// Trust & Security Report
Cohere Inc.
Enterprise AI platform offering generative models (Command, Transcribe, North), retrieval models (Embed, Rerank), and workplace systems (North, Compass) for text, code, and speech tasks with options for private deployment, custom fine-tuning, and on-premises hosting.
Certifications held
6
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trustcenter.cohere.com“Cohere undergoes an annual SOC 2 Type II audit covering Service Organization Controls (Type II) Trust Services Principles.”
Verify on cohere.com“Cohere obtained ISO 27001 certification (cybersecurity standards) on June 27, 2025, demonstrating commitment to meet the highest global standards in cybersecurity.”
Verify on cohere.com“Cohere obtained ISO 42001 certification (responsible AI standards) on June 27, 2025, demonstrating commitment to the highest global standards in responsible AI.”
Verify on trustcenter.cohere.com“Cohere has designed its services with Privacy-by-Design in mind and has Data Processing Agreements with Standard Contractual Clauses. The company conducted a Transfer Impact Assessment addressing Schrems II ruling for EU data transfers.”
Verify on trustcenter.cohere.com“California Consumer Privacy Act compliance measures are in place.”
Verify on trustcenter.cohere.com“Cohere holds UK Cyber Essentials, a government-backed cybersecurity standard certification.”
> Show 6 unconfirmed / not-held certifications
source: cohere.comCohere may execute a Business Associate Agreement (BAA) for custom model development engagements only; the BAA does not cover Cohere's SaaS services. Organizations should not submit Protected Health Information through hosted products.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Canada, United States, United Kingdom. Standard Contractual Clauses used for GDPR-compliant transfers outside EU/EEA.
By default, Cohere collects and de-identifies content submitted for research and development. Enterprise customers can opt out of model training at any time through dashboard settings. Trial and research users' data may be used for model improvement. Enterprise customers should consult separate Enterprise Data Commitments and Data Processing Addendums for specific terms. Cohere provides a Model Training Privacy Notice for detailed information.
// Security controls
Encryption in transit
Supported; verified through continuous monitoring by Secureframe
trustcenter.cohere.comData control & deletion
On SaaS platform, prompts and generations are automatically deleted after 30 days unless legal requirements or flagged misuse require longer retention; enterprise customers can opt out of model training.
cohere.comDeployment options
VPC (Virtual Private Cloud), on-premises, third-party cloud deployment (where Cohere receives no customer inputs), or managed Model Vault
cohere.comAnnual penetration testing
Cohere conducts annual third-party penetration testing and simulated adversarial attacks
cohere.comTraining data lineage tracking
Cohere maintains training data lineage tracking to prevent poisoning
cohere.comContinuous monitoring
https://trustcenter.cohere.com/
// Products & data scope
data: Customer inputs and outputs. Can opt out of training use. 30-day auto-deletion on SaaS.
High-performance models for agentic, multimodal, multilingual AI. Supports 49 languages.
data: Audio inputs and transcription outputs. Subject to same data commitments as Command.
Speech-to-text model for audio transcription. Supports 14 languages.
data: Customer data within North platform. Deployable privately or in VPC.
Enterprise-ready workplace productivity platform with customizable AI capabilities.
data: Customer business data and search queries. Deployable privately.
Intelligent search and discovery system for surfacing business insights.
data: Customer text embeddings for search/retrieval. Subject to standard data commitments.
Multimodal semantic search and retrieval tool. Built with customer data in customer environment.
data: Search ranking operations. Data subject to standard commitments.
Semantic boost for search relevance ranking.
data: Customer proprietary training data. Can include HIPAA data under BAA for custom models only.
Cohere develops custom models on behalf of enterprise customers. HIPAA BAA available for custom development, not SaaS.
// What to watch
- HIPAA scope is narrow: BAA available for custom model development only, not for SaaS services. Healthcare users should NOT submit PHI to hosted products without custom engagement.
- ISO 42001 certification (June 2025) is excellent but relatively recent—verify current status for future assessments.
- Data residency flexible but requires explicit deployment choice; default SaaS may process data across Canada/US/UK.
- No evidence of CSA STAR, FedRAMP, PCI DSS, or ISO 27017/27018—appropriate for general AI use but may limit some verticals (financial, healthcare, government).
- Model training opt-out available for enterprise but is an opt-out (not default privacy), and applies to enterprise only—trial/research users default to permissive training.
// At a glance
Pricing model
SaaS subscriptions with pay-as-you-go API pricing; enterprise custom pricing available
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cohere Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.cohere.com