// Trust & Security Report

    Panabee, LLC logo

    Panabee, LLC

    AI content creation suite: AI image generator (art, headshots, logos, stock photos), AI photo editing tools (upscaling, background removal, object removal, colorization), AI writing tools, game asset creation, and API for enterprise integration.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No public evidence on vendor-domain pages. Third-party aggregator (Nudge Security) claims SOC 2 compliance, but Hotpot.ai's official privacy policy, terms of service, and API documentation contain no mention of SOC 2 certification or compliance audit reports.

    source: hotpot.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence on vendor-domain pages. Third-party aggregator claims ISO 27001 compliance, but vendor's official documentation does not mention this certification.

    source: hotpot.ai
    GDPR
    NOT CONFIRMED

    Vendor's privacy policy states data is 'transferred to — and maintained on — computers located outside of your state, province, country' with processing in the United States. No GDPR-specific data protection mechanisms, DPA, or compliance guarantees are documented in official privacy policy or terms.

    source: hotpot.ai
    HIPAA
    NOT CONFIRMED

    No public evidence on vendor-domain pages. Third-party aggregator claims HIPAA compliance, but vendor's official documentation contains no mention of HIPAA eligibility or BAA availability.

    source: hotpot.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence on vendor-domain pages. Third-party aggregator claims PCI compliance, but vendor's official documentation does not mention PCI DSS certification.

    source: hotpot.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor-domain pages. Third-party aggregator claims FedRAMP compliance, but vendor's official documentation contains no mention of FedRAMP authorization.

    source: hotpot.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor-domain pages. Third-party aggregator claims CSA STAR Level 1 compliance, but vendor's official documentation does not mention CSA STAR certification.

    source: hotpot.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States (primary processing location stated in privacy policy)

    Terms of Service explicitly state: 'We reserve the right to analyze and apply user data, design data, user graphics, interaction data, and other relevant data to improve the Services.' Users are prohibited from using Hotpot services to develop competing AI models. Privacy policy does not explicitly address whether user-generated images or content are used to train Hotpot's AI models, but the terms grant broad rights to 'analyze and apply' user data for service improvement.

    // Security controls

    Data Residency

    Primary processing in United States. Privacy policy states data may be transferred internationally. No EU data residency or GDPR Safe Harbor equivalents documented.

    hotpot.ai

    Self-Hosted Option

    Enterprises can deploy self-hosted containers for air-gapped architecture where 'company data never touches a vendor's system or is exposed to the outside world.'

    hotpot.ai

    Encryption

    Privacy policy states: 'No method of transmission over the Internet, or method of electronic storage is 100% secure' — no explicit encryption protocols (TLS, AES, etc.) documented.

    hotpot.ai

    Authentication

    API requires Authorization HTTP header with valid API key. Self-hosted and SaaS options support SSO integration via Okta, Google, and Microsoft.

    hotpot.ai

    Image Compliance Scanning

    Hotpot scans images for child safety, flagging sexual or violent depictions.

    hotpot.ai

    Infrastructure Partners

    AWS, Oracle, NVIDIA, AWS Inferentia for cloud and ML infrastructure.

    hotpot.ai

    // Products & data scope

    AI Image GeneratorAI Image Generation

    data: User-provided text prompts, generated images, usage data for service improvement

    Includes art generator, headshots, logos, stock photos, anime, backgrounds. Uses Stable Diffusion API backend.

    AI Photo EditorAI Image Editing

    data: User-uploaded images, editing operations, results

    Upscale 10x+, background removal, object removal, colorization, restoration, face enhancement

    AI Writing ToolsAI Writing

    data: User text input, generated content

    Limited details available on writing product suite

    Game Asset CreatorGame Content

    data: Game design inputs, asset generation

    DnD generator, game backgrounds, character generation

    Hotpot APIEnterprise API

    data: SaaS and self-hosted deployment options. API-level data handling depends on deployment model.

    Supports SaaS API and self-hosted containers. Self-hosted offers air-gapped option for zero external data exposure.

    // What to watch

    • OVER-CLAIM ALERT: Third-party aggregator (Nudge Security) claims Hotpot.ai holds SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, FedRAMP, and CSA STAR Level 1 certifications. These claims are NOT supported by any official Hotpot.ai or Panabee LLC website pages, including privacy policy, terms of service, API documentation, or security pages. No dedicated trust center exists. This represents either outdated aggregator data or a significant identity/over-claim risk.
    • NO TRUST CENTER: Hotpot.ai/Panabee LLC does not publish a dedicated security or trust center page, reducing transparency vs. enterprise-grade vendors.
    • AI TRAINING AMBIGUITY: Terms of Service grant broad rights to 'analyze and apply user data' for service improvement, but do not explicitly disclose whether user-generated images or content are incorporated into model training data. No opt-out mechanism documented.
    • DATA RESIDENCY CONCERN: Privacy policy explicitly allows data transfers outside user's country/state with primary processing in US. No GDPR Safe Harbor, adequacy decision, or Standard Contractual Clause mention.
    • NO DPA: Privacy policy and terms do not reference Data Processing Agreements or provide mechanism for enterprises to execute a DPA for GDPR compliance.
    • ENCRYPTION LACK OF DETAIL: Privacy policy uses boilerplate language ('no method is 100% secure') without documenting specific encryption standards (TLS version, AES-256, etc.).

    // At a glance

    Pricing model

    Freemium with transaction-based purchasing (users can create content without account). Subscription plans available for power users.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Panabee, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    hotpot.ai

    > Browse all vendor trust reports