The document we hand to the security and procurement teams who actually have to sign.

Data handling. GDPR posture. Intellectual property. AI Act / ISO 42001 / NIST AI RMF alignment. Vendor risk. Insurance certificates. Named references. Read in 15 minutes by a senior security buyer who doesn't have time for marketing copy.

01 · Company essentials

Legal entity	Cohorte SAS
Country of registration	France
Registered office	Paris, France
Secondary office	Rabat, Morocco
Year founded	2024
Headcount	~6 (founder, coordinator, partnerships lead, mentor network)
Tax residency	France
Insurance status	Active. Certificates available within 24h of NDA signature.
Audited financials	Available under NDA

02 · Data handling posture

What we do, do not do, and refuse to do with client data.

Data extraction	Cohorte never extracts, copies, or transfers client production data to its own infrastructure. Period.
Data retention	Cohorte does not retain client production data. Any data shared during scoping is held only for the duration of the engagement and deleted at close.
Training on client data	Cohorte does not train, fine-tune, or otherwise use client data to improve any model, product, or course. Contractual term in every MSA.
Training environment	Training exercises use the client's own infrastructure, sample data we cannot retain, or public datasets. Default is the client's infrastructure.
Cross-client repurposing	No work product is repurposed across clients. Engagement IP is firewalled.
On-premise / on-site delivery	Supported. AI Readiness assessment and 2 of 4 Team Bootcamp sessions can be delivered inside your firewall.
AI tools used in delivery	Enterprise-tier AI tools (Anthropic, OpenAI, Google, Microsoft) under no-retain configuration. Stack documented per engagement.
Subprocessors	Documented per engagement. Standard MSA includes the list and right to object.

03 · GDPR & data residency

Controller / Processor	License: Processor for learner identification data. Training engagements: generally Joint Controller for operational data and Processor for sample data the customer shares.
Data residency · License	EU (Frankfurt) by default. UK or Switzerland on request.
Data residency · Bootcamp	EU (Paris / Frankfurt). Video transcoding routed via Mux, EU region.
Standard Contractual Clauses	Module 2 and Module 3 available where applicable.
DPA	Cohorte standard DPA available on request. We sign customer's DPA where reasonable.
Data subject rights	Within 30 days. Process documented in DPA.
Cross-border transfers	Minimised. Where present, SCCs in place; transfer logic documented per engagement.
Breach notification	Within 24 hours of confirmed breach.

04 · Intellectual property & work product

Who owns what, after the engagement closes.

Methodology (LUMEN, TrustGate)	Cohorte retains rights. Methodology is also publicly available; customers may apply it indefinitely without Cohorte's involvement.
Open-source reference stack	github.com/Cohorte-ai. Released under permissive licenses (MIT or Apache 2.0). Customers may fork, modify, deploy at will.
Curriculum content	Cohorte retains copyright. Customers receive a license to use within their organisation for the duration of the License or program.
Engagement deliverables	Customer owns the deliverables produced for their engagement.
Customer's internal IP	Customer's. Cohorte never claims ownership of customer's pre-existing or engagement-derived business IP.
Joint IP	By default, none is created. Where it would be, explicit agreement is signed before the work begins.
Right to reference	Cohorte does not name a customer publicly without written consent.

05 · Regulatory alignment

The frameworks the curriculum maps to, by section number. Not just by name.

EU AI Act	Article 9 (risk management), 10 (data governance), 12 (logging), 13 (transparency), 14 (human oversight), 15 (accuracy / robustness / cybersecurity), 17 (quality management). Mapping included as appendix to every Team Bootcamp and AI Readiness proposal.
ISO/IEC 42001	Clauses 4-10. Cohorte curriculum touches each. Independent ISO 42001 certification supported by the AI Readiness playbook.
NIST AI RMF	Govern · Map · Measure · Manage. Function-by-function mapping in the AI Readiness playbook.
SR 11-7 (US Fed)	Model risk management. Cohorte's verification curriculum is the technical layer underneath SR 11-7 §III independent-validation expectations.
PRA SS1/23 (UK)	Principles 1-4. Mapped in the FS vertical proposal.
DORA (EU)	ICT third-party risk management. DORA-aligned documentation provided where Cohorte is an ICT third party.
GDPR Article 22	Cohorte teaches how to design AI systems that respect Article 22, including the human-in-the-loop discipline that exempts an AI-assisted decision from Article 22 obligations.

