Overview
The AmbiOS ecosystem provides AI-powered robotics as a service to automate repetitive tasks in ecommerce and retail supply chains, empowering people to handle more.
The platform provides on-premise robot runtime software to enable machines such as AmbiSort A-Series and B-Series to pick, analyze, sort, and pack any package or item using state-of-the-art artificial intelligence and robotic dexterity. Data collected from on-premise operations is transmitted securely to the Ambi Cloud for remote monitoring/support services, real-time analytics, and continuous learning updates to the robot AI, so your robot fleet continues to improve over time.
Ambi Robotics uses security tools to scan our internal environment, system, and services. We also engage professional security vendors to perform third-party penetration tests and audits of our environment on an annual basis, respectively, while internal system scans are performed quarterly. The AmbiOS service is hosted in multiple data centers to provide redundancy. The data centers are geographically distributed and highly redundant in themselves.
Access to Customer Data
A subset of Ambi Robotics’ Personnel has access to customer data as necessary to support the platform and provide the service. Individual access is granted based on individual role and job responsibilities. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis.
Secure Data Handling and Destruction
Our solution is hosted on one or more cloud-based Infrastructure-as-a-Service platforms. These cloud providers are responsible for the security of the underlying cloud infrastructure and Ambi Robotics takes the responsibility of securing workloads we deploy inside the cloud infrastructure. Cloud providers monitor and audit computing environments continuously, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Any device storing any data is subjected to data-at-rest encryption. The service makes use of code-level logic and permissions to segregate customer data.
Customer Responsibilities
As a user of the AmbiOS platform, customers should be proactive in recognizing the value and sensitivity of the information provided by the service as well as the need to safeguard such data appropriately. This document details Ambi Robotics’ customer responsibilities as they relate to use of the AmbiOS ecosystem. It is the responsibility of Ambi Robotics customers to familiarize themselves with the information and procedures set forth below and comply with them.
Safeguarding of Assets and Information
To safeguard information assets and policy enforcement capabilities available in the AmbiOS ecosystem, the customers’ IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their AmbiOS ecosystem account credentials. As with most cloud services, access to the AmbiOS ecosystem requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization subscribes to the AmbiOS service, it is the customer’s responsibility to manage which users should be given access to the service. Customers should also define when access should be removed. For example, removing access upon termination of employment or as part of departmental changes that result in change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Ambi Robotics AmbiOS service; users should not share authentication credentials.
Ambi Robotics’ AmbiOS service should be considered sensitive and confidential by users of the service. Users should follow information security best practices to ensure that access to their account credentials is appropriately limited, and the information and functionality provided by the AmbiOS service is protected from unauthorized use. AmbiOS users are responsible for maintaining the security and confidentiality of their user credentials (e.g., Login ID and Password), and are responsible for all activities and uses performed under their account credentials whether authorized by them or not. By establishing user credentials and accessing the platform, users of the Ambi Robotics AmbiOS service agree to comply with these requirements to safeguard assets and account information.
Service Termination
Ambi Robotics service can be terminated by contacting [email protected].
Password Management
The AmbiOS Ambi Access service is accessible via the Internet. As a result, great care must be exercised by AmbiOS users in protecting their subscription against unauthorized access and use of their credentials. By establishing user credentials and accessing the service, users agree to proactively protect the security and confidentiality of their user credentials and never share service account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their AmbiOS accounts. Any loss of control of passwords or user identifications could result in the loss or disclosure of confidential information and the responsible account owner(s) may be liable for the actions taken under their service account credentials whether they authorized the activity or not. Additionally, when establishing AmbiOS account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be easily guessable.
Reporting Operational Issues
All Ambi Robotics services are monitored 24/7 to meet our service commitments. All planned maintenance will be performed in accordance with Ambi Robotics’ maintenance plan, which is communicated to customers when they sign up for the service. If there is a need to perform emergency maintenance for a vulnerability or bug fix, we will notify customers prior to the work being performed. To get updates in real-time, customers can subscribe to email notifications. On the occasion that Ambi Robotics customers observe performance issues, problems or service outages, they can contact [email protected] or open a support ticket to report such issues.
