GH GambleHub

Partner Compliance Guide

1) Purpose and scope

This guide defines the compliance requirements for partners/contractors/affiliates/providers (including payment and hosting platforms, content studios, anti-fraud services, call centers, marketing agencies).

Objectives:
  • Uniform standards of security, privacy, regulation and responsible communication.
  • Reduce operational/legal risks in the supply chain.
  • "Audit-ready" evidence base and mutual verifiability.

2) Terms

Partner - any third party processing data or providing services.
Critical partner - has a significant impact on security, payments, personal data or regulatory processes.
Subprocessor - partner's counterparty involved in data processing.

3) Principles ("design tenets")

Compliance-by-design: requirements are built into processes and architecture.
Data minimization and jurisdiction tracking (data residency).
Traceability and immutability: logs, WORM archive, hash receipts.
Proportionality: the depth of checks depends on risk.
"One version of truth": confirmed artifacts, governed by SLA and RACI.

4) Roles and RACI

Role                  | Responsibility
Vendor Management (A) | Risk classification, onboarding/offboarding, monitoring
Compliance/GRC (R)    | Requirements, checks, CAPAs, audit readiness
Legal/DPO (C)         | Contracts, DPA, privacy, cross-border
SecOps/CISO (C/R)     | Technical requirements, incidents, detections
Finance/Payments (C)  | Payment requests, chargeback/sanctions
Business Owner (R)    | Operational work with partner, KPI
Internal Audit (I)    | Independent compliance assessment

(R — Responsible; A — Accountable; C — Consulted; I — Informed)

5) Partner risk classification

Criteria: data type (PII/payment), volume of transactions, access to production systems, jurisdictions, role in the chain (processor/controller), incident history, certificates/audits.
Levels: Low/Medium/High/Critical → determine the depth of Due Diligence and the frequency of revisions.

6) Onboarding and Due Diligence (DD)

Steps:

1. DD questionnaire (owners, sub-processors, data locations, certificates, controls).

2. Screening of sanctions/reputation/beneficiaries.

3. Security/privacy assessment: SOC/ISO/PCI/penetration test, retention policy, DSAR processes.

4. Technical check: SSO/OAuth, encryption, secret management, logging.

5. Payment/AML aspects (if applicable): chargeback processes, anti-fraud, limits.

6. Risk Report and decision: admission/conditional/refusal + CAPA/compensatory measures.

7. Contracts: MSA, SLA/OLA, DPA, audit right, mirror retention, incident notifications, off-ramp.

7) Mandatory partner requirements (minimum)

7.1 Security and privacy

Encryption in transit/at rest, key management (KMS/HSM).
RBAC/ABAC, MFA, admin log, access re-certification.
Logs and WORM archive with hash signature; synchronized time.
Retention policies, Legal Hold, DSAR procedures; masking/tokenizing PII.
Vulnerability reports/penetration tests; managed update policy.

7.2 Regulatory and Marketing

Prohibition of misleading/aggressive offers, mandatory disclaimers.
Compliance with the rules of responsible play and age verification (if applicable).
Geo-targeting according to licenses and local restrictions.
Documented consents/unsubscriptions for communications, storage of proofs.

7.3 Payments/AML/KYC (by role)

KYC/KYB procedures, sanction/PEP screening, transaction monitoring.
Authorization logs/3DS, chargeback processes, risk limits.
Consistent blocking/investigation and refund scenarios.

8) Technical integration

SSO/SAML/OIDC, SCIM-provisioning (if possible).
Structured logging (JSON/OTel), tracing (trace_id).
Webhooks - with signature and retries; delivery guarantee/idempotency.
API limits, contract tests, backward compatibility, versioning.
Isolated environments, keys and secrets are in secret storages.
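As an added illustration of the webhook requirements in this section (signature, retries, idempotency) together with the hash receipts of sections 7.1 and 10, the following Python receiver is example code written for this guide, not GambleHub's own integration; the header names, the secret and the event payload are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for this example; a real secret lives in the secret store (section 8).
WEBHOOK_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # signed timestamps outside this window are treated as replays
HEADERS = ("X-Event-Id", "X-Timestamp", "X-Signature")  # assumed header names
def sign(secret: bytes, event_id: str, timestamp: int, body: bytes) -> str:
    """Partner side: HMAC-SHA256 over event id, timestamp and body, so all three are covered."""
    return hmac.new(secret, f"{event_id}.{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

class WebhookReceiver:
    def __init__(self, secret: bytes, now):
        self.secret, self.now = secret, now    # now(): epoch seconds, injected for testability
        self.seen = set()                      # idempotency keys already processed
        self.receipts = []                     # hash-chained receipts for the evidence log
        self.prev_hash = "0" * 64

    def _receipt(self, event_id: str, outcome: str, body: bytes) -> str:
        """Append a receipt that commits to the previous hash: editing any earlier entry breaks all later ones."""
        body_hash = hashlib.sha256(body).hexdigest()
        entry_hash = hashlib.sha256(f"{self.prev_hash}|{event_id}|{outcome}|{body_hash}".encode()).hexdigest()
        self.receipts.append({"event_id": event_id, "outcome": outcome, "body_sha256": body_hash,
                              "prev": self.prev_hash, "hash": entry_hash})
        self.prev_hash = entry_hash
        return outcome

    def handle(self, headers: dict, body: bytes) -> str:
        """Returns 'accepted', 'duplicate' or 'rejected'; a retry of a processed event is not re-run."""
        if any(h not in headers for h in HEADERS):
            return self._receipt("-", "rejected", body)
        event_id, ts_raw, sig = (headers[h] for h in HEADERS)
        if not ts_raw.isdigit() or abs(self.now() - int(ts_raw)) > MAX_SKEW_SECONDS:
            return self._receipt(event_id, "rejected", body)          # stale or malformed timestamp
        if not hmac.compare_digest(sign(self.secret, event_id, int(ts_raw), body), sig):
            return self._receipt(event_id, "rejected", body)          # bad signature (constant-time check)
        if event_id in self.seen:
            return self._receipt(event_id, "duplicate", body)         # partner retry: acknowledge, do not re-process
        self.seen.add(event_id)
        return self._receipt(event_id, "accepted", body)

def chain_is_intact(receipts: list) -> bool:
    """Recompute the receipt chain; any edited or removed entry makes this return False."""
    prev = "0" * 64
    for r in receipts:
        line = f"{prev}|{r['event_id']}|{r['outcome']}|{r['body_sha256']}"
        if r["prev"] != prev or hashlib.sha256(line.encode()).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True
```

Every delivery attempt, including rejected and duplicate ones, leaves a receipt, which is what makes the partner's retries and the platform's handling reconcilable in a joint timeline.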

9) Contractual obligations

SLA/OLA: uptime, TTR/MTTR, latency, RPO/RTO for critical services.
Evidence & Audit: audit right, PBC formats, response time, access to Data Room.
Incidents: notification ≤ X hours, report and timeline format, CAPA.
Retention and removal: TTL, confirmation of destruction, mirror retention in subprocessors.
Confidentiality/AOI and subcontract restrictions.

10) Incident management (shared)

A single notification channel and battle-rhythm updates.
Immediate Legal Hold of relevant data.
Joint timeline (who/what/when), artifacts with hash receipts.
Notifications to regulators/customers - through an agreed process.
Post-mortem, CAPA, re-audit in 30-90 days.

11) Reporting and monitoring

Quarterly reports: certificates, incidents, SLAs, sub-processors, data location changes.
Privacy/DSAR metrics, customer complaints, marketing violations.
Financial/payment: chargeback ratio, anti-fraud efficiency, appeal win rate.

12) Control and audit right

Scheduled audits by risk classes; unplanned - for incidents/critical changes.
Data Room, PBC list, ToD/ToE/Walkthrough/Reperform.
CAPA → results, timelines and evidence of closure (WORM).

13) Partner offboarding

Migration/replacement plan, transfer of artifacts and keys.
Confirm partner and sub-processor data destruction.
Revoke accesses/secrets, close integration channels.
Final audit/report and archiving of evidence.

14) Metrics and KRI

Onboarding Lead Time (by risk class).
Vendor Certificate Freshness (target: 100% critical partners).
SLA Compliance and Incident Rate by Partner.
Privacy/DSAR SLA and customer complaints.
Chargeback Ratio/Fraud Loss% (for payment roles).
CAPA On-time and Repeat Findings.
Localization/Jurisdiction Drift (inconsistent changes to locations/sub-processors).

15) Dashboards

Vendor Risk Heatmap: risk rating, certificates, incidents, countries.
Compliance Coverage: DPA/SLA availability, audit right, retention/Legal Hold.
SLA & Incidents: uptime, TTR/MTTR, unclosed incidents.
Privacy & DSAR: turnaround times, volumes, complaints, trends.
Payments/Fraud: chargeback ratio, reasons, appeal win rate.
CAPA & Re-audit: statuses, delays, repeated comments.

16) SOP (standard procedures)

SOP-1: Partner onboarding

DD questionnaire → screenings → technical/privacy/security assessment → Risk Report → contracts (MSA/DPA/SLA) → setting up integration and logging → pilot → go-live.

SOP-2: Partner changes

Change Notification (Sub-Processors/Locations/Architecture) → Risk Assessment → Contract/Policy Update → Tests → Prod.

SOP-3: Incident

Single channel → Legal Hold → joint timeline/artifacts → notification → CAPA → re-audit.

SOP-4: Periodic revision

Annual/quarterly risk cycle → PBC → ToD/ToE sample → report/CAPA → metrics publication.

SOP-5: Offboarding

Migration plan → export/transfer → confirmation of destruction → revocation of access → final report.

17) Artifact patterns

17.1 Vendor DD Checklist (snippet)

Legal-entity data/beneficiaries; sanction screening

Certificates/Audits, Security/Privacy Policy

Data locations/sub-processors/retention

Incidents in 24 months, CAPA

Technical integration: SSO, logging, encryption, webhooks

17.2 DPA/SLA - Mandatory Items

Data processing, objectives, legal grounds

Timing of incident notification, format of reports

Audit right, PBC formats, Data Room

TTL/removal, Legal Hold, confirmation of destruction

Sub-processors and approval order

17.3 Evidence pack

Access logs/admin actions (structured, hash receipts)

Vulnerability/Penetration/Scan Reports

DSAR registry/deletions/retention

SLA/Incident/Recovery (RTO/RPO)

Signed versions of contracts/addendums

18) Antipatterns

Opaque sub-processors/data locations.
"End-to-end" accesses without re-cert and logs.
Manual uploads without immutability and hash confirmations.
Marketing with inauthentic/forbidden promises.
No evidence of data destruction when offboarding.
Eternal waivers without deadlines and compensatory measures.

19) Maturity model (M0-M4)

M0 Ad-hoc: one-time checks, no risk register by partner.
M1 Directory: list of partners, basic DD/contracts.
M2 Managed: risk classes, SLA/DPA, dashboards, scheduled revisions.

M3 Integrated: logging/evidence-bus, re-audit, CAPA-linking, "audit-ready."

M4 Continuous Assurance: real-time monitoring, recommendation checks, auto-generation of PBC/evidence packages.

20) Related wiki articles

Due Diligence when selecting providers

Outsourcing risks and contractor controls

External audits by external auditors

Storage of evidence and documentation

Logging and Audit Trail

Remediation Plans (CAPAs)

Re-audits and follow-up

Policy and compliance repository

Communication of compliance decisions in teams

Summary

The "Partner Compliance Guide" turns the supply chain into a managed ecosystem: uniform requirements, predictable checks, immutable evidence and transparent arrangements. This reduces risk, speeds integration and makes collaboration scalable and verifiable.
