No Model Training on Customer Data Without Opt-In

What it is

Cohere states that it will not use the data you send through its platform (such as prompts and documents) to train its AI models unless you specifically agree to allow it.

Why it matters (compliance & governance perspective)

This provision directly addresses a common concern for enterprise customers deploying AI: whether proprietary business data submitted as prompts or documents could be incorporated into shared model training. The document states this requires explicit opt-in rather than an opt-out.

Consumer impact (what this means for users)

Enterprise customers can submit prompts, completions, and documents to Cohere's platform with the assurance, per this document, that such data will not be used to train Cohere's models unless the customer has expressly opted in. The practical protection depends on whether this commitment is enforceable under the executed service agreement.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 28 processor obligations, which require that a data processor act only on documented instructions from the controller. If enterprise customer data includes personal data, using it for model training without a documented legal basis and controller instruction would implicate GDPR obligations. The FTC Act's prohibition on unfair or deceptive practices is also relevant if commitments made on this page are not operationally implemented. Relevant enforcement authorities include EU data protection authorities, the UK ICO, and the FTC. (2) GOVERNANCE EXPOSURE: High. The commitment not to use customer data for model training without opt-in is a foundational assurance in enterprise AI procurement. If this commitment is not reflected in the executed master service agreement or data processing addendum, its enforceability is uncertain. Organizations with strict data governance policies should confirm this commitment is contractually binding. (3) JURISDICTION FLAGS: EU and EEA customers face heightened exposure because GDPR Article 28 requires that processing restrictions be documented in a binding data processing agreement, not merely disclosed on a commitments page. California enterprise customers should assess whether CCPA processor obligations align with this commitment. Regulated sectors (healthcare, financial services) should evaluate against sector-specific data handling requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that the no-training commitment is expressly included in the master service agreement or a separately executed data processing addendum. A commitments page that is not incorporated by reference into the contract may not constitute a binding obligation. Vendor risk assessments should document this confirmation. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit whether the opt-in mechanism for model training is clearly defined, documented, and auditable. Data mapping exercises should classify customer prompt and completion data and verify that processing is restricted to the stated permitted purposes. Any changes to this commitment should trigger contract amendment review and potentially customer notification obligations.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Customer Data Ownership medium
• Logical Data Isolation medium
• Data Residency Options high
• No Sharing of Customer Data with Third Parties for Commercial Purposes medium
• Data Deletion Rights medium
• Security Certifications and Compliance low

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.