GH GambleHub

License renewals and audits

1) Why it matters

A license is not a static document but an ongoing obligation to maintain RG/AML, security, data and reporting standards. Successful renewals and audits confirm that risk is manageable, that processes are mature, and that the operation is ready to scale.

Key principles: evidence-first, no-humans-in-prod, policy-as-code, traceability.


2) Types of renewals and audits

Renewal: by calendar (usually annually or once every N years) - submission of the form, fees and a package of evidence on controls.
Variations (changes): change of beneficiaries, addition of verticals, hosting locations, key persons - each requires separate approval.
Regulatory audit: review of policy/reporting, marketing/affiliates, RG/AML, incident logs.
Technical audit/laboratories: RNG/RTP, SDLC/releases, vulnerabilities/pentest, DR/BCP, hosting and logs.
Financial audit: GGR/taxes/reserves, correctness of bonus write-offs, registers of payments.
GDPR/DPA audit: DPIA, processing register, responses to data subjects, breaches/notifications.
PCI DSS (if working with PAN): segmentation, tokenization, access logs, ASV scans.


3) Renewal calendar: indicative scale

T-90...60 days - gap analysis, updating policies, booking laboratories/auditors.
T-60...30 - collection of artifacts (logs, SBOM, scan/penetration test reports, DR acts), Key Persons confirmation.
T-30...14 - final package, internal sampling of evidence, preparation of those responsible for the interview.
T-14...0 - submission of a renewal package, payment of fees, SLA windows for responses to the regulator.
T+0...+30 - Q&A/requests, remediations, renewal confirmation.

💡 Critical path: Key Persons → policies/procedures → technical evidence (SDLC/logs/DR) → laboratories/auditors → Q&A.

4) Evidence package: what to prepare in advance

Org/legal: ownership structure, SoF/SoW (if modified), CVs and references of Key Persons, delegation register.
Policies: current AML/CTF, RG, advertising/affiliates, data protection (DPIA), incidents, DR/BCP; journal of audits and trainings.

IT & Releases:
  • a log of releases with SBOM and artifact signatures;
  • SAST/SCA/DAST reports, remediation plan, no critical/high findings without active exceptions;
  • observability: SLO/SLI dashboards, synthetic "deposit/CCD/withdrawal" checks;
  • logging: structured logs without PII/PAN, retention and search;
  • DR/BCP: restore test reports, RTO/RPO, emergency exercise protocols.
RG/AML: intervention and outcome registry, self-exclusion (local/national), suspicious transaction reports (STR/SAR), sanctions/PEP log.
Marketing/affiliates: whitelists of channels, a sample of creatives with approvals, a log of violations and measures taken.
Finance/Tax: GGR reports by vertical, bonus/jackpot adjustments, PSP/bank reconciliations.
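The "structured logs without PII/PAN" item above is the one auditors sample most often, because a single raw card number in a log brings the whole logging platform into PCI scope. The block below is an added example of how such a control can be enforced at the logging layer; it is not GambleHub's code. It assumes log events are plain dicts or stdlib `logging` records, and treats any 13-19 digit run that passes the Luhn check as a PAN; the sample event is constructed, and the card number in it is the well-known test PAN.

```python
"""Structured-log PII/PAN redaction (added example, not the platform's own code)."""
import logging
import re
from typing import Any

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Email: keep the first character of the local part and the domain, mask the rest.
_EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps transaction ids that merely look like a PAN intact."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "****" + digits[-4:]        # last four only, as PCI DSS allows
    return match.group(0)                  # not a card number: leave untouched


def redact_text(text: str) -> str:
    text = _PAN_RE.sub(_mask_pan, text)
    return _EMAIL_RE.sub(r"\1***@\2", text)


def redact_record(event: Any) -> Any:
    """Recursively redact every string inside a structured log event."""
    if isinstance(event, str):
        return redact_text(event)
    if isinstance(event, dict):
        return {k: redact_record(v) for k, v in event.items()}
    if isinstance(event, (list, tuple)):
        return type(event)(redact_record(v) for v in event)
    return event


class RedactingFilter(logging.Filter):
    """Attach to a handler so the stdlib logger never emits a raw PAN or email."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_record(record.msg)
        if record.args:
            record.args = redact_record(record.args)
        return True


if __name__ == "__main__":
    # Constructed sample event: test PAN, fake email, and a 16-digit id that is not a card.
    event = {"msg": "deposit ok", "card": "4111 1111 1111 1111",
             "user_email": "john.doe@example.com", "txn": "1234567890123456"}
    print(redact_record(event))
    log = logging.getLogger("payments")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.warning("withdrawal blocked for card %s", "4111111111111111")
```

The Luhn check is what keeps the filter from mangling order and transaction ids of the same length; the evidence for the auditor is then the filter's position in the handler chain plus a sampled search of the log store for any surviving 16-digit Luhn-valid run.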

5) Format and traceability

Each policy ↔ controls ↔ evidence (screenshots, uploads, reports with hash and date).
Single "Evidence Map" index: control → where it is stored → owner → date of last update.
Package versioning (Git/repository) plus access control, so auditors can selectively view artifacts.


6) IT/Data Requirements (What's Most Watched)

SDLC/releases: staging pipelines, manual/auto quality gates, rollback policy, prohibition of direct changes in production.
Supply chain: artifact signatures, SBOM, admission control, vulnerability policy.
Secrets and access: SSO/MFA/PAM, short-lived tokens, privileged session logs.
Network: segmentation, WAF/bot management, DDoS protection, mTLS/egress control.
Observability: OTel traces, SLO dashboards, error-budget alerts, SRM check in experiments.
Data: DPIA, minimization, data by region (residency), PII/PAN access logs.
DR/BCP: backups, regular restore with protocols, switching exercises.
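The SDLC and supply-chain items above ("no critical/high without active exceptions", signatures, SBOM, admission control) are what "policy-as-code" from section 1 means in practice: the gate is a program, and its decisions are the evidence. The block below is an added example of such a gate, not GambleHub's pipeline. It assumes a release record that carries an SBOM reference, a signature verification result, scanner findings and the risk-exception register; every field name, finding id and date in it is constructed for illustration.

```python
"""Release admission gate as policy-as-code (added example, not the platform's own code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

BLOCKING_SEVERITIES = {"critical", "high"}   # "no critical/high without active exceptions"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    component: str


@dataclass(frozen=True)
class RiskException:
    finding_id: str
    expires: date          # past this date the exception no longer counts
    approved_by: str


@dataclass
class ReleaseRecord:
    service: str
    version: str
    sbom_path: str | None              # None means no SBOM attached
    signature_verified: bool           # result of the artifact signature check
    findings: list[Finding] = field(default_factory=list)
    exceptions: list[RiskException] = field(default_factory=list)


def evaluate_release(rec: ReleaseRecord, today: date) -> list[str]:
    """Return policy violations; an empty list means the release is admitted."""
    tag = f"{rec.service}:{rec.version}"
    violations: list[str] = []
    if not rec.sbom_path:
        violations.append(f"{tag}: no SBOM attached to the release")
    if not rec.signature_verified:
        violations.append(f"{tag}: artifact signature not verified")
    active = {e.finding_id for e in rec.exceptions if e.expires >= today}
    expired = {e.finding_id for e in rec.exceptions if e.expires < today}
    for f in rec.findings:
        if f.severity.lower() not in BLOCKING_SEVERITIES or f.finding_id in active:
            continue
        why = "exception expired" if f.finding_id in expired else "no active exception"
        violations.append(f"{tag}: {f.severity} finding {f.finding_id} in {f.component} ({why})")
    return violations


def gate(records: list[ReleaseRecord], today: date) -> dict[str, list[str]]:
    """Evaluate a batch; the result is the audit trail that goes into the Evidence Map."""
    return {f"{r.service}:{r.version}": evaluate_release(r, today) for r in records}


# Constructed sample data: ids, components and dates are placeholders, not real findings.
TODAY = date(2025, 11, 1)
GOOD_RELEASE = ReleaseRecord(
    "wallet-api", "4.12.0", "sbom/wallet-api-4.12.0.cdx.json", True,
    findings=[Finding("FND-0101", "high", "libxml2")],
    exceptions=[RiskException("FND-0101", date(2025, 12, 15), "Security Lead")],
)
BAD_RELEASE = ReleaseRecord(
    "bonus-engine", "2.3.1", None, False,
    findings=[Finding("FND-0202", "critical", "openssl"), Finding("FND-0203", "low", "lodash")],
    exceptions=[RiskException("FND-0202", date(2025, 10, 1), "Security Lead")],
)

if __name__ == "__main__":
    for release, problems in gate([GOOD_RELEASE, BAD_RELEASE], TODAY).items():
        print(release, "ADMIT" if not problems else "BLOCK")
        for p in problems:
            print("  -", p)
```

The expiry comparison is the part worth copying: an exception that has lapsed is treated exactly like no exception, which is what turns "2 vulnerability exceptions expired" from a finding an auditor discovers into one the pipeline blocks on its own.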


7) Passing the audit: tactics

1. Kickoff and scope: agree on the perimeter, list of samples, format of evidence.
2. Data room: prepare structured access to Evidence Map.
3. Dry-run interview: MLRO/DPO/RG-Lead/CTO/SRE - Q&A and demo run.
4. Live sessions: we show logs, SLO dashboards, release artifacts, DR scripts.
5. Remediation: coordinate priorities and deadlines, fix in the tracker.
6. Closure: audit report, lessons learned, policy/control updates, retro.


8) Remediation plan (template)

ID | Issue | Risk | Actions | Owner | Term | Status
SEC-01 | No image signature in 2 services | High | Enable signatures and admission policy | Platform Lead | 15 days | In progress
RG-02 | Incomplete intervention telemetry | Medium | Expand events/dashboard, conduct training | RG Lead | 10 days | Planned
AML-03 | 2 vulnerability exceptions expired | High | Close/update exceptions, report to SIEM | Security Lead | 7 days | Done

9) RACI (example: renewal program)

Area | Responsible | Accountable | Consulted | Informed
Evidence Map and data room | Compliance PM | Head of Compliance | Security, Platform, Data | Exec
Policies and training | Compliance Lead | COO | Legal, HR | All
SDLC/Releases/SBOM | Platform/SRE Lead | CTO | Security | Compliance
Pentest/vulnerabilities | Security Lead | CTO | Vendors | Compliance
RG/AML Reporting | RG Lead / MLRO | COO | Support, Data | Exec
Marketing/Affiliates | Marketing Ops | CMO | Legal, Compliance | Finance
Financials/GGR/Taxes | Finance Lead | CFO | PSP, Content | Exec

10) Checklists

10.1 Definition of Ready (60-90 days before deadline)

  • Updated AML/RG/Ad/Data/Incident policies; trainings were held.
  • Key Persons confirmed, SoF/SoW relevant (if required).
  • SAST/SCA/DAST and pentest reports collected, critical/high closed without expired exceptions.
  • Release logs with SBOM/signatures are available; admission-policy in the enforce state.
  • SLO/SLI dashboards and synthetic deposit/CCL/withdrawal check reports are available.
  • DR/restore test reports within SLA RTO/RPO.
  • RG/AML registries: interventions, SAR/STR, self-exclusion; sanctions/PEP reports.
  • Marketing/affiliates: channel whitelists, a sample of creatives with approvals.
  • GGR financial statements/taxes reconciled with PSP/banks.

10.2 Definition of Done (after renewal/audit confirmation)

  • Letter/renewal certificate received, registers/site/documents updated.
  • Remediation plan closed, policies and Evidence Map updated.
  • Retro lessons, process changes, calendar updated.
  • Notifications sent to ISPs/PSPs (if necessary).

11) Work with affiliates and advertising during the audit period

Prepare a register of channels, a sample of creatives, evidence of 18+/21+ targeting, a log of approvals.
Stop-list procedure for violating partners; RG/AML compliance conditions in partner contracts.
Ad display frequency/restriction dashboard and block lists.


12) Risk management (registry)

Risk | Probability/Impact | Indicator | Control | Owner
Critical vulnerabilities overdue | M/H | Findings open > 14 days | No critical/high policy, auto tracking | Security
Incomplete RG logs | M/M | Event gaps | Event directory, Data QA | RG Lead
Insufficient evidence of SDLC | M/H | Release questions | SBOM/signatures, change log | Platform
Unstable DR procedures | L/H | RTO/RPO not reached | Quarterly restore tests | SRE
Advertising/Affiliate violations | M/M | Complaints, fines | Whitelisting, auditing creatives | Marketing

13) Mini templates

Evidence Map (CSV) header and sample rows:

Control,Policy Ref,Artifact,Location,Owner,Updated At,Retention
RG-Limits,RG §4.2,Dashboard URL,obs://rg/limits,RG Lead,2025-10-15,24m
SDLC-SBOM,SDLC §3.1,sbom_2025Q4.json,repo://release/sbom,Platform Lead,2025-10-30,36m
DR-Restore,BCP §5.3,restore_report_Q4.pdf,doc://dr/reports,SRE Lead,2025-10-20,36m
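Section 5 asks for policy ↔ control ↔ evidence traceability with a hash and date on every artifact, and the CSV above is the index that carries it. The block below is an added example of checking such a map before the package goes out and stamping the artifacts it points at; it is not GambleHub's own tooling. It reuses the three template rows and adds one constructed stale row; the artifact store is an in-memory stand-in for the obs://, repo:// and doc:// locations (their real access layer is assumed), the artifact bytes are placeholders, and the 90-day freshness window and the submission date are constructed.

```python
"""Evidence Map validation and artifact stamping (added example, not the platform's own code)."""
import csv
import hashlib
import io
from datetime import date, timedelta

# Template rows from the page plus one constructed stale row (AML-STR).
EVIDENCE_MAP_CSV = """Control,Policy Ref,Artifact,Location,Owner,Updated At,Retention
RG-Limits,RG §4.2,Dashboard URL,obs://rg/limits,RG Lead,2025-10-15,24m
SDLC-SBOM,SDLC §3.1,sbom_2025Q4.json,repo://release/sbom,Platform Lead,2025-10-30,36m
DR-Restore,BCP §5.3,restore_report_Q4.pdf,doc://dr/reports,SRE Lead,2025-10-20,36m
AML-STR,AML §7.1,str_register_Q3.xlsx,doc://aml/registers,MLRO,2025-06-02,60m
"""

# Constructed stand-in for the artifact store; contents are placeholders.
ARTIFACT_STORE = {
    "obs://rg/limits/Dashboard URL": b"<dashboard export placeholder>",
    "repo://release/sbom/sbom_2025Q4.json": b'{"bomFormat": "CycloneDX", "components": []}',
    "doc://dr/reports/restore_report_Q4.pdf": b"%PDF-1.7 placeholder",
    # str_register_Q3.xlsx deliberately absent: the map points at nothing.
}
ALLOWED_SCHEMES = ("obs://", "repo://", "doc://")
REQUIRED_FIELDS = ("Control", "Policy Ref", "Artifact", "Location", "Owner", "Updated At", "Retention")
PACKAGE_DATE = date(2025, 11, 10)   # constructed submission date


def parse_evidence_map(text: str) -> list:
    """Load the CSV and refuse rows with an empty required column."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            raise ValueError(f"row {row.get('Control')!r} lacks {missing}")
    return rows


def retention_months(value: str) -> int:
    """'24m' -> 24; any other format is an error the auditor would ask about."""
    if not value.endswith("m") or not value[:-1].isdigit():
        raise ValueError(f"bad retention {value!r}")
    return int(value[:-1])


def artifact_key(row) -> str:
    return f"{row['Location']}/{row['Artifact']}"


def check_row(row, package_date: date, max_age_days: int = 90) -> list:
    """Location, freshness and presence checks for one control."""
    issues = []
    if not row["Location"].startswith(ALLOWED_SCHEMES):
        issues.append("unknown location scheme")
    updated = date.fromisoformat(row["Updated At"])
    if package_date - updated > timedelta(days=max_age_days):
        issues.append(f"stale: last updated {updated.isoformat()}")
    if artifact_key(row) not in ARTIFACT_STORE:
        issues.append("artifact not found at location")
    return issues


def audit_evidence_map(text: str, package_date: date, max_age_days: int = 90) -> dict:
    """Control -> list of issues; an empty list means the row is ready to ship."""
    return {row["Control"]: check_row(row, package_date, max_age_days)
            for row in parse_evidence_map(text)}


def build_manifest(rows, package_date: date) -> list:
    """SHA-256 plus date stamp per artifact, so a sampled upload can be matched back to the map."""
    manifest = []
    for row in rows:
        blob = ARTIFACT_STORE.get(artifact_key(row))
        if blob is None:
            continue   # reported by check_row; nothing to stamp
        manifest.append({
            "control": row["Control"],
            "policy_ref": row["Policy Ref"],
            "sha256": hashlib.sha256(blob).hexdigest(),
            "stamped_on": package_date.isoformat(),
            "retention_months": str(retention_months(row["Retention"])),
        })
    return manifest


if __name__ == "__main__":
    for control, issues in audit_evidence_map(EVIDENCE_MAP_CSV, PACKAGE_DATE).items():
        print(f"{control}: {'OK' if not issues else '; '.join(issues)}")
    for entry in build_manifest(parse_evidence_map(EVIDENCE_MAP_CSV), PACKAGE_DATE):
        print(entry)
```

Run it in the T-30...14 window from the calendar in section 3: the issues list is the "internal sampling of evidence" step, and the manifest is what gets versioned alongside the package so the hash an auditor computes on a sampled file matches the one in the index.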

Audit Plan (1 page):
  • Scope/goals
  • List of samples and format of evidence
  • Sessions/Interview Calendar
  • Roles and Contacts
  • Q&A channel and SLA responses

14) Frequent questions

Do I need to submit all artifacts at once? No: submit a base package and provide samples on request - but keep everything ready.
Is it possible to compensate for the absence of some logs? Only with an explainable cause and a remediation plan (with a timeline).
What matters more to the regulator - policies or evidence? Evidence, always: it is what proves the policies actually work.


15) 30 Day Short Plan (fast track)

Week 1: final gap analysis, policy update, SLO/log measurement, auditors reservation.
Week 2: collecting SBOM/signatures/release logs, vulnerability reports/penetration tests, DR acts.
Week 3: RG/AML/marketing consolidation, summary dashboards, dry-run interviews.
Week 4: Filing, Q&A, Quick Remediations and Confirmation of Renewal.


Brief conclusion

Renewal and auditing is not a one-off "report delivery" but a regular demonstration of process maturity. Build a calendar, maintain the Evidence Map, automate controls as code, keep observability and DR in good shape. Then renewal turns from a risk into routine, and the audit into a source of improvement and of trust from regulators, partners and players.
