// Trust & Security Report
Panabee, LLC
AI content creation suite: AI image generator (art, headshots, logos, stock photos), AI photo editing tools (upscaling, background removal, object removal, colorization), AI writing tools, game asset creation, and API for enterprise integration.
Certifications held
0
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
source: hotpot.aiNo public evidence on vendor-domain pages. Third-party aggregator (Nudge Security) claims SOC 2 compliance, but Hotpot.ai's official privacy policy, terms of service, and API documentation contain no mention of SOC 2 certification or compliance audit reports.
source: hotpot.aiNo public evidence on vendor-domain pages. Third-party aggregator claims ISO 27001 compliance, but vendor's official documentation does not mention this certification.
source: hotpot.aiVendor's privacy policy states data is 'transferred to — and maintained on — computers located outside of your state, province, country' with processing in the United States. No GDPR-specific data protection mechanisms, DPA, or compliance guarantees are documented in official privacy policy or terms.
source: hotpot.aiNo public evidence on vendor-domain pages. Third-party aggregator claims HIPAA compliance, but vendor's official documentation contains no mention of HIPAA eligibility or BAA availability.
source: hotpot.aiNo public evidence on vendor-domain pages. Third-party aggregator claims PCI compliance, but vendor's official documentation does not mention PCI DSS certification.
source: hotpot.aiNo public evidence on vendor-domain pages. Third-party aggregator claims FedRAMP compliance, but vendor's official documentation contains no mention of FedRAMP authorization.
source: hotpot.aiNo public evidence on vendor-domain pages. Third-party aggregator claims CSA STAR Level 1 compliance, but vendor's official documentation does not mention CSA STAR certification.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (primary processing location stated in privacy policy)
Terms of Service explicitly state: 'We reserve the right to analyze and apply user data, design data, user graphics, interaction data, and other relevant data to improve the Services.' Users are prohibited from using Hotpot services to develop competing AI models. Privacy policy does not explicitly address whether user-generated images or content are used to train Hotpot's AI models, but the terms grant broad rights to 'analyze and apply' user data for service improvement.
// Security controls
Data Residency
Primary processing in United States. Privacy policy states data may be transferred internationally. No EU data residency or GDPR Safe Harbor equivalents documented.
hotpot.aiSelf-Hosted Option
Enterprises can deploy self-hosted containers for air-gapped architecture where 'company data never touches a vendor's system or is exposed to the outside world.'
hotpot.aiEncryption
Privacy policy states: 'No method of transmission over the Internet, or method of electronic storage is 100% secure' — no explicit encryption protocols (TLS, AES, etc.) documented.
hotpot.aiAuthentication
API requires Authorization HTTP header with valid API key. Self-hosted and SaaS options support SSO integration via Okta, Google, and Microsoft.
hotpot.aiImage Compliance Scanning
Hotpot scans images for child safety, flagging sexual or violent depictions.
hotpot.aiInfrastructure Partners
AWS, Oracle, NVIDIA, AWS Inferentia for cloud and ML infrastructure.
hotpot.ai// Products & data scope
data: User-provided text prompts, generated images, usage data for service improvement
Includes art generator, headshots, logos, stock photos, anime, backgrounds. Uses Stable Diffusion API backend.
data: User-uploaded images, editing operations, results
Upscale 10x+, background removal, object removal, colorization, restoration, face enhancement
data: User text input, generated content
Limited details available on writing product suite
data: Game design inputs, asset generation
DnD generator, game backgrounds, character generation
data: SaaS and self-hosted deployment options. API-level data handling depends on deployment model.
Supports SaaS API and self-hosted containers. Self-hosted offers air-gapped option for zero external data exposure.
// What to watch
- OVER-CLAIM ALERT: Third-party aggregator (Nudge Security) claims Hotpot.ai holds SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, FedRAMP, and CSA STAR Level 1 certifications. These claims are NOT supported by any official Hotpot.ai or Panabee LLC website pages, including privacy policy, terms of service, API documentation, or security pages. No dedicated trust center exists. This represents either outdated aggregator data or a significant identity/over-claim risk.
- NO TRUST CENTER: Hotpot.ai/Panabee LLC does not publish a dedicated security or trust center page, reducing transparency vs. enterprise-grade vendors.
- AI TRAINING AMBIGUITY: Terms of Service grant broad rights to 'analyze and apply user data' for service improvement, but do not explicitly disclose whether user-generated images or content are incorporated into model training data. No opt-out mechanism documented.
- DATA RESIDENCY CONCERN: Privacy policy explicitly allows data transfers outside user's country/state with primary processing in US. No GDPR Safe Harbor, adequacy decision, or Standard Contractual Clause mention.
- NO DPA: Privacy policy and terms do not reference Data Processing Agreements or provide mechanism for enterprises to execute a DPA for GDPR compliance.
- ENCRYPTION LACK OF DETAIL: Privacy policy uses boilerplate language ('no method is 100% secure') without documenting specific encryption standards (TLS version, AES-256, etc.).
// At a glance
Pricing model
Freemium with transaction-based purchasing (users can create content without account). Subscription plans available for power users.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Panabee, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
hotpot.ai