center: Is there a maintained trust center / compliance portal?
Yes, public · confidence: high · verified 2026-07-05

Maintained trust center (trustcenter.cohere.com) listing SOC 2 Type II, ISO 27001, ISO 42001, UK Cyber Essentials, GDPR/CCPA/HIPAA posture, a public subprocessor list, pen-test reports, and NDA-gated document requests (SOC 2 report, DPA).

tier: self_serve · route: public

source

Data handling

HIPAA BAA: Will they sign a HIPAA Business Associate Agreement covering this offering?
No public evidence · confidence: high · verified 2026-07-05

Documented negative for this offering: the trust center FAQ states Cohere "may execute a Business Associate Agreement (BAA) for custom model development engagements" but that the BAA "does not cover Cohere hosted products and applications such as Cohere's SaaS services" - i.e. no BAA for the hosted Cohere API. A Nov 2025 cohere.com blog announced BAA availability for healthcare custom-model work (lead only, not cited).

source · archived copy

GDPR DPA: Is there a public DPA with SCCs and a published subprocessor list?
Partial · confidence: high · verified 2026-07-05

Subprocessor list is public on the trust center (Google Cloud, FullStory, LaunchDarkly, New Relic, Retool, Sentry, Segment, SendGrid, Vercel - all USA). The DPA itself incorporates the 4 June 2021 SCCs and a post-Schrems II transfer impact assessment, but a copy requires a signed NDA (request via the trust center or by email), so the DPA is not public. Partial = published subprocessors + gated DPA.

tier: self_serve · route: trust_center_nda · sccs: 2021-06-04 EU Commission SCCs incorporated · subprocessors_public: True

source · archived copy

No-training default: Is there a public commitment not to train on customer API data by default?
Partial · confidence: medium · verified 2026-07-05

No commitment not to train by default on the SaaS API: Cohere states customers "can opt out from your prompts and generations being used to train Cohere models" via dashboard settings, i.e. training use is on unless the customer toggles it off (opt-out, not opt-in). Cohere says it filters/strips common personal information before any training use. For private/cloud-partner deployments Cohere receives no prompts or generations at all. Confidence medium because the default-on state is implied by the opt-out framing rather than stated as "default".

tier: self_serve · route: public · default: requires_config · opt_out_location: dashboard Settings > Data Controls

source · archived copy

Retention / ZDR: Is retention documented, and is zero-data-retention available?
Yes, sales-gated · confidence: high · verified 2026-07-05

Retention is publicly documented: logged prompts and generations are automatically deleted after 30 days (exceptions for legal requirements and flagged misuse). Zero-data-retention exists but is restricted - "we only allow ZDR for enterprise customers who can make additional commitments about their usage" - so ZDR is enterprise/sales-gated and not a self-serve configuration.

tier: enterprise_only · route: sales_contract · default: requires_approval · retention_days: 30

source · archived copy

Residency: Can data be pinned to a region (especially the EU)?
Yes, platform-only · confidence: medium · verified 2026-07-05

No region pinning on the first-party hosted API: the trust center states all infrastructure is on Google Cloud Platform servers in US-Central with no servers outside the US. Cohere's pitched "deployment flexibility" (EU or in-region residency) is achieved via private deployments or cloud-partner platforms (Bedrock, Azure, OCI, SageMaker), which are separate offerings - hence yes_platform_only.

geography: US-only (hosted API)

hosted_api_region: GCP US-Central

source

EU AI Act

GPAI Code: Is the model developer on the EC's GPAI Code of Practice signatory list?
Yes, public · confidence: high · verified 2026-07-05

Cohere appears on the European Commission's GPAI Code of Practice signatory list as a full-code signatory (no chapter limitation, unlike xAI's Safety & Security-only signature). Provider-level obligation of Cohere as model developer; first-party offering so developer = platform.

route: public · geography: EU

chapters: all

source · archived copy

Art. 53 summary: Has the model developer published the Art. 53 training-data summary?
No public evidence · confidence: medium · verified 2026-07-05

No public summary of training content using the EU Commission's mandatory Article 53(1)(d) template was found on cohere.com or docs.cohere.com as of 2026-07-05. Model documentation (e.g. the Command A+ page at docs.cohere.com/docs/command-a-plus) carries a general training-data description but does not reference the EU template or Article 53. Models placed on the EU market before 2025-08-02 have a transitional deadline of 2027-08-02, so absence is not necessarily non-compliance.

geography: EU

no public source
