Cohere API
Cohere's first-party SaaS API platform serving the Command model family (plus Embed/Rerank), hosted on Google Cloud in the US. Cohere holds SOC 2 Type II, ISO 27001 and ISO 42001, and signed the EU GPAI Code of Practice; training on API data is opt-out rather than off by default, and the hosted API offers no EU residency or HIPAA BAA coverage.
Watch-outs (7)
The cells where this offering is not a clean public yes; check these before you sign.
- SOC 2 Type II: Yes, sales-gated - report access requires a signed mutual NDA.
- HIPAA BAA: No public evidence - the BAA only covers custom model development, not hosted SaaS services.
- GDPR DPA: Partial - the DPA requires an NDA; subprocessors are listed publicly.
- No-training default: Partial - training on API data is opt-out by default.
- Retention / ZDR: Yes, sales-gated - zero-data-retention is enterprise/sales-gated.
- Residency: Yes, platform-only - region pinning is only available via private deployments or cloud-partner platforms.
- Art. 53 summary: No public evidence - no Art. 53 training-data summary published on the EU Commission template.
SOC 2 Type II: The trust center states that Cohere undergoes an annual SOC 2 Type II audit; obtaining the report requires a signed mutual NDA via the trust center. cohere.com/security also states the API platform is SOC 2 Type II compliant.
tier: self_serve · route: trust_center_nda · audit_cadence: annual
ISO 27001: ISO/IEC 27001 (ISMS) certification is listed on the trust center; the certificate is requestable there with no stated NDA requirement. Cohere announced achieving ISO 27001 together with ISO 42001 in mid-2025 (company announcement used as lead only).
tier: self_serve · route: public
ISO 42001: ISO/IEC 42001 (AI management system) certification is listed on the trust center alongside ISO 27001; the AIMS certificate is requestable there. Cohere is one of the earlier model developers to hold 42001.
tier: self_serve · route: public
Trust center: Cohere maintains a trust center (trustcenter.cohere.com) listing SOC 2 Type II, ISO 27001, ISO 42001, UK Cyber Essentials, GDPR/CCPA/HIPAA posture, a public subprocessor list, pen-test reports, and NDA-gated document requests (SOC 2 report, DPA).
tier: self_serve · route: public
HIPAA BAA: Documented negative for this offering. The trust center FAQ states Cohere "may execute a Business Associate Agreement (BAA) for custom model development engagements" but that the BAA "does not cover Cohere hosted products and applications such as Cohere's SaaS services", i.e. there is no BAA for the hosted Cohere API. A Nov 2025 cohere.com blog announced BAA availability for healthcare custom-model work (lead only, not cited).
GDPR DPA: The subprocessor list is public on the trust center (Google Cloud, FullStory, LaunchDarkly, New Relic, Retool, Sentry, Segment, SendGrid, Vercel - all USA). The DPA itself incorporates the 4 June 2021 SCCs and a post-Schrems II transfer impact assessment, but a copy requires a signed NDA (request via the trust center / [email protected]), so the DPA is not public. Partial = published subprocessors + gated DPA.
tier: self_serve · route: trust_center_nda · sccs: 2021-06-04 EU Commission SCCs incorporated · subprocessors_public: True
No-training default: There is no commitment not to train by default on the SaaS API. Cohere states customers "can opt out from your prompts and generations being used to train Cohere models" via dashboard settings, i.e. training use is on unless the customer toggles it off (opt-out, not opt-in). Cohere says it filters/strips common personal information before any training use. For private/cloud-partner deployments Cohere receives no prompts or generations at all. Confidence is medium: the default-on state is implied by the opt-out framing rather than stated as a default.
tier: self_serve · route: public · default: requires_config · opt_out_location: dashboard Settings > Data Controls
Retention / ZDR: Retention is publicly documented: logged prompts and generations are automatically deleted after 30 days (exceptions for legal requirements and flagged misuse). Zero-data-retention exists but is restricted - "we only allow ZDR for enterprise customers who can make additional commitments about their usage" - so ZDR is enterprise/sales-gated and not a self-serve configuration.
tier: enterprise_only · route: sales_contract · default: requires_approval · retention_days: 30
Residency: There is no region pinning on the first-party hosted API: the trust center states all infrastructure is on Google Cloud Platform servers in US-Central with no servers outside the US. Cohere's pitched "deployment flexibility" (EU or in-region residency) is achieved via private deployments or cloud-partner platforms (Bedrock, Azure, OCI, SageMaker), which are separate offerings - hence the "Yes, platform-only" (yes_platform_only) status.
geography: US-only (hosted API) · hosted_api_region: GCP US-Central
GPAI Code of Practice: Cohere appears on the European Commission's GPAI Code of Practice signatory list as a full-code signatory (no chapter limitation, unlike xAI's Safety & Security-only signature). This is a provider-level obligation of Cohere as model developer; as a first-party offering, developer = platform.
route: public · geography: EU · chapters: all
Art. 53 summary: No public summary of training content using the EU Commission's mandatory Article 53(1)(d) template was found on cohere.com or docs.cohere.com as of 2026-07-05. Model documentation (e.g. the Command A+ page at docs.cohere.com/docs/command-a-plus) carries a general training-data description but does not reference the EU template or Article 53. Models placed on the EU market before 2025-08-02 have a transitional deadline of 2027-08-02, so absence is not necessarily non-compliance.
geography: EU
no public source
Spotted an error? Submit a correction with evidence; corrections backed by a primary source are folded in and credited in the changelog.