Thank you for your interest in Pandorabots. We provide an industry-leading web service for building, deploying, and hosting chatbots, i.e., conversational AI software applications. By accessing or using the Pandorabots Platform, you are agreeing to the Terms of Service and other Policies outlined below.
The Enterprise Tier is governed by a separately negotiated Enterprise Cloud Services Agreement, which supersedes these Terms (including heightened Privacy, Security, Service Levels, and other customizations).
Last Modified: January 9, 2018
Pandorabots, Inc. ("Pandorabots", "we", "our", or "us") provides an online software platform (the "Pandorabots Platform") that enables developers and other users to build, host, and deploy natural language conversational agents (“Chatbot(s)”) for devices and software applications.
These Terms of Service (these "Terms") include the legal terms that we require all developers and other users to accept and implement as a condition of accessing our web services located at https://www.pandorabots.com/ and other websites owned and/or operated by Pandorabots, Inc. (the "Website(s)"), and/or accessing or using the application programming interfaces provided on or in connection with the Pandorabots Platform ("API(s)"), including any documentation, materials, code, data (such as Talklogs as defined below), files (such as AIML and Other Files as defined below) and other information or materials made available to you by Pandorabots on or in connection with the APIs (collectively, "Pandorabots Content") to develop Chatbots for use in your products or devices (“Devices”) and/or your software applications ("Application(s)").
The Pandorabots Platform includes a sandbox environment and developer portal designed to allow you to access, upload, download, edit, create, store, and interpret files and data in connection with building, hosting, and deploying your Chatbot(s). Files contained in each Chatbot may include files written in Artificial Intelligence Markup Language (“AIML Files”), and SETS, MAPS, SUBSTITUTIONS, and SYSTEM files (collectively, “Other Files”). For more information on AIML and Other Files, please see the online documentation . Data may include analytics and Talklogs, which may include “Inputs” to, and “Outputs” from, your Chatbot(s) (“Talklogs”). "Inputs" are typically text inputs, whether typed or converted from speech utterance or spoken phrase to text, by an individual sent from your Application to Pandorabots servers for processing; "Outputs" are the responses returned to your Application by the Pandorabots Platform.
PLEASE READ THESE TERMS CAREFULLY TO ENSURE THAT YOU UNDERSTAND EACH PROVISION. THESE TERMS CONTAIN A MANDATORY INDIVIDUAL ARBITRATION AND CLASS ACTION/JURY TRIAL WAIVER PROVISION THAT REQUIRES THE USE OF ARBITRATION ON AN INDIVIDUAL BASIS TO RESOLVE DISPUTES, RATHER THAN JURY TRIALS OR CLASS ACTIONS. Pandorabots reserves the right to make unilateral modifications to these terms and will provide notice of these changes as described below.
BY USING OR CONTINUING TO USE THE PANDORABOTS APIS OR BY CLICKING "Sign Up" YOU AGREE TO USE THE PANDORABOTS APIS AND OTHER PANDORABOTS CONTENT SOLELY IN ACCORDANCE WITH THESE TERMS OF SERVICE, AND YOU AGREE THAT YOU ARE BOUND BY AND ARE A PARTY TO THESE TERMS. YOU WARRANT THAT YOU ARE AT LEAST EIGHTEEN (18) YEARS OLD AND THAT YOU HAVE THE LEGAL CAPACITY TO AGREE TO AND BE BOUND BY THESE TERMS. IF YOU ACCESS OR USE THE PANDORABOTS APIS, OTHER PANDORABOTS CONTENT, OR THE PANDORABOTS PLATFORM ON BEHALF OF A COMPANY, PRINCIPAL OR OTHER ENTITY, YOU REPRESENT THAT YOU HAVE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND THAT THESE TERMS ARE FULLY BINDING UPON THEM. IN SUCH CASE, THE TERM "YOU" WILL REFER TO YOU AND SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS OF SERVICE, YOU MAY NOT ACCESS OR USE THE APIS OR OTHER PANDORABOTS CONTENT.
Information you provide to Pandorabots’ website(s)
We may collect and store personal information you provide to our Service when you register for an account or provide to us in some other manner, including your name, email address, phone number, user name and password, when you register for our Service, request a demo or contact us for information about our Service. If we provide forums, blogs or bulletins that allow for user-generated content, we may also collect and retain personal information that you provide in relation to such content. We may also collect any communications between you and Pandorabots, as well as any information you provide if you take part in any interactive features of the Service (e.g., games, contests, promotions, surveys, etc.).
Information we receive from social networking sites
When you interact with our site through various social media, such as when you login through Facebook, Twitter, Google, Github, or Yahoo, or interact with us on Facebook, Twitter, Medium, Youtube, Github, or other social media, we may receive information from the social network including your profile information, profile picture, gender, user name, user ID associated with your social media account, age range, language, country, friends list, and any other information you permit the social network to share with third parties. The data we receive is dependent upon your privacy settings with the social network. You should always review, and if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to our website or Service.
