GH GambleHub

Third Party Risks and Partner Audits

1) Why and for whom

The goal: to reduce the likelihood of failures, leaks and regulatory violations that come through external suppliers and partners.
Coverage: PSP/payment gateways, CCM/sanctions/PEP, anti-fraud, game providers and studios, affiliate networks and tracking, cloud/CDN/hosting, BI/analytics, retention tools/marketing SDKs, call centers, as well as the sub-processors of our vendors.

2) Risk categories (domain map)

Information security and privacy: PII/KYC/payment token leaks, weak TOMs, lack of WORM/audit.
Compliance: GDPR/UK GDPR/ePrivacy, AML/KYC, PCI zone, advertising/gaming requirements of jurisdictions.
Operational: availability/SLA, concentration, weak BCP/DR.
Financial: supplier stability, credit risks, chargeback shocks.
Sanctions/geopolitical: export/import restrictions, location of data centers, PEP/sanctions in ownership structures.
Reputational and legal: violations of advertising/responsible play, IP rights.
Technical: SDK/API vulnerabilities, lack of versioning and test environments.

3) Supply chain mapping

1. Inventory: a single register of all vendors/partners/sub-processors with the owner (business owner).
2. Data Map: what data/jurisdictions/volumes pass through whom; PII flags/finance/special categories.
3. Criticality: classified by impact on money/PII/uptime.

4) Vendor Tiering (Example Criteria)

Tier | Signs | Examples | Requirements
Tier 1 (critical) | PII/payments, 24x7, direct impact on GGR | PSP, CCM/sanctions, anti-fraud, cloud | Full due diligence, audit, BCP/DR tests, annual onsite/remote audit
Tier 2 (high) | indirect impact, PII masked, important integrations | studios/aggregators, DWH tools | Extended questionnaire, random audit, annual review
Tier 3 (medium/low) | no PII/money, marketing tools | e-mail, widgets | Light questionnaire, contractual minimums

5) Risk screening and scoring

Factors: security (policies, certification), privacy (DPA/SCCs/DTIA), compliance (AML/PCI/ISO), operational resilience (SLA/BCP/DR), finance (audit/reporting), jurisdictions/sanctions, incident history, technological maturity (SDLC/DevSecOps).
Scoring (example): 0-5 for each factor → weighted total (W) → zone: green/amber/red.

Threshold solutions:
  • Green: standard contract.
  • Amber: controls/remediation to Go-Live.
  • Red: failure or pilot with additional measures (segmentation, throttling, read-only, escrow, reduced limits).
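The scoring step above, as an added example (not GambleHub's own tooling): each factor from section 5 is scored 0-5, a weighted total W is computed on the same 0-5 scale, and W is mapped to a zone and to the threshold decision. The weights, the zone thresholds and the "critical floor" rule (a single disqualifying factor forces red even when the weighted average looks healthy) are assumptions chosen for illustration.

```python
"""Vendor risk scoring: 0-5 per factor -> weighted total W -> green/amber/red zone.

Added example, not GambleHub's implementation. Factor names follow section 5;
weights, thresholds and the critical-floor rule are assumptions.
"""

# Factors from section 5, each scored 0 (worst) .. 5 (best).
FACTORS = (
    "security", "privacy", "compliance", "resilience",
    "finance", "jurisdiction", "incident_history", "tech_maturity",
)

# Assumed weights; they sum to 1.0 so W stays on the 0..5 scale.
WEIGHTS = {
    "security": 0.20, "privacy": 0.15, "compliance": 0.15, "resilience": 0.15,
    "finance": 0.10, "jurisdiction": 0.10, "incident_history": 0.10, "tech_maturity": 0.05,
}
MAX_SCORE = 5

# Assumed zone thresholds on W.
GREEN_MIN = 4.0
AMBER_MIN = 2.5

# Assumed floor: a weighted average can hide one fatal factor (e.g. a sanctioned
# owner), so any of these factors scoring at or below its floor forces red.
CRITICAL_FLOOR = {"jurisdiction": 1, "security": 1}

# Threshold decisions as listed in section 5.
DECISIONS = {
    "green": "standard contract",
    "amber": "controls/remediation before Go-Live",
    "red": "decline, or pilot with additional measures "
           "(segmentation, throttling, read-only, escrow, reduced limits)",
}


def weighted_total(scores: dict) -> float:
    """Return W = sum(weight * score) rounded to 2 decimals; rejects bad input."""
    missing = set(FACTORS) - set(scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    for name, value in scores.items():
        if name not in WEIGHTS:
            raise ValueError(f"unknown factor: {name}")
        if not (isinstance(value, int) and 0 <= value <= MAX_SCORE):
            raise ValueError(f"{name}: score must be an integer 0..{MAX_SCORE}, got {value!r}")
    return round(sum(WEIGHTS[f] * scores[f] for f in FACTORS), 2)


def zone(scores: dict) -> str:
    """Map factor scores to a zone: critical floor first, then W thresholds."""
    w = weighted_total(scores)          # also validates the input
    for name, floor in CRITICAL_FLOOR.items():
        if scores[name] <= floor:
            return "red"
    if w >= GREEN_MIN:
        return "green"
    if w >= AMBER_MIN:
        return "amber"
    return "red"


def assess(vendor: str, scores: dict) -> dict:
    """Produce the record a TPRM register would keep for one screening."""
    z = zone(scores)
    return {"vendor": vendor, "W": weighted_total(scores), "zone": z, "decision": DECISIONS[z]}


if __name__ == "__main__":
    # Constructed sample: a PSP with mature security but thin jurisdiction evidence.
    sample = {"security": 5, "privacy": 4, "compliance": 4, "resilience": 4,
              "finance": 3, "jurisdiction": 2, "incident_history": 4, "tech_maturity": 3}
    print(assess("sample-psp", sample))
```

The floor rule is the part worth keeping even if the weights change: without it, a vendor with a sanctioned owner and perfect scores elsewhere lands in green.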

6) Due diligence (what to require at the entrance)

Artifacts/controls (minimum for Tier 1-2):
  • Security/privacy policies, RoPA, sub-processor registry.
  • Audit reports/certification (ISO 27001/SOC 2 type II/PCI if applicable), latest penetration tests.
  • BCP/DR and test results, RPO/RTO.
  • Incident procedures (72-hour notifications), incident log for 12-24 months.
  • DPA/cross-border mechanism (SCCs/IDTA) + DTIA, data/key localization.
  • Integration security: mTLS/OIDC, signed webhooks, key rotation, allow-list IP.
  • Access/export logs, WORM copies, hash chains.
  • Retention and deletion policy, confirmation of the destruction of backups during offboarding.
  • Financial stability (public reporting/certificates), ownership structure (sanctions/PEP checks).
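The integration-security line above (signed webhooks, key rotation) is what a receiver has to verify on every delivery. The following is an added example, not GambleHub's or any vendor's code: an HMAC-SHA256 webhook signature that binds a timestamp and a key id, so that stale deliveries are rejected and old and new keys can overlap during rotation. The header layout (`t=<unix ts>,kid=<key id>,v1=<hex>`), the signing input and the 5-minute freshness window are assumptions for this example.

```python
"""Signed-webhook verification with key rotation and replay window.

Added example, not GambleHub's implementation. Header format, signing input
and MAX_SKEW_SECONDS are assumptions.
"""
import hashlib
import hmac
import time
from typing import Optional

MAX_SKEW_SECONDS = 300  # assumed replay window


def _signing_input(ts: int, kid: str, body: bytes) -> bytes:
    # Timestamp and key id are covered by the MAC, so a valid signature
    # cannot be replayed at another time or re-attributed to another key.
    return f"{ts}.{kid}.".encode() + body


def sign(kid: str, secret: bytes, body: bytes, ts: int) -> str:
    """Vendor side: build the signature header for one delivery."""
    mac = hmac.new(secret, _signing_input(ts, kid, body), hashlib.sha256).hexdigest()
    return f"t={ts},kid={kid},v1={mac}"


def parse_header(header: str) -> dict:
    """Split 't=..,kid=..,v1=..' into a dict; raises ValueError on malformed input."""
    parts = {}
    for item in header.split(","):
        if "=" not in item:
            raise ValueError("malformed signature header")
        k, v = item.split("=", 1)
        parts[k.strip()] = v.strip()
    return parts


def verify(header: str, body: bytes, keyring: dict, now: Optional[int] = None) -> bool:
    """Receiver side.

    keyring maps active key ids to secrets. During rotation both the old and
    the new id are present; once rotation is complete the old id is removed and
    anything still signed with it is refused.
    """
    now = int(time.time()) if now is None else now
    try:
        p = parse_header(header)
        ts = int(p["t"])
        kid, given = p["kid"], p["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                       # stale or future-dated delivery
    secret = keyring.get(kid)
    if secret is None:
        return False                       # unknown or retired key
    expected = hmac.new(secret, _signing_input(ts, kid, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)   # constant-time comparison


if __name__ == "__main__":
    # Constructed sample delivery.
    keyring = {"k2024": b"old-shared-secret", "k2025": b"new-shared-secret"}
    body = b'{"event":"payout.settled","amount":100}'
    ts = 1_700_000_000
    hdr = sign("k2025", keyring["k2025"], body, ts)
    print(hdr, verify(hdr, body, keyring, now=ts + 5))
```

Reject-by-default is the point: a missing `kid`, an unparsable timestamp, or a secret that has been rotated out all return False rather than falling back to an unsigned path.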

Light questionnaire for Tier 2-3: SIG Lite/CAIQ-level (20-60 questions).

7) Contractual requirements (key points)

SLA/SLO: uptime (e.g. 99.9%), P95 latency, incident response time, service credits.
Security/Privacy addendum: encryption at rest/in transit, keys/geo, logging, masking, data recycling prohibition.
DPA + sub-processors: duty to notify chain extension; right of objection/audit.
Incident & Notification: notification window ≤ 72 hours; access to logs/artifacts; joint war-room.
BCP/DR: mandatory tests N times a year, RPO/RTO.
Pen-test/Audit rights: at least once a year (remote/onsite), access to reports.
Change control: notification of major changes (SDK/API/architecture/geography).
Termination & Exit: data export (formats), delete/return, escrow for critical integrations, X-day migration support.
Liability/Indemnity: cap/sub-limits, IP guarantees, penalties for SLA violations/leaks.

8) Onboarding → Monitoring → Offboarding

8.1 Onboarding

1. Business case and owner → tiering → questionnaire/artifacts.
2. Risk review (Security/Privacy/Compliance/Legal/Finance).
3. Controls before Go-Live: segmentation (VPC/tenant), loads/limits, masking/tokenization, feature-flags, test sandbox.
4. Contract/integration → pilot → Go/No-Go.

8.2 Continuous Monitoring

Technical monitoring: uptime, errors, latency, risk budget.
Security: SIEM alerts (abnormal exports/access without 'purpose'), vendor reports, SDK vulnerabilities.
Privacy/compliance: changes in subprocessors, locations, retention; DSAR compatibility.
Finance: KPI by conversions/refund/chargeback, SLA penalties.
Quarterly review for Tier 1-2 and annual re-due-diligence.

8.3 Offboarding

Revocation of keys/accesses, destruction/return of data and backups, acts, closure of tickets, updating registers and data maps.

9) Partner audit procedures

9.1 Plan and scope

Focus: access management, encryption/keys, logs, incidents, BCP/DR, DSAR processes, sub-processors.

9.2 Methods

Interviews, document/log review, spot checks, technical tests (API rate limits/mTLS/signatures), tabletop exercise.

9.3 Report and CAPA

Classification of findings (Critical/High/Medium/Low), remediation timing, closure control and retest.

10) Incidents at the vendor: playbook

1. Detection: vendor/our monitoring/community signal.
2. War-room: owners + Security + DPO + Legal + Product.
3. Containment: limiting traffic/disabling SDK/keys, time limits/canary pools.
4. Forensics: call log, webhook signatures, WORM confirmations, range of affected records.
5. Notifications: regulators/users/banks (if necessary), joint texts.
6. CAPAs: fixes, deadlines, effectiveness checks; revision of scoring and contract terms.

11) RACI (summary)

Activity | Business Owner | Security | DPO/Privacy | Compliance/Legal | Finance | SRE/Data | Procurement
Tiering/Business Case | A/R | C | C | C | C | C | C
Due diligence | R | A/R | A/R | A/R | C | C | C
Contracts (SLA/DPA/Addenda) | C | C | C | A/R | A/R | I | R
Integration/segmentation | C | A/R | C | C | I | R | I
Monitoring/auditing | R | A/R | A/R | A/R | C | R | I
Incidents/CAPA | C | A/R | A/R | A/R | C | R | I
Offboarding/export/delete | R | A/R | A | A | C | R | I

12) Metrics (KPI/KRI)

Coverage: % of active vendors in the registry with an up-to-date score: 100%.
Assessment TTM: median due diligence for Tier 1 ≤ 15 working days.
Remediation SLA: critical findings closed ≤ 30 days (≥ 95%).
Incident Notification: proportion of notifications within the 72 h window: 100%.
DPA/SCCs/DTIA Coverage: for Tier 1-2: 100% current.
Concentration Risk: share of traffic/revenue per single PSP/provider ≤ X% (threshold).
BCP/DR Evidence: % of Tier 1 with a confirmed test in the last 12 months: 100%.
Export Logging: 100% of exports are signed and logged.
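The "signed and logged" export KRI, and the WORM/hash-chain items in sections 6 and 13.3, rest on a log whose records cannot be silently edited or dropped. Below is an added example, not GambleHub's implementation: an append-only export log where each record carries the previous record's hash (the chain) and an HMAC over its own hash (the signature), plus a verifier that reports the first record at which the chain breaks. The record fields and the chain construction are assumptions for this example; the "purpose is mandatory" rule mirrors the need-to-know clause in the addendum.

```python
"""Hash-chained, signed export log with a verifier.

Added example, not GambleHub's code. Record layout, GENESIS value and the
verification routine are assumptions for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash of the first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ExportLog:
    """Append-only log of data exports; every record is chained and signed."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.records = []

    def append(self, actor: str, dataset: str, rows: int, purpose: str) -> dict:
        """Record one export. An export with no stated purpose is refused."""
        if not purpose.strip():
            raise ValueError("export refused: purpose is required")
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "actor": actor, "dataset": dataset,
                "rows": rows, "purpose": purpose, "prev": prev}
        body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        body["sig"] = hmac.new(self._key, body["hash"].encode(), hashlib.sha256).hexdigest()
        self.records.append(body)
        return body


def verify_chain(records: list, signing_key: bytes):
    """Return (True, None) if intact, else (False, index of the first bad record).

    Catches edited fields (hash mismatch), removed or reordered records
    (seq/prev mismatch) and records signed with a different key (sig mismatch).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if rec.get("seq") != i or body.get("prev") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != rec.get("hash"):
            return False, i
        expected = hmac.new(signing_key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("sig", "")):
            return False, i
        prev = rec["hash"]
    return True, None


if __name__ == "__main__":
    # Constructed sample: three exports by a vendor integration.
    log = ExportLog(b"log-signing-key")
    log.append("psp-reconciliation", "payouts", 1200, "daily settlement")
    log.append("bi-sync", "players_masked", 50000, "retention dashboard")
    log.append("dsar-bot", "player:12345", 1, "DSAR #2024-0042")
    print(verify_chain(log.records, b"log-signing-key"))
```

One caveat the verifier cannot cover on its own: dropping records from the tail leaves a chain that still validates. That is what the WORM copy and the periodic audit in the addendum are for; anchoring the latest hash outside the vendor's control (an external timestamp or the customer's own copy) turns tail truncation into a detectable event too.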

13) Templates and fragments

13.1 Mini-questionnaire (Tier 1-2, excerpt)

Certification/audits (ISO/SOC2/PCI), expiry date.
Data architecture: geo, sub-processors, keys/KMS, encryption.
Incidents within 24 months (type/date/measures).
Accesses and journals (RBAC/ABAC, break-glass, JIT, WORM).
BCP/DR (test dates, RPO/RTO).
DSAR/retention, RoPA, CMP/SDK.
API technical control: mTLS/OIDC, signature of webhooks, key rotation, rate-limit.

13.2 SLAs (fragment)

Indicator | Target | Measurement | Credit
Uptime (monthly) | 99.9% | external monitoring | 5-10% of fee
Critical incident: response | ≤ 15 min | war-room protocol | fixed amount
Remediation (High) | ≤ 30 days | CAPA report | fixed amount

13.3 Security & Privacy Addendum

"Prohibition of data recycling; access strictly by Need-to-Know; Export to approved registers only"

"Fixed logs (WORM) with hash signature; audit on request once a year"

"Sub-processor replacement: ≥ 30-day notification, right of objection, alternative plan."

"DTIA for any cross-border transfer outside adequate jurisdictions; keys held in the EU/UK (per agreement)"

14) Checklists

Before Go-Live with Vendor

  • Owner assigned, tier defined
  • Questionnaire/artifacts received and verified
  • DPA/SLA/addenda signed, sub-processors declared
  • Segmentation/limits/masking enabled, keys separate
  • Sandbox and incident tabletop test passed
  • Exit/migration plan and escrow formalized

Quarterly (Tier 1-2)

  • SLA/Incident/SDK Vulnerability Monitoring
  • Updating Certificates/Reports, Sub-Processor Registry
  • DR/BCP validated
  • Financial screening (stability), sanctions checks
  • Review of concentration risks and alternatives

Offboarding

  • Keys/accesses revoked
  • Data export complete, delete/backup confirmation
  • Closure certificates signed, Data Map/registers updated

15) Typical scenarios and measures

A) Vulnerability in Marketing SDK

Immediate shutdown, PII collection block, DPO/regulators notification if necessary, vendor CAPA, retest.

B) PSP degrades over SLA

Auto-routing traffic to the backup PSP, lowering limits, activating service credits, revising the contract/exit plan.

C) Leak from KYC provider

Integration isolation, token revocation, mapping of affected records, notifications, manual KYC high-risk, vendor audit, possible replacement.

16) TPRM Implementation Roadmap

Weeks 1-2: inventory of vendors, Data Map, tiering, basic questionnaire and registry.
Weeks 3-4: SLA/DPA/addendum templates, onboarding/monitoring/offboarding process, SIEM/CMDB/IdP integration.
Month 2: Tier 1-2 pilot, launch of quarterly reviews, automation of certificate/deadline checks.
Month 3 +: scaling, scoring/dashboards, BCP/DR stress tests, concentration risk optimization and alternative routes.

TL;DR

Strong TPRM = full vendor map → tiering and scoring → hard contracts (SLA/DPA/BCP/DTIA) → segmentation and secure integrations → continuous monitoring and auditing → rapid exit/remediation. This protects money, data and licenses - and keeps the business resilient even when partners crash.
