If you use Cohere's API to process personal data, a separate Data Processing Addendum applies that sets out additional privacy and data protection obligations.
This analysis describes what Cohere's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The DPA structure is the primary mechanism through which GDPR, CCPA, and other data protection obligations are operationalized in the agreement; enterprise customers processing personal data through the API must ensure the DPA is executed and that its terms are consistent with their privacy compliance obligations.
Interpretive note: The full terms of the DPA are not reproduced in this document; the adequacy of DPA protections for specific jurisdictional requirements depends on the DPA's current content at cohere.com/dpa.
The agreement states that a Data Processing Addendum applies when personal data is processed through the API; enterprise customers handling personal data of employees, customers, or other individuals must execute the DPA and ensure its terms satisfy applicable data protection law in their jurisdiction.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Cohere has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"To the extent that Customer's use of the Services involves the processing of personal data, the parties agree to enter into Cohere's Data Processing Addendum (DPA), which is available at cohere.com/dpa and incorporated into this Agreement by reference upon execution.— Excerpt from Cohere's Cohere SaaS Agreement
(1) REGULATORY LANDSCAPE: The DPA structure directly engages GDPR Articles 28 (processor requirements) and 46 (transfer mechanisms), CCPA's service provider contractual requirements, and equivalent data protection frameworks in other jurisdictions. The Information Commissioner's Office (UK), EU national supervisory authorities, and the California Privacy Protection Agency are relevant enforcement bodies. (2) GOVERNANCE EXPOSURE: High. Failure to execute the DPA before processing personal data through the API may constitute a GDPR violation, as Article 28 requires that controller-processor relationships be governed by a binding written agreement specifying the nature and purpose of processing. The DPA's terms on sub-processor use, data transfer mechanisms, and data subject rights support should be reviewed against organizational compliance requirements. (3) JURISDICTION FLAGS: EU and EEA customers face the highest exposure, as GDPR's Article 28 controller-processor agreement requirement is a hard legal obligation. UK customers post-Brexit must also ensure the DPA satisfies UK GDPR requirements. California customers should confirm the DPA qualifies as a service provider agreement under CCPA. (4) CONTRACT AND VENDOR IMPLICATIONS: The DPA at cohere.com/dpa should be reviewed as part of vendor due diligence before production deployment involving personal data. Key review areas include sub-processor lists, data transfer mechanisms (Standard Contractual Clauses, adequacy decisions), data subject rights response procedures, breach notification timelines, and data deletion obligations. (5) COMPLIANCE CONSIDERATIONS: Data protection officers should complete a DPA execution before any personal data is transmitted via the API, maintain a record of processing activities that includes Cohere as a processor, and review the DPA's sub-processor provisions against organizational requirements for sub-processor approval.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The DPA structure is the primary mechanism through which GDPR, CCPA, and other data protection obligations are operationalized in the agreement; enterprise customers processing personal data through the API must ensure the DPA is executed and that its terms are consistent with their privacy compliance obligations.
The agreement states that a Data Processing Addendum applies when personal data is processed through the API; enterprise customers handling personal data of employees, customers, or other individuals must execute the DPA and ensure its terms satisfy applicable data protection law in their jurisdiction.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cohere.