Other companies owned by or under common ownership as Pandorabots, which also includes our subsidiaries (i.e., any organization we own or control) or our ultimate holding company (i.e., any organization that owns or controls us) and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy;
Third party vendors, consultants and other service providers that perform services on our behalf, in order to carry out their work for us, which may include identifying and serving targeted advertisements, content or service fulfillment, billing, or providing analytics services;
Our business partners who offer a service to you jointly with us, for example, when running a co-sponsored contest or promotion;
Third parties at your request. For example, you may have the option to link your information on our Service with your friends via email or social media;
Other parties in connection with any company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company or third party or in the event of bankruptcy or related or similar proceedings; and
If you do not wish to receive promotional emails, you can click the “unsubscribe” button on promotional email communications. Note that you are not permitted to unsubscribe or opt-out of non-promotional messages regarding your account, such as account verification, billing confirmations, change or updates to features of the Service, or technical and security notices.
We may permit third party online advertising networks to collect information about your use of our website over time so that they may play or display ads that may be relevant to your interests on our Service as well as on other websites or apps. Typically, the information we share is provided through cookies or similar tracking technologies. The only way to completely “opt out” of the collection of any information through cookies or other tracking technology is to actively manage the settings on your browser or mobile device. Please refer to your browser’s or mobile device’s technical information for instructions on how to delete and disable cookies, and other tracking/recording tools. (To learn more about cookies, clear gifs/web beacons and related technologies, you may wish to visit
and/or the Network Advertising Initiative’s online resources, at
). Depending on your mobile device, you may not be able to control tracking technologies through settings.
We will retain your information for as long as your account is active or as needed to provide you services. Following termination or deactivation of your account, we may retain information for a commercially reasonable time for backup, archival, and/or audit purposes. Please contact us at email@example.com if you wish to delete your account. Please be aware that we will not be able to delete any content you have shared with others or with social media sites.
Pandorabots is GDPR compliant.
On May 25th, 2018, the EU General Data Protection Regulation (GDPR) went into effect. These new regulations harmonized data privacy laws across Europe and brought data protection rights for all members of the European Union.
Here at Pandorabts we completely support the privacy rights of our customers and our customers' users. Under GDPR guidelines, Pandorabots acts as a Data Processor. Listed below is how we are adhering to the GDPR specification.
To reflect new GDPR compliance Pandorabots now offers:
We have appointed a DPO that can be reached at firstname.lastname@example.org should you have any questions, right of access, right to erasure, DPA draft copy, or other requests.
Pandorabots is headquartered in the USA so any information you provide will be processed and stored in the USA unless otherwise specified (e.g., in a separate Enterprise Agreement provisioning AWS instances in the EU to prevent data transfer outside the EU). If you are in the European Union or European Economic Area, this may mean that your personal information will be stored ina jurisdiction that offers a level of protection that may, in certain instances, be less protective of your personal information than the jurisdiction that you are typically a resident in.
If we transfer information from the European Union to third parties outside the European Union and to countries not subject to schemes which are considered as providing an adequate data protection standard, we will either enter into contracts which are based on the EU Standard Contractual Clauses with these parties or transfer information under the scope of the EU/US Privacy Shield.
At Pandorabots the security of our platform, your data, and your customers’ data is critically important to us. We adhere to industry standard policies, outlined below. For any questions, concerns, or to report a vulnerability, please email us at email@example.com.
Pandorabots maintains a comprehensive Information Security Management Program run by the Information Security Officer (ISO), who reports directly to the CIO. Internal policies include:
All Pandorabots personnel undergo background checks, and privacy and security training with respect to these policies, including training on the OWASP Top 10 application security risks.
The NIST CyberSecurity Framework (NIST CSF), developed by the U.S National Institute of Standards and Technology, is used to guide and manage our cybersecurity-related risks.
Copies of all policies can be made available to select Enterprise Customers on written request.
Pandorabots hosts all of our production services on Amazon Web Services (AWS). The AWS data centers are equipped with multiple levels of physical access barriers, that include:
Please refer to Amazon’s AWS Security Whitepaper for more details. Pandorabots staff do not have physical access to AWS services, nor do we run our own production servers, DNS servers, data centers, network equipment, storage, databases, autoscalers, or load balancers.
The TLS certificates for our production servers are 2048 bit RSA, signed with SHA256. We use firewalls, security groups, and IP address whitelisting to limit access to servers and databases. We implement Distributed Denial of Service (DDoS) mitigation by conforming to AWS resilient reference architectures through the use of AWS Shield, Route53, auto scaling, and load balancers. We follow industry best practices by using strong cipher suites on our servers.
