Onboarding new partners

1) Onboarding objectives and boundaries of responsibility

• Speed and predictability: from request to "first events" in a consistent window (SLA).
• Uniform standards: ontology, data contracts, canon of metrics.
• Security/privacy: Zero Trust, PII-minimization, RG-guardrails.
• Economics: transparent payment models (CPA/RevShare/Hybrid), invoicing and reconciliation.

2) Ontology and onboarding artifacts

Сущности: `partnerId`, `role` (operator/studio/affiliate/psp/kyc), `jurisdiction`, `trustTier`, `contractId`, `apiKeyId`, `webhookId`, `traceId`.

• Data Contracts (event diagrams, windows, owners);
• Protocol Pack (API/webhooks/EDA + security profile);
• Compliance Pack (KYP/KYB, DPIA/DPA, RG policies);
• Go-Live Checklist (technical/legal/financial contours);
• Scorecard (SLO/quality/reputation).

3) Legal and Compliance Package (KYP/KYB)

Registration documents, tax status, beneficiaries.
Traffic source policy (for affiliates): prohibition of brand-bidding, incent-model, cookie-stuffing.
Jurisdictions and brand guide: admissibility of content/advertising, speech formulas, disclaimers.
DPIA/DPA: PD processing objectives, retention periods, cross-border flows, data localization.
RG obligations: limits, warnings, self-exclusion, age filters.

4) Technical circuit: API, webhooks, EDA and tracing

API (REST/gRPC): versions '/vN ', cursor pagination,' Idempotency-Key ', machine-readable errors and' correlationId '.
Webhooks: JWS/HMAC signature, 'kid/timestamp', deduplication window ± 5 minutes, exponential backoff with jitter, replay register.
EDA (event bus): partitioning by 'partnerId/traceId', guarantees "exactly once" in business sense (idempotency).
Tracing: W3C 'traceparent'; cross-cutting correlation from click to FTD/deposit/rates/payouts.
SmartLink/Deep Link: Parameter Signature, TTL, Geo/Jurisdiction/Device Routing, and Payment SLO.

5) Canonical events and attribution

Минимальный набор: `click`, `session_start`, `registration`, `kyc_status`, `deposit`, `ftd`, `bet/spin`, `reward_granted`, `postback_received`, `fraud_signal`.
Attribution rule: last optional touch with windows by jurisdiction/channel; cross-device stitching - only through tokens (without raw PD).
Deduplication: unique 'eventId', body signature, hash storage, window ± 5 minutes.
History: cursor uploads for reconciliation, prohibition of offset pagination under load.

6) Security and privacy (Zero Trust)

S2S security: mTLS, short-lived tokens, egress-allow-list, key rotation/JWKS.
PII minimization: tokenization of 'playerId '/' visitId'; Detoxification only in safe zones.
RBAC/ABAC/ReBAC: "see only my own and agreed" access; SoD (who sees ≠ who changes the rules ≠ who manages the keys).
WORM audit: immutable logs of changes to rules, keys and calculation formulas.
Vendor-risk: checking build-pipeline, dependencies and vulnerabilities of the partner.

7) Payments & KYC: Profiles & SLO

APM-matrix: PSP priority by 'geo × device × scheme'; auto cut-over during CR/p95 degradation.
Float buffers and netting (for instant payments) - with limits and treasury rights.
KYC/AML levels: L0/L1/L2; fast-track for low-risk; manual verification of disputes; SLA stages.
Chargeback procedures: evidence base, windows, connection with attribution/fraud signals.

8) SLI/SLO and Reputation (Trust Tiers)

• Postback delivery ≥ 99. 9%, p95 ≤ 1-2 s; API p95 ≤ 150-300 ms; lag bus ≤ 200-500 ms.
• KYC pass-rate and average stage time - by jurisdictional profiles.
• Showcases/dashboards: freshness ≤ 1-5 s; p95 render ≤ 1. 5–2. 0 s; uptime ≥ 99. 9%.

Trust Tiers (T1-T4): Are automatically assigned by composite speed (SLO/ATTR/RG/SEC) and affect limits, RevShare rates and pilot access.

9) Economics and calculations

Payment models: CPA/RevShare/Hybrid/CPL; NET7/14/30 conditions; minimum payments; holds and klau-backs.

