Cohere via AWS Bedrock
Cohere's Command and Embed model families served as third-party foundation models on Amazon Bedrock. Vendor-trust and data-handling dimensions reflect AWS Bedrock (the serving platform); EU AI Act dimensions reflect Cohere as the GPAI model developer.
Watch-outs 1
The cells where this offering is not a clean public yes. This is what to check before you sign.
- Art. 53 summary: No public evidence. Art. 53 summary not published for Cohere Command models.
Platform-level (AWS). The SOC services-in-scope list is public; the SOC 2 Type II report itself is retrieved via AWS Artifact, a self-serve portal with click-through confidentiality terms (no sales gate). Third-party model traffic on Bedrock runs inside AWS's audited boundary.
tier: self_serve · route: trust_center_nda ·
scope_note: Amazon Bedrock in scope for SOC 1, 2, and 3 (excludes Amazon Bedrock Marketplace)
Platform-level (AWS). AWS's ISO certification page lists Amazon Bedrock in scope for the ISO 27001:2022 family; certificates are also available via AWS Artifact.
tier: self_serve · route: public ·
standards: ['ISO/IEC 27001:2022', 'ISO/IEC 27017:2015', 'ISO/IEC 27018:2019', 'ISO/IEC 27701:2019'] · scope_note: Amazon Bedrock in scope (excludes Amazon Bedrock Marketplace)
Platform-level (AWS). AWS holds accredited ISO/IEC 42001:2023 certification; AWS announcements name Amazon Bedrock among the certified AI services (alongside Amazon Q Business, Textract, Transcribe), and AWS reports a clean first surveillance audit (Nov 2025). However, the public FAQ page does not enumerate in-scope services on-page; the service list is in the certificate, retrieved via AWS Artifact. Confidence is medium until the certificate scope is confirmed from Artifact.
tier: self_serve · route: trust_center_nda ·
certifier: Schellman Compliance, LLC (ANAB-accredited)
Platform-level (AWS). AWS maintains a public compliance portal (compliance programs, services-in-scope matrix, FAQs) plus AWS Artifact for self-serve download of audit reports and certificates. This grades the platform's portal, not Cohere's own trust center.
tier: self_serve · route: public ·
report_portal: https://aws.amazon.com/artifact/
Platform-level (AWS). Amazon Bedrock is on the AWS HIPAA Eligible Services list; customers must execute an AWS Business Associate Addendum before processing PHI (requires_config: the BAA must be accepted and workloads configured per AWS guidance; eligibility is not automatic protection). Covers Cohere model invocations as Bedrock traffic.
tier: self_serve · route: public · default: requires_config ·
baa_mechanism: AWS BAA accepted self-serve via AWS Artifact
Platform-level (AWS). The AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically, including EC Standard Contractual Clauses; AWS publishes a sub-processors page. No separate signature needed for the standard DPA.
tier: self_serve · route: public · default: enabled ·
sccs: EC SCCs (June 2021) incorporated into AWS Service Terms, apply automatically · subprocessor_list: https://aws.amazon.com/compliance/sub-processors/
Platform-level commitment for this offering: Bedrock states customer content is not used to improve base models and is not shared with model providers (i.e., Cohere never sees prompts/completions). Bedrock's Model Deployment Account design gives providers no access to inference infrastructure or logs. Bedrock's newer data-retention modes include a provider_data_share opt-in required by certain models; Cohere models are not listed among those requiring it, so the default behavior for Cohere models remains no provider sharing.
tier: self_serve · route: public · default: enabled ·
commitment: Inputs and model outputs are not shared with any model providers; content is not used to improve the base models
Platform-level (AWS Bedrock). Retention is documented and a zero-data-retention mode ('none') is configurable at account or project level via API; under 'default' mode AWS may retain data for abuse detection. requires_config: new accounts default to 'inherit' (model default), so ZDR must be explicitly set. Cohere models' allowed_modes are not publicly enumerated in the docs (only Anthropic examples are shown), so confidence is medium on Cohere-specific ZDR eligibility; Cohere models are not listed among models requiring provider_data_share.
tier: self_serve · route: public · default: requires_config ·
modes: ['default', 'provider_data_share', 'none', 'inherit'] · zdr_mode: data_retention_mode: none, no request/response data written to durable storage by AWS or shared with the model provider · enforcement: IAM/SCP condition key bedrock:DataRetentionMode can enforce ZDR org-wide
Platform-level (AWS Bedrock). Bedrock is a regional service: customers pick the region, and content is encrypted and stored at rest in-region. Cohere models are available in EU regions, but availability varies by model; verify the specific Command/Embed model's regions on the AWS 'models at a glance' page. Caveat: optional cross-region inference profiles process (and, where retention applies, store) data in other regions within the chosen geography; keep it disabled or EU-scoped for strict residency.
tier: self_serve · route: public · default: requires_config · geography: EU available
cohere_eu_example: Cohere Embed v4: on-demand in eu-west-1; EU cross-region inference profile spans eu-central-1/2, eu-north-1, eu-south-1/2, eu-west-1/2/3 · at_rest_commitment: Customer content processed by Amazon Bedrock is encrypted and stored at rest in the AWS Region where you are using Amazon Bedrock (Bedrock FAQ)
Developer-level dimension (two-level rule): the GPAI Code of Practice is a model-provider obligation, so this cell describes Cohere, not AWS. Cohere is named on the European Commission's signatory list for the GPAI Code of Practice with no chapter limitation. AWS/Amazon is separately a signatory, but for Cohere-on-Bedrock the relevant GPAI provider is Cohere.
route: public ·
chapters: full code (no chapter restriction noted for Cohere; xAI is the noted Safety & Security-only signatory)
Developer-level dimension: Article 53(1)(d) applies to Cohere as the GPAI provider, not to AWS. No public summary of training content using the EC's mandatory template (published 2025-07-24) was found for Cohere's Command models on cohere.com, docs.cohere.com, or via the EC. Cohere's model documentation (e.g., docs.cohere.com/docs/command-a-plus) contains a narrative training-data disclosure (public, proprietary, vendor, and synthetic sources), but it is not the EU template and does not reference Article 53. Models already on the market before 2025-08-02 benefit from the 2027-08-02 transitional deadline; newer models (post-Aug-2025 releases) should have one, which is worth a human re-check.
transitional_deadline: models placed on market before 2025-08-02 have until 2027-08-02 to publish
no public source