GH GambleHub

Due Diligence when selecting providers

1) Why Due Diligence Providers

A provider is an extension of your chain of trust. A selection error means regulatory penalties, data leaks, downtime, and reputational losses. Due Diligence (DD) lets you:
  • Identify inherent risk by product/country/data.
  • Verify compliance and safety prior to contract award.
  • Record SLA/SLO and audit rights at contract stage.
  • Configure monitoring and offboarding while maintaining data integrity.

2) When it applies and what it covers

Points: preliminary selection, short list, before the contract, with significant changes, annual review.
Coverage: legal status, financial stability, security, privacy, technical maturity, operation/support, compliance (GDPR/PCI/AML/SOC 2, etc.), geography and sanctions risks, ESG/ethics, subcontractors.

3) Roles and RACI

Role | Responsibility
Business Owner (A) | Business case, budget, risk-based final decision
Procurement/Vendor Mgmt (R) | DD process, tender, bid comparison, provider register
Compliance/DPO (C/R) | Privacy, legality of processing, DPA/SCC
Legal (R/C) | Contracts, liability, audit rights, IP/licenses
Security/CISO (R) | Technical control, tests, incident requirements
Data Platform/IAM/IT (C) | Integrations, architecture, SSO, logs
Finance (C) | Solvency, payment terms/currency/taxes
Internal Audit (I) | Monitoring completeness and traceability

(R — Responsible; A — Accountable; C — Consulted; I — Informed)

4) Scorecard (what we check)

4.1 Legal and Corporate Profile

Registration, beneficiaries (KYB), litigation, sanctions lists.
Licenses/certificates for regulated services.

4.2 Finance and sustainability

Audited statements, debt load, key investors/banks.
Single client/region dependency, continuity plan (BCP).

4.3 Security and privacy

ISMS (policies, RACI), external test results, vulnerability management.
Encryption At Rest/In Transit, KMS/HSM, secret management.
DLP/EDRM, journaling, Legal Hold, retention and deletion.
Incident management: SLA notifications, playbooks, post-mortems.

4.4 Compliance and certification

SOC 2/ISO 27001/PCI DSS/ISO 27701/CSA STAR (timing and scope).
GDPR/local norms: roles (controller/processor), DPA, SCC/BCR, DPIA.
AML/sanction loop (if applicable).

4.5 Technical Maturity and Integration

Architecture (multi-tenancy, isolation, SLO, DR/HA, RTO/RPO).
API/SDK, versioning, rate limits, observability (logs/metrics/trails).
Change management, releases (blue-green/canary), backward compatibility.

4.6 Operations and Support

24×7 / follow-the-sun coverage, response/resolution times, on-call rotations.
Onboarding/offboarding procedures, data export without penalties.

4.7 Sub-processors and supply chain

List of subcontractors, jurisdictions, their controls and change notices.

4.8 Ethics/ESG

Anti-corruption policies, code of conduct, labor practices, reporting.

5) Due Diligence Process (SOP)

1. Initiation: demand card (goals, data, jurisdictions, criticality).
2. Qualification: short questionnaire (pre-screen) + sanction/license check.
3. Deep assessment: questionnaire, artifacts (policies, reports, certificates), interviews.
4. Technical check: security review, environment demo, reading logs/metrics, PoC.
5. Scoring and risks: inherent risk → control profile → residual risk.
6. Remediation: terms/corrections before the contract (gap list with deadlines).
7. Contract: DPA/SLA/audit rights/liability/IP/termination/exit plan.
8. Onboarding: accesses/SSOs, data catalogs, integrations, monitoring plan.
9. Continuous monitoring: annual review/triggers (incident, sub-processor change).
10. Offboarding: export, deletion/anonymization, revocation of access, confirmation of destruction.

6) Provider questionnaire (core of questions)

Legal entity, beneficiaries, sanctions checks, disputes over the last 3 years.
Certifications (SOC 2 type/period, ISO, PCI), latest reports/scope.
Security policies, data inventory, classification, DLP/EDRM.
Technical isolation: tenant-isolation, network policies, encryption, keys.
Logs and audits: storage, access, WORM/immutability, SIEM/SOAR.
Incidents in 24 months: types, impact, lessons.
Retention/deletion/Legal Hold/DSAR handling process.
Sub-processors: list, countries, functions, contractual guarantees.
DR/BCP: RTO/RPO, recent test results.
Support/SLA: response/resolution times, escalations, credit scheme.
Exit-plan: data export, formats, cost.

7) Scoring model (example)

Axes: Law/Finance/Security/Privacy/Engineering/Operations/Compliance/Chain/ESG.
Scores 1-5 on each axis; weight by service criticality and data type.

Final risk rate:
  • RR = Σ_i (weight_i × score_i) → category: Low/Medium/High/Critical.

High/Critical: Pre-contract remediation, enhanced SLA conditions and monitoring are mandatory.
Low/Medium: standard requirements + annual revision.
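The scoring model above, worked through in code. This is an added example, not a tool from the wiki or the GambleHub project: the page gives the axes, the 1-5 score scale, the weighted-sum formula and the four categories, while the concrete base weights, the criticality/data-type multipliers, the category thresholds and the convention that 5 is the highest risk are assumptions chosen here to make the example run. Weights are renormalized after boosting so RR stays on the 1-5 scale of the scores.

```python
"""Weighted vendor risk rate (RR) with weights adjusted for service
criticality and data type. Added example; all numeric constants are assumed."""
from typing import Dict, List

AXES = ("Law", "Finance", "Security", "Privacy", "Engineering",
        "Operations", "Compliance", "Chain", "ESG")

# Assumed base weights; they sum to 1.0 so RR lands on the 1-5 score scale.
BASE_WEIGHTS = {
    "Law": 0.10, "Finance": 0.10, "Security": 0.20, "Privacy": 0.15,
    "Engineering": 0.10, "Operations": 0.10, "Compliance": 0.10,
    "Chain": 0.10, "ESG": 0.05,
}

# Assumed multipliers: data-sensitive services stress the data axes,
# critical services stress the engineering/operations axes.
DATA_BOOST = {"PI/Finance": 1.5, "PI/pseudo-PI": 1.25, "restricted": 1.0, "none": 1.0}
CRITICALITY_BOOST = {"Critical": 1.5, "High": 1.25, "Medium": 1.0, "Low": 1.0}
DATA_AXES = ("Security", "Privacy", "Compliance")
SERVICE_AXES = ("Engineering", "Operations")

# Assumed category thresholds on the 1-5 RR scale (score 5 = highest risk).
THRESHOLDS = ((2.0, "Low"), (3.0, "Medium"), (4.0, "High"))


def effective_weights(criticality: str, data_type: str) -> Dict[str, float]:
    """Boost the relevant axes, then renormalize so the weights sum to 1."""
    w = dict(BASE_WEIGHTS)
    for axis in DATA_AXES:
        w[axis] *= DATA_BOOST[data_type]
    for axis in SERVICE_AXES:
        w[axis] *= CRITICALITY_BOOST[criticality]
    total = sum(w.values())
    return {axis: value / total for axis, value in w.items()}


def risk_rate(scores: Dict[str, int], weights: Dict[str, float]) -> float:
    """RR = sum(weight_i * score_i); every axis must carry a 1-5 score."""
    missing = set(AXES) - set(scores)
    if missing:
        raise ValueError(f"missing scores for axes: {sorted(missing)}")
    for axis, score in scores.items():
        if axis not in AXES or not 1 <= score <= 5:
            raise ValueError(f"invalid score {score!r} for axis {axis!r}")
    return sum(weights[axis] * scores[axis] for axis in AXES)


def categorize(rr: float) -> str:
    for upper, label in THRESHOLDS:
        if rr < upper:
            return label
    return "Critical"


def required_actions(category: str) -> List[str]:
    """Follow-up actions per category, as stated in the scoring section."""
    if category in ("High", "Critical"):
        return ["pre-contract remediation", "enhanced SLA conditions", "enhanced monitoring"]
    return ["standard requirements", "annual revision"]


def assess(scores: Dict[str, int], criticality: str, data_type: str) -> dict:
    rr = risk_rate(scores, effective_weights(criticality, data_type))
    category = categorize(rr)
    return {"rr": round(rr, 3), "category": category, "actions": required_actions(category)}


if __name__ == "__main__":
    # Constructed sample: weak security/privacy posture on a low-criticality service.
    sample = {axis: 1 for axis in AXES}
    sample.update({"Security": 5, "Privacy": 5})
    print(assess(sample, "Low", "PI/Finance"))
```

The same raw scores produce a higher RR when the service handles PI/finance data than when it processes no personal data, which is the point of weighting by data type: the category, and therefore whether remediation is mandatory before the contract, depends on context, not on the questionnaire alone.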

8) Mandatory provisions of the contract (must-have)

DPA: roles (controller/processor), purpose, data categories, retention and deletion, Legal Hold, DSAR assistance.
SCC/BCR for cross-border transmissions (if applicable).
Security Appendix: encryption, logs, vulnerabilities/patching, penetration tests, vulnerabilities disclosure.
SLA/SLO: response/resolution time (severity levels), credits/penalties, availability, RTO/RPO.
Audit Rights: right to audit/questionnaire/evidence; notifications of control/sub-processor changes.
Breach Notification: terms of notification (for example, ≤ 24-72 hours), format, cooperation in the investigation.
Subprocessor Clause: list, change by notice/agreement, responsibility.
Exit & Data Return/Deletion: export format, dates, confirmation of destruction, migration support.
Liability/Indemnity: limits/exceptions (PI leakage, license violation, regulatory fines).
IP/License - development/configuration/data/metadata rights.

9) Monitoring and review triggers

Expiration/renewal of certificates (SOC/ISO/PCI), changes in reporting status.
Change of sub-processors/storage locations/jurisdictions.
Security incidents/significant SLA outages.
Mergers/acquisitions, deterioration of financial performance.
Releases affecting isolation/encryption/access.
Regulatory inquiries, Findings audits.

10) Vendor Risk Mgmt Metrics and Dashboards

DD Coverage: % of critical providers that have passed full-fledged DD.
Time-to-Onboard: median from bid to contract (by risk category).
Open Gaps: active remediation by provider (timelines/owners).
SLA Breach Rate: Proportion of SLA breaches by time/availability.
Incident Rate: Incidents/12 months by provider and severity.
Audit Evidence Readiness: availability of up-to-date reports/certificates.
Subprocessor Drift - changes without notice (target 0).
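The review triggers of section 9 and the metrics of section 10 as they would run over a provider register. This is an added example, not code from the wiki or the GambleHub project; the register entries are constructed sample data with hypothetical provider names, the 90-day certificate horizon is an assumption, and the periodic-review interval per category is taken as the shorter end of the revision ranges given in section 11.

```python
"""Review triggers and Vendor Risk Mgmt metrics over a provider register.
Added example with constructed data; provider names are hypothetical."""
from datetime import date, timedelta

# Review interval (months) per category, shorter end of the section 11 ranges (assumption).
REVIEW_INTERVAL_MONTHS = {"Critical": 12, "High": 12, "Medium": 18, "Low": 24}

TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible

# Constructed sample register (hypothetical providers, dates and counts).
REGISTRY = [
    {
        "name": "hosting-vendor-A", "category": "Critical", "dd_status": "complete",
        "last_review": date(2024, 3, 1),
        "certs": {"SOC 2": date(2025, 1, 31), "ISO 27001": date(2024, 7, 15)},
        "subprocessors_contract": {"dc-eu-1", "backup-co"},          # notified in contract
        "subprocessors_observed": {"dc-eu-1", "backup-co", "new-cdn"},  # from latest questionnaire
        "incidents_12m": ["high"], "sla_periods": 12, "sla_breaches": 1,
    },
    {
        "name": "analytics-vendor-B", "category": "High", "dd_status": "partial",
        "last_review": date(2023, 1, 10),
        "certs": {"ISO 27001": date(2025, 6, 30)},
        "subprocessors_contract": {"cloud-x"}, "subprocessors_observed": {"cloud-x"},
        "incidents_12m": [], "sla_periods": 12, "sla_breaches": 0,
    },
    {
        "name": "kyc-vendor-C", "category": "Critical", "dd_status": "partial",
        "last_review": date(2024, 5, 20),
        "certs": {"SOC 2": date(2025, 3, 31), "PCI DSS": date(2024, 5, 1)},
        "subprocessors_contract": {"id-check-co"}, "subprocessors_observed": {"id-check-co"},
        "incidents_12m": ["low"], "sla_periods": 12, "sla_breaches": 2,
    },
]


def months_between(start: date, end: date) -> int:
    return (end.year - start.year) * 12 + (end.month - start.month)


def review_triggers(vendor: dict, today: date = TODAY, cert_horizon_days: int = 90) -> list:
    """Return the section 9 triggers that fire for one vendor."""
    triggers = []
    for cert, expiry in vendor["certs"].items():
        if expiry - today <= timedelta(days=cert_horizon_days):
            state = "expired" if expiry < today else "expires"
            triggers.append(f"{cert} {state} {expiry.isoformat()}")
    drift = vendor["subprocessors_observed"] - vendor["subprocessors_contract"]
    if drift:
        triggers.append(f"sub-processor drift: {sorted(drift)}")
    if any(sev in ("high", "critical") for sev in vendor["incidents_12m"]):
        triggers.append("high/critical security incident in last 12 months")
    interval = REVIEW_INTERVAL_MONTHS[vendor["category"]]
    if months_between(vendor["last_review"], today) >= interval:
        triggers.append(f"periodic review overdue ({interval} months)")
    return triggers


def vrm_metrics(registry: list, today: date = TODAY) -> dict:
    """Section 10 dashboard figures computed from the register."""
    critical = [v for v in registry if v["category"] == "Critical"]
    covered = sum(v["dd_status"] == "complete" for v in critical)
    periods = sum(v["sla_periods"] for v in registry)
    breaches = sum(v["sla_breaches"] for v in registry)
    ready = sum(all(exp >= today for exp in v["certs"].values()) for v in registry)
    drifted = sum(bool(v["subprocessors_observed"] - v["subprocessors_contract"]) for v in registry)
    return {
        "dd_coverage_pct": round(100.0 * covered / len(critical), 1) if critical else None,
        "sla_breach_rate": round(breaches / periods, 4) if periods else None,
        "incident_rate": {v["name"]: len(v["incidents_12m"]) for v in registry},
        "evidence_readiness_pct": round(100.0 * ready / len(registry), 1),
        "subprocessor_drift": drifted,  # target 0
    }


if __name__ == "__main__":
    for vendor in REGISTRY:
        print(vendor["name"], review_triggers(vendor))
    print(vrm_metrics(REGISTRY))
```

Sub-processor drift is computed as the set difference between what the contract lists and what the latest questionnaire or evidence shows, so a provider that adds a sub-processor without notice surfaces both as a review trigger and in the dashboard count.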

11) Categorization and verification levels

Provider category | Example | Data | DD depth | Revision
Critical | core hosting, KYC/AML, PSP | PI/Finance | Complete (on-site/PoC) | Yearly + triggers
High | analytics, DWH, logs | PI/pseudo-PI | Expanded | 12-18 months
Medium | marketing, email, support | restricted | Basic | 18-24 months
Low | training, content | does not process PI | Light pre-screen | 24 months

12) Checklists

Starting DD

  • Requirement card and service risk class.
  • Pre-screen: sanctions, licenses, base profile.
  • Questionnaire + artifacts (policies, reports, certificates).
  • Security/Privacy review + PoC for integrations.
  • Gap list with deadlines and owners.
  • Contract: DPA/SLA/audit rights/liability/exit.
  • Onboarding and monitoring plan (metrics, alerts).

Annual review

  • Updated certificates and reports.
  • Sub-processors/locations/jurisdictions check.
  • Remediation status, new risks/incidents.
  • DR/BCP tests and results.
  • Dry-run audit: collect evidence at the push of a button.

13) Red flags

Refusal to provide SOC/ISO/PCI or material sections of reports.
Fuzzy answers for data encryption/logs/deletion.
There are no DR/BCP plans or they are not being tested.
Closed incidents without post-mortem and lessons.
Unlimited data transfer to sub-processors/abroad without guarantees.
Aggressive limitations of liability for PI leaks.

14) Antipatterns

"Paper" DD without PoC and technical verification.
Universal risk-free/jurisdictional checklist.
Contract without DPA/SLA/audit rights and exit plan.
Lack of a provider registry and change monitoring.
"Forever" issued accesses/tokens without rotation and re-attestation.

15) Related wiki articles

  • Compliance and reporting automation
  • Continuous Compliance Monitoring (CCM)
  • Legal Hold and Data Freeze
  • Policies and Procedures Lifecycle
  • KYC/KYB and sanction screening
  • Data Retention and Deletion Schedules
  • Continuity Plan (BCP) and DRP

Result

Risk-oriented Due Diligence is not a checkbox exercise but a managed process: correct categorization, deep verification along the key axes, clear contractual guarantees and continuous monitoring. Suppliers then become a reliable part of your chain, and you meet the requirements predictably without slowing down the business.