06 · Security posture

SSO	Okta, Azure AD, Google Workspace SSO on Curriculum License platform.
MFA	Required for all Cohorte staff on internal systems.
Encryption in transit	TLS 1.2 minimum. TLS 1.3 default on all customer-facing platforms.
Encryption at rest	AES-256 on data stores used for Curriculum License platform.
Audit logs	Access, completion, exports on Curriculum License platform.
Penetration testing	Annual external pen test of customer-facing platforms (schedule starts Q4 2026). Reports available under NDA.
Vulnerability management	Continuous dependency monitoring. Patches: critical within 72h, high within 7 days, medium within 30 days.
Internal access controls	Principle of least privilege. Time-bounded, logged per engagement.
Background checks	Performed on all Cohorte staff and embedded mentors prior to first engagement.
Certifications	ISO 27001 alignment in progress (target audit 2027). SOC 2 readiness on the same roadmap.

07 · Insurance & liability

Coverage	Limit	Notes
Professional Indemnity	€2,000,000 aggregate	Active. Certificate within 24h. Higher limits negotiable.
Public Liability	€5,000,000 aggregate	Active. Covers on-site delivery.
Cyber Liability	€1,000,000 aggregate	Active. Data-breach response and notification costs.
Errors & Omissions	Included under PI	—
Liability cap (default MSA)	Annual fees in last 12 months	Standard market term. Negotiable per engagement.
Indemnification (IP)	Standard MSA term	Cohorte indemnifies against third-party IP claims based on Cohorte methodology or curriculum.

08 · References

The named people who will take a reference call. Each is reachable after the customer signs a mutual NDA. Reference calls scheduled within 5 business days. Cohorte does not redact behind "global top-50 European bank" copy.

PwC France & Maghreb

Patrick Monteiro, CIO

Sponsor of the PwC AI Factory (60+ AI systems, 4,000+ Copilot users, +80% adoption in 6 months). Reference call covers operating model, governance design, scale.

OPIT

Riccardo Ocleppo, CEO

Sponsor of the AI tutoring engagement (−60% professor support, +40% student progression). Reference call covers pedagogical impact, faculty adoption, institutional integration.

By sector

Additional, under NDA

Cohorte identifies a named reference per sector (FS, PS, HE) where the engagement context warrants it. List extended quarterly.

09 · Procurement checklist

What we send you, in what order, when you ask.

Artifact	Lead time	Notes
Insurance certificates	24 hours after NDA	Direct from broker on letterhead.
Audited financials	5 business days under NDA	Latest fiscal year.
Cohorte standard MSA	Immediate	Industry-standard. Customer redlines welcome.
Cohorte standard DPA	Immediate	GDPR-aligned. We sign customer's DPA where reasonable.
Vendor questionnaire	5 business days	SIG-Lite / CAIQ supported.
InfoSec policy summary	3 business days	Public summary plus controls map.
References	5 business days	Named contact, scheduled call.
Subprocessor list	Immediate	Per-engagement, MSA exhibit.
BCDR plan	5 business days	Customer-facing summary; full plan under additional NDA.

Talk to Charafeddine directly. No sales gate.

Procurement on the discovery call from week one. Insurance certs in 24h. SIG-Lite / CAIQ returned in 5 business days. We make the security review the fast part of the engagement.

Email Charafeddine

← Previous Pricing Back to → All catalogues