// Trust & Security Report

    Cohere Inc. logo

    Cohere Inc.

    Enterprise AI platform offering generative models (Command, Transcribe, North), retrieval models (Embed, Rerank), and workplace systems (North, Compass) for text, code, and speech tasks with options for private deployment, custom fine-tuning, and on-premises hosting.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Cohere undergoes an annual SOC 2 Type II audit covering Service Organization Controls (Type II) Trust Services Principles.

    Verify on trustcenter.cohere.com
    ISO 27001
    HELD

    Cohere obtained ISO 27001 certification (cybersecurity standards) on June 27, 2025, demonstrating commitment to meet the highest global standards in cybersecurity.

    Verify on cohere.com
    ISO 42001 (AI Management System)
    HELD

    Cohere obtained ISO 42001 certification (responsible AI standards) on June 27, 2025, demonstrating commitment to the highest global standards in responsible AI.

    Verify on cohere.com
    GDPR
    HELD

    Cohere has designed its services with Privacy-by-Design in mind and has Data Processing Agreements with Standard Contractual Clauses. The company conducted a Transfer Impact Assessment addressing Schrems II ruling for EU data transfers.

    Verify on trustcenter.cohere.com
    CCPA
    HELD

    California Consumer Privacy Act compliance measures are in place.

    Verify on trustcenter.cohere.com
    UK Cyber Essentials
    HELD

    Cohere holds UK Cyber Essentials, a government-backed cybersecurity standard certification.

    Verify on trustcenter.cohere.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA (Business Associate Agreement)
    NOT CONFIRMED

    Cohere may execute a Business Associate Agreement (BAA) for custom model development engagements only; the BAA does not cover Cohere's SaaS services. Organizations should not submit Protected Health Information through hosted products.

    source: cohere.com
    PCI DSS
    NOT CONFIRMED

    no public evidence of PCI DSS certification

    source: trustcenter.cohere.com
    ISO 27017
    NOT CONFIRMED

    no public evidence of ISO 27017 certification

    source: trustcenter.cohere.com
    ISO 27018
    NOT CONFIRMED

    no public evidence of ISO 27018 certification

    source: trustcenter.cohere.com
    FedRAMP
    NOT CONFIRMED

    no public evidence of FedRAMP certification

    source: trustcenter.cohere.com
    CSA STAR
    NOT CONFIRMED

    no public evidence of CSA STAR certification

    source: trustcenter.cohere.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Canada, United States, United Kingdom. Standard Contractual Clauses used for GDPR-compliant transfers outside EU/EEA.

    By default, Cohere collects and de-identifies content submitted for research and development. Enterprise customers can opt out of model training at any time through dashboard settings. Trial and research users' data may be used for model improvement. Enterprise customers should consult separate Enterprise Data Commitments and Data Processing Addendums for specific terms. Cohere provides a Model Training Privacy Notice for detailed information.

    // Security controls

    Encryption in transit

    Supported; verified through continuous monitoring by Secureframe

    trustcenter.cohere.com

    Data control & deletion

    On SaaS platform, prompts and generations are automatically deleted after 30 days unless legal requirements or flagged misuse require longer retention; enterprise customers can opt out of model training.

    cohere.com

    Deployment options

    VPC (Virtual Private Cloud), on-premises, third-party cloud deployment (where Cohere receives no customer inputs), or managed Model Vault

    cohere.com

    Annual penetration testing

    Cohere conducts annual third-party penetration testing and simulated adversarial attacks

    cohere.com

    Threat detection

    Advanced threat detection systems monitor for suspicious activity

    cohere.com

    Training data lineage tracking

    Cohere maintains training data lineage tracking to prevent poisoning

    cohere.com

    Bug bounty program

    Responsible vulnerability disclosure program in place

    cohere.com

    Continuous monitoring

    https://trustcenter.cohere.com/

    // Products & data scope

    CommandGenerative Models

    data: Customer inputs and outputs. Can opt out of training use. 30-day auto-deletion on SaaS.

    High-performance models for agentic, multimodal, multilingual AI. Supports 49 languages.

    TranscribeGenerative Models

    data: Audio inputs and transcription outputs. Subject to same data commitments as Command.

    Speech-to-text model for audio transcription. Supports 14 languages.

    NorthWorkplace Systems

    data: Customer data within North platform. Deployable privately or in VPC.

    Enterprise-ready workplace productivity platform with customizable AI capabilities.

    CompassWorkplace Systems

    data: Customer business data and search queries. Deployable privately.

    Intelligent search and discovery system for surfacing business insights.

    EmbedRetrieval Models

    data: Customer text embeddings for search/retrieval. Subject to standard data commitments.

    Multimodal semantic search and retrieval tool. Built with customer data in customer environment.

    RerankRetrieval Models

    data: Search ranking operations. Data subject to standard commitments.

    Semantic boost for search relevance ranking.

    Custom Model Development (Enterprise)Services

    data: Customer proprietary training data. Can include HIPAA data under BAA for custom models only.

    Cohere develops custom models on behalf of enterprise customers. HIPAA BAA available for custom development, not SaaS.

    // What to watch

    • HIPAA scope is narrow: BAA available for custom model development only, not for SaaS services. Healthcare users should NOT submit PHI to hosted products without custom engagement.
    • ISO 42001 certification (June 2025) is excellent but relatively recent—verify current status for future assessments.
    • Data residency flexible but requires explicit deployment choice; default SaaS may process data across Canada/US/UK.
    • No evidence of CSA STAR, FedRAMP, PCI DSS, or ISO 27017/27018—appropriate for general AI use but may limit some verticals (financial, healthcare, government).
    • Model training opt-out available for enterprise but is an opt-out (not default privacy), and applies to enterprise only—trial/research users default to permissive training.

    // At a glance

    Pricing model

    SaaS subscriptions with pay-as-you-go API pricing; enterprise custom pricing available

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Cohere Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.cohere.com

    > Browse all vendor trust reports