GH GambleHub

Partner contracts and responsibilities

1) Partnership map in iGaming

Affiliates/Media: Traffic and Promo; CPA/RevShare/Hybrid models; strict advertising rules and RG.
White-label/Co-brand: brand/front end with the partner, platform/license with the owner; division of data and IP responsibilities.
Game/content providers: SDK, content rights, anti-cheat/anti-fraud integrations.
Payments/KYC/data: PSPs, A2A aggregators, KYC/AML; DPA/sanctions/export.
Technology integrators/API clients: API access, quotas, versioning/deprecation, Derived Data.
Sponsorship/influencers: IP/image rights, "morals clause", 18+ zoning.

2) Mandatory structure of the partnership agreement

1. Subject/scope: services/licenses, geo, channels, KPIs.
2. Term/stages: onboarding → pilot → prod; acceptance criteria.
3. Payment: model (CPA/RevShare/fix/mix), reporting, deductions.
4. IP and branding: ownership of existing/created, brand guide, prohibition of registration of similar TMs.
5. Data and privacy: roles (controller/processor), DPA/DSA, cross-border transfers, TTL, data subject rights.
6. Advertising/RG: 18+/"Play responsibly", short terms at the CTA, pre-clearance of creatives, ban on misleading claims.
7. Security: encryption, secret management, SSO/2FA, patch SLAs, incident reporting ≤72 h.
8. Sanctions/exports: screening of counterparties and prohibition of use in restricted jurisdictions.
9. SLA and service credits: uptime, RTO/RPO, P1-P3, MTTR, compensation.
10. Audit and evidence: right of checks, logs, CMP logs, storage of artifacts.
11. Warranties/Representations and Indemnities.
12. Limit of liability and carve-outs.
13. Subcontracting and assignment (flow-down obligations).
14. Change Control (SOW/Change Order).
15. Termination and transition period.
16. Dispute resolution (ADR/arbitration/court, applicable law).

3) Distribution of responsibilities (R&R model)

For content/advertising: the advertising partner is responsible for creatives complying with RG/18+ and short terms; the platform owner is responsible for the correctness of the offers on the landing page and for honouring the conditions.
For data and privacy: the Controller determines the purposes and legal bases; the Processor is responsible for security and for processing on instructions. Shadow copies are not allowed.
For payments/KYC: the PSP/KYC provider is responsible for technical correctness and regulatory compatibility; the Operator for AML/sanctions and deduction decisions.
For API: the API Provider is responsible for availability, documentation and deprecation; the Client for secure storage of keys, compliance with quotas and correct caching.

For IP/brand: the TM owner is responsible for the rights and the brand guide; the Partner for correct use without imitating the "official site".

4) Warranties, Representations, Indemnities

Warranties: authority, compliance with laws, absence of IP violations, absence of sanctions, right to provide services/licenses.
Representations: accuracy of reporting, origin of leads/traffic, absence of bot/fraud.
Indemnity: coverage of IP/privacy/advertising/RG/sanctions claims; "control of defense" by the beneficiary; exceptions for breach of obligations by the other party.

5) Limits and service credits

Limit of liability (cap): for example, 12 × average monthly payment; carve-outs: intent, IP, privacy, sanctions/AML, RG violations.
Service credits: for failure to meet the SLA (uptime, MTTR, TtW); escalation on recurrence.

6) Specifics by partnership type

6.1 Affiliates/Media

Short terms + 18+ on each medium, prohibition of "guaranteed income", prohibition of children's audiences.
The traffic source is transparent; sub-affiliates - only with written consent.
Sanctions: warning → withholding payments → termination (gradation S0-S4).

6.2 White-label / Co-brand

IP delimitation: brand/theme/UI templates remain with the owner; Partner receives a limited license.
Player data: controller/processor roles under the DPA; data export when negotiating.
"Morals clause": the right to pause/withdraw in case of reputational incidents.

6.3 Game Providers/SDKs

Content rights, reverse engineering prohibition, minimum SDK versions, audit right.
RNG/games certification - provider responsibility; compliance with local regulators - jointly.

6.4 Payments/KYC/Data

Sanctions/PEP lists, geo-blocks, AML decision log; liability for false positives/false negatives - by SLA.
Mandatory encryption, log trails and incident notifications.

6.5 Tech Integrators/API Clients

OAuth2/HMAC/mTLS, RPS/daily quotas, SemVer and EOL ≥ 9-12 months, Derived Data as defined in the contract.
Prohibition of benchmarking/scraping without consent; no caching of PII beyond the TTL.

7) Audit and evidence

Right to audit on notice (10-15 business days), review of creatives, API logs, CMP consents, AML decisions.
Register of evidence: versions of offers, screenshots, timecodes, pre-clearance tickets, SLA reports.

8) Termination and exit

For Cause: significant violations of RG/advertising/sanctions/security; failure to comply with SLA; fatal bot/fraud.
For Convenience: notification (30-90 days).
Transition period: data export, key revocation, deletions/confirmations, make-good for short deliveries, final reporting.

9) Risk Matrix (RAG)

| Risk | R (critical) | A (to be corrected) | G (control) |
|---|---|---|---|
| Advertising/RG | No 18+/short terms, mislead | Unreadable, not in all channels | Full coverage + pre-clearance |
| Data/DPA | No roles/agreements | Partial DPA/TTL | Full DPA, DPIA at high-risk |
| Sanctions/AML | No screening | One-time/irregular | Policy + quarterly rescreening |
| IP/Brand | No usage rules | Partial guide | Brand guide, banning clone domains |
| SLA/Security | No SLA/Patch Policy | Incomplete metrics | SLA + credits, MTTR and windows |
| Audit/Evidence | No right/registry | Partially | Audit right + log registers |

10) Checklists

Before signing

  • Subject/volume/geo/channels, KPIs.
  • IP: results/license ownership, brand guide.
  • DPA/DSA, data roles, cross-border, TTL.
  • RG/advertising: 18+, short terms, pre-clearance, prohibited practices.
  • Sanctions/export: screening, geo-blocks.
  • SLAs/credits, security, incident procedures.
  • Indemnity, limits and carve-outs.
  • Audit/evidence retention.
  • Change Control, termination, transition period.

During execution

  • Monthly SLA/KPI reports.
  • Crawl creatives and match them against the landing page.
  • API/CMP/AML decision logs are saved.
  • RG/brand partner training.

Exit

  • Export/delete data, revoke keys.
  • Finance/Credit Closure Act.
  • Post-mortem and template update.

11) Templates of contractual clauses (fragments)

A. Advertising and RG

💡 Partner posts 18+/21+, "Gamble responsibly" and short terms (wager, max bet, term, contribution/exclusions) in readable format next to the CTA. All materials are subject to prior approval. Promises of income and targeting minors are prohibited.

B. Data and DPA

💡 Parties define data processing roles (Controller/Processor). Processing is governed by the DPA/DSA, including security, sub-processors, cross-border transfers, and retention periods. PII caching outside of agreed purposes is not allowed.

C. Indemnity

💡 Each Party shall indemnify damages arising from third party claims related to infringement of IP rights, confidentiality, sanction regimes or advertising/RG requirements, subject to timely notification and being given control of the defense.

D. Limit of liability

💡 Total liability is limited to the amount of payments for the 12 months preceding the event, except for privacy violations, IP rights, intent/gross negligence and sanctions violations.

E. Sanctions/Export

💡 Parties confirm compliance with sanctions regimes and export controls; the use of services and the transfer of data to subjects under sanctions is prohibited.

F. API and security

💡 API access is via OAuth2/HMAC/mTLS; scraping, benchmarking without consent, and storage of keys outside protected storage are prohibited; quotas must be observed, and the EOL window is at least 9 months.

G. Morals Clause

💡 In case of reputational incidents/violations of RG/advertising, the Party has the right to suspend activations, demand the removal of materials and terminate the contract.

12) Recommended registries (YAML)

12.1 Register of partnerships

```yaml
partner_id: "PR-2025-044"
entity: "AffNet Media Ltd"
type: "affiliate"
geo: ["UA","PL","CA-ON"]
kpis: { cpa: 45, ftd_target: 600, cr_min: 2.5 }
rg_requirements: { age_mark: "18+", short_terms: true, preclearance: true }
privacy: { dpa_signed: true, role: "independent_controller" }
sanctions_screened_at: "2025-11-05"
sla: { reports_tat_hours: 24 }
audit_rights: true
owner: "Marketing Compliance"
status: "active"
```

12.2 Evidence register

```yaml
evidence_id: "EV-2025-119"
partner_id: "PR-2025-044"
artifacts:
  - "banner_set_v3_mobile.png"
  - "story_18plus_overlay.mp4"
  - "landing_terms_v21.html"
preclearance_ticket: "#PC-5812"
cmp_log_ref: "consentlogs/2025-11"
```
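
One way to turn the two registers into an automated control, shown as an added example that is not part of the original page: it scores each partner record against the RAG matrix in section 9 and cross-checks evidence entries against the partner's pre-clearance requirement. The function names, the `PR-EXAMPLE-002`/`EV-EXAMPLE-001` records and the 92-day reading of "quarterly" are assumptions, and the R/A/G mapping is a simplification of the matrix.

```python
from datetime import date

# Constructed sample records in parsed form, mirroring the two registers above.
PARTNERS = [
    {"partner_id": "PR-2025-044",
     "rg_requirements": {"age_mark": "18+", "short_terms": True, "preclearance": True},
     "privacy": {"dpa_signed": True, "role": "independent_controller"},
     "sanctions_screened_at": "2025-11-05", "audit_rights": True},
    {"partner_id": "PR-EXAMPLE-002",  # constructed record with gaps
     "rg_requirements": {"age_mark": "18+", "short_terms": False, "preclearance": True},
     "privacy": {"dpa_signed": False},
     "sanctions_screened_at": "2025-03-01", "audit_rights": True},
]
EVIDENCE = [
    {"evidence_id": "EV-2025-119", "partner_id": "PR-2025-044",
     "artifacts": ["landing_terms_v21.html"], "preclearance_ticket": "#PC-5812"},
    {"evidence_id": "EV-EXAMPLE-001", "partner_id": "PR-EXAMPLE-002",  # constructed
     "artifacts": ["banner.png"], "preclearance_ticket": ""},
]
RESCREEN_MAX_DAYS = 92  # assumption: "quarterly rescreening" read as <= 92 days

def partner_findings(p, today):
    """Return an R/A/G colour per risk area for one partner record."""
    rg = p.get("rg_requirements", {})
    rg_ok = [bool(rg.get("age_mark")), rg.get("short_terms") is True,
             rg.get("preclearance") is True]
    rag = {"advertising_rg": "G" if all(rg_ok) else ("A" if any(rg_ok) else "R")}
    rag["data_dpa"] = "G" if p.get("privacy", {}).get("dpa_signed") else "R"
    screened = p.get("sanctions_screened_at")
    if not screened:
        rag["sanctions"] = "R"  # never screened
    else:
        age = (today - date.fromisoformat(screened)).days
        # Stale or future-dated screening is amber: it exists but is not current.
        rag["sanctions"] = "G" if 0 <= age <= RESCREEN_MAX_DAYS else "A"
    rag["audit"] = "G" if p.get("audit_rights") else "R"
    return rag

def evidence_gaps(partners, evidence):
    """List evidence entries with an unknown partner or a missing ticket."""
    by_id = {p["partner_id"]: p for p in partners}
    gaps = []
    for e in evidence:
        p = by_id.get(e["partner_id"])
        if p is None:
            gaps.append((e["evidence_id"], "unknown partner_id"))
        elif p["rg_requirements"].get("preclearance") and not e.get("preclearance_ticket"):
            gaps.append((e["evidence_id"], "missing preclearance_ticket"))
    return gaps
```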

13) Playbooks (operating)

P-PAR-01: Violation of RG/advertising

Evidence capture (screenshot/timecode) → immediate removal → notification of the partner → adjustment of layouts → withholding of payments (if repeated: termination) → entry in the register.

P-PAR-02: Data Incident

Isolation/forensics → notifications ≤72 h → corrections/key rotation → report to partner/regulator → post-mortem.

P-PAR-03: SLA delinquency

Validation of metrics → service credits → remediation plan → recovery control → escalation on recurrence.

P-PAR-04: Sanction flag

Autopause → Rescreening → JUR → Withdrawal/Recovery → Notifications and Reporting.

14) KPIs and reporting

SLA Compliance %, Service Credits (per month).
Time-to-Takedown by Ad/Content.
DPA Coverage % and data incidents/quarter.
Sanctions Screening Coverage %.
Proportion of compliant creatives and pre-clearance time.
Traffic quality (bot/fraud rate, FTD validation).

15) Mini-FAQ

Who is responsible for short terms? The advertiser/affiliate in the creative, the operator on the landing page; the texts must match.
Is it possible to transfer leads to a sub-affiliate? Only with written consent and with all obligations passed on.
Who owns Derived Data? As set by the contract: usually the platform owner, when anonymized.
How long to keep EOL for API? 9-12 months with migration guide.

16) Conclusion

Partnership contracts are not only commerce, but also risk management: clearly separate roles for data and advertising, fix RG requirements and brand rules, introduce SLAs/credits and audit rights, issue indemnities and reasonable limits. Standardized registries, playbooks, and KPIs turn partnerships into a scalable and secure operation.