• `NetRev = GGR − BonusCost − Jackpot/PoolShare − PaymentFees − Chargebacks − Tax/Levy − FraudLosses`.
• Credits/penalties: auto-bonus/malus for SLO rejection, RG/sanctions → pause and recount.
• Reconciliation: signed summaries/oracles, cursor uploads, discrepancy reports, invoice statuses in the portal.

10) Sandbox and Conformance Tests

Sandbox keys and test webhooks; signature/idempotence validators; jitter retrai scenarios.
Load tests: target rps, simulation of PSP/KYC/bus spikes and degradations.
Compliance tests: RG-gardrails, localization of texts/disclaimers, jurisdictional filters.
Go/No-Go: checklists and war-room for the launch window, canary traffic (1%→5%→25%→100%) and auto-rollback.

11) Dashboards and scorecards

Partner panel: clicks/reg/FTD/deposits/CR/ARPU/LTV, postback statuses, transport SLO, dispute/hold cases, payment forecast.
Ecosystem Dashboard: Partner Contribution to NetRev, Reputation/Tier, "Time to Trace Package," RG Fouls, SLO Incidents, Limits Forecast.
Metrics catalog: uniform GGR/NetRev/CR formulas, owners and windows - "two truths" are prohibited.

12) Operational Processes and RACI

12. 1 RACI (example)

12. 2 War-room and incidents

P1/P2 matrix, stop buttons (traffic/offer/routes/payments), SLA for a trace packet of 60-90 s, RCA "no blame."

13) Anti-patterns

"Postback Zoo": different schemes/signatures/windows → doubles/holes and disputes.
Offset-pagination of history at peak → loss/duplicates (use cursors).
Retrai without jitter/limits → storm and double accruals.
"Many truths" according to the formulas GGR/NetRev/FTD/CR.
PII in BI showcases/exports and cross border without DPIA/DPA.
SPOF-gateway of redirects/assets/invoicing without N + 1/DR.
Experiments without guardrails (SLO/RG) and without auto-rollback.
Exceptions without TTL/audit are sticky overrides.

14) Checklists

14. 1 Pre-onboarding

• KYP/KYB and jurisdiction map; brand guide and source policy.
• DPIA/DPA, RG policies; metric/formula owners are assigned.
• Main offer/additional agreements (payments, NET, holds) signed.

14. 2 Integration

• API/webhooks/EDA: keys, signatures, idempotency, cursors.
• SmartLink/Deep Link: signatures, TTL, routing.
• Attribution: last optional touch, windows, dedup, cursor history.
• Security: mTLS/JWKS, tokenization, SoD, egress control.

14. 3 Sandbox/Go-Live

• Load/compliance tests; RG-gardrails; PoC Payments/LCC.
• Dashboards and alerts; SLO thresholds and auto-malus/bonus.
• Canary traffic, auto-rollback, war-room.

14. 4 Operation

• Weekly reconciliation and discrepancy reports.
• Scorecards and revision of Tier limits/rates.
• Key/certificate rotation; DR/xaoc-gateway exercises.

15) Maturity Roadmap

v1 (Foundation): basic KYP/KYB, Protocol Pack, sandbox, two-way payment models, manual reconciliation.
v2 (Integration): auto-conformance, canary releases, scorecards and auto-malus/SLO bonus, SmartLink routing.
v3 (Automation): predictive cut-over payments/CCL, ML-traffic quality assessment, Trust Tier limits/rates dynamics.
v4 (Networked Governance): federated onboarding between chains, shared pools/campaigns, DAO rules for metrics/rates.

16) Onboarding success metrics

Rate: TTM from application to first valid events; average sandbox duration; the proportion of onboarding in the target SLA.
Quality/risk: accuracy/timeliness of postbacks, tire lag, share of disputed <X%, MTTR incidents.
Compliance/RG: 0 PD leaks, compliance with localization, RG triggers/1k active.
Economics: uplift CR/FTD/ARPU/LTV, Cost-to-Serve per rps/txn/event, cache predictability,% auto-reconciliation.
Partnership: "time for a trace package," distribution by Trust Tiers (T3/T4 ↑).

Brief summary

Onboarding new partners is a standardization ritual: uniform data contracts and transport protocols, Zero Trust and tokenization, canonics of attribution and postbacks, predictable SLO/SLA and reputation, plus transparent economics and incident/invoice discipline. Following the described canon, the ecosystem connects partners quickly, safely and provably, scaling the network without increasing operational risks and controversies.