We run currently active LTS Ubuntu on all our servers and use a combination of automated and manual inspection to determine if new vulnerabilities are introduced in the software packages on our systems. We use AWS Inspector on a weekly scanning routine to automatically alert to new security vulnerabilities. Our platform team ingests these alerts and prioritizes remediation according to our internal Security Vulnerability Identification documentation.
Pandorabots maintains full control over its AWS infrastructure, and only authorized personnel have access to configure infrastructure for incident response or adding new functionality as needed, according to principles of least privilege.
Pandorabots undergoes regular penetration testing by independent third parties provided with an overview of the application architecture and system endpoints. Results are reported to the ISO and Pandorabots senior management, and used to set mitigation and remediation priorities. Select Enterprise Clients may be permitted contractually to access the results of routine penetration tests, or commission their own independent, additional third party tests.
Amazon Web Services undergoes third-party independent audits and can provide verification of compliance controls, including but not limited, to: ISO 270001, SOC 2, and PCI.
Pandorabots employs industry standard intrusion detection and prevention systems which alert us to any suspicious activity. All activity is closely monitored via AWS tools and Zabbix monitoring software. Any alerts are then investigated, escalated, and responded to accordingly.
Pandorabots uses properly-provisioned, redundant servers (i.e., multiple load balancers, web services, replica databases) to ensure appropriate failover and backup mechanisms are in place. Maintenance is conducted during the published routine window, and advance notice is provided for any planned non-routine maintenance. Enterprise Customers may contractually specify alternate routine maintenance windows optimized for their volumes and time zones, and can be provided uptime guarantees of +99.9% under a separate Service Level Agreement.
Pandorabots creates routine backups of our databases, and critical logs and files, enabling the easy and seamless restoration of the system in the event of data corruption or loss.
Pandorabots maintains a comprehensive Disaster Recovery Plan policy to ensure that any disruption or damage to critical IT services or equipment are recoverable to the right level and within the right timeframe to return to normal operations with a minimal business impact. Our Disaster Recovery Plan can be made available to Enterprise Customers upon written request.
Pandorabots provides a RESTful API that can only be accessed via HTTPS to prevent eavesdropping or man-in-the-middle attacks. API access requires an account specific user key. We also provide a public bot key to prevent exposure of user secrets when passed over the network (or viewed in a browser) and support domain whitelisting via the use of referrer filters.
Data from end-user chat platforms is sent to the Pandorabots Platform via TLS 1.2. Data is AES-256 encrypted at rest.
Pandorabots maintains intelligent network firewall rules at the infrastructure level that limit the surface for data extraction. We vet preferred partners and integrations to ensure they comply with necessary security regulations (GDPR, PCI, etc), before transferring data for processing.
Data in Pandorabots servers is automatically encrypted at rest using AWS EBS Encryption via our master encryption key stored in AWS Key Management Service. Volumes are encrypted in AWS using the industry-standard AES-256 algorithm. Pandorabots only sends data over TLS 1.2 or greater, and never downgrades connections to insecure TLS methods (SSLv3 or TLS 1.0).
Data may be retained after termination of service unless otherwise specified in an Enterprise Contract or GDPR request. If data is kept after termination of service for purposes of making platform improvements Pandorabots will scrub all personally identifiable information (PII) to the extent possible, including data like usernames, emails, phone numbers, etc.
The types of personally identifying information (PII) that Pandorabots receives is often dictated by third-parties beyond our control, including, for example: (a) what an end-user chooses to disclose to a bot during a conversation and (b) what a messaging or voice platform makes available about its end-users for purposes of providing or personalizing its services.
Pandorabots discourages and in some cases prohibits sending certain types of PII to our servers (which should be redacted by your application); however, Pandorabots can support the redaction or deletion of PII for Enterprise Customers upon request. Contact us to learn more.
Pandorabots supports Single Sign On via OAuth 2 and email login with industry standard password requirements. Additional SSO methods can be supported as required. Passwords are stored in our databases using a secure one-way salted hash. Account sign in attempts are rate limited to counter brute force password attacks. We log successful and unsuccessful login attempts in order to identify anomalous activity. We enforce HTTPS for our website pages.
Pandorabots practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull request reviews, continuous integration (CI), security scanning, and error tracking, decreases the likelihood of security issues and improves response times to security vulnerabilities. Internally, Pandorabots enforces at least one authorized reviewer for all code changes, and deployments to our production environment are gated under condition that all code is reviewed.
All payment and credit card information is processed by Braintree, a validated Level 1 PCI DSS compliant service provider. Pandorabots does not process or store any payment details.
Open-source is a core component of our company culture. We are extremely grateful to those who share our values and their code.