Incidents and Breaches
By establishing AmbiOS account credentials or accessing its service, customers agree to notify Ambi Robotics immediately of any security incident, including any suspected or confirmed breach of security. Also, users of the service agree to log out or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion. Ambi Robotics customers should also notify Ambi Robotics immediately if they observe any activity or communications in other forums that may indicate that other Ambi Robotics customers have had their accounts compromised.
Compliance Issues
Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Ambi Robotics users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.
Vulnerability Management & Responsible Disclosure
Ambi Robotics encourages users to practice responsible disclosure by notifying Ambi Robotics of any potential or confirmed security vulnerabilities. Ambi Robotics is dedicated to providing secure services to clients, and will triage all security vulnerabilities that are reported.
If you believe you have discovered a security flaw in the AmbiOS or the underlying infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Ambi Robotics. Ambi Robotics will prioritize and fix security vulnerabilities in accordance with the risk that they pose.
We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not already known to us. When reporting the security vulnerability to our Security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission. Please provide the complete details necessary for reproducing the issue. We determine the risk of each vulnerability by assessing the ease of exploitation and business impact associated with the vulnerability.
Please note that the following are not eligible for bug bounties:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests
- Bruteforce oracle attacks against unauthenticated endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Issues that require unlikely user interaction by the victim
For information on security vulnerabilities in the AmbiOS Ecosystem, please submit an inquiry to [email protected].
Response
As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Ambi Robotics commits to:
- Acknowledge the receipt of the reported security vulnerability in a timely fashion
- Notify you when the vulnerability is remediated
- Extend our gratitude by providing a token of appreciation in supporting us to make our customers safer and more secure
Please report security issues to: [email protected]
Privacy Policy
You can view our Privacy Policy at https://www.ambirobotics.com/privacy-policy/. The Policy in effect at the time you use our website affects how we may use your information. Our business may change from time-to-time. As a result, at times it may be necessary to make changes to the Privacy Policy. We reserve the right to update or modify the Privacy Policy at any time. If we make material changes we will post the updated policy on our website with an updated Effective Date. Please review the policy periodically, and especially before you provide your data to us through the website or by registering for our service(s). Your continued use or access to the website and/or our services after any changes or revisions to the Privacy Policy shall indicate your agreement with the terms of the revised Privacy Policy.
Whistleblower Policy
You can view our Whistleblower Policy at https://ambirobotics.com/whistleblower-channel. Issues can be reported via https://whistleblower.ambirobotics.com/#/.
Data Retention
By default, we will retain your data indefinitely. You can ask to close your account by contacting us at [email protected] and we will delete your information upon request. We may, however, retain information, including personal information to the extent applicable, for an additional period as is required under applicable laws, for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes.
Changes to our Privacy Policy
The Privacy Policy in effect at the time you use the AmbiOS service governs how we may use your information. Our business may change from time-to-time. As a result, at times it may be necessary for Ambi Robotics to make changes to the Privacy Policy. Ambi Robotics reserves the right to update or modify the Privacy Policy at any time. If we make material changes we will post the updated policy on this page with an updated Effective Date. Please review our Privacy Policy periodically, and especially before providing your data to Ambi Robotics through our website or by registering for the AmbiOS service. Your continued use or access to the Ambi Robotics corporate website or the AmbiOS service after any changes or revisions to the Privacy Policy shall indicate your agreement with the terms of the revised Privacy Policy.
Changes to our Service Commitments
While rare, we may occasionally change our service terms. This includes, but is not limited to, our commitments regarding security, confidentiality, performance or availability. In the event that we intend to make such changes, we will notify the business contact for the organization at the email address we have within our customer database at least thirty (30) days prior to such changes taking effect.
Contacting Ambi Robotics
For general inquiries, please contact us at [email protected]