# Certifications & Jurisdictions

**Last updated 2026-04-12** · `compliance@apogeetech.net`

This is an honest snapshot of Apogee Studios' current certification
and jurisdictional status. We believe transparency beats marketing.
Nothing below is aspirational — if it's listed as "pending" it means
exactly that. If it's listed as "in scope" it means we're ready for
audit but haven't been audited yet.

## RNG certifications

| Body | Standard | Game(s) | Status | Cert ref |
|---|---|---|---|---|
| **GLI** (Gaming Labs International) | GLI-19 (v3.0) | Skyward, Contrail, Apogee Hot 5 | **In scope** — math packaged for submission 2026-Q2 | — |
| **iTech Labs** | RNG + RTP verification | Apogee Hot 5 | **Requested** — engagement signed, testing Q3 | — |
| **eCOGRA** | Fair-gaming seal | All | **Roadmap** Q4 2026 | — |
| **BMM Testlabs** | ISO/IEC 17025 | Skyward | **Roadmap** 2027 | — |

**What "in scope" means.** Our math and source code are ready for
independent inspection right now. The RNG is `crypto.getRandomValues`
(a CSPRNG); the crash formula is deterministic and open-source
(`docs/PROVABLY-FAIR.md` has the full derivation); each round's server
seed is committed to before bets are accepted and revealed afterwards,
so players can check that the outcome was fixed in advance; the house
edge is built into the formula and applied server-side; and the audit
log is append-only in Firestore. We haven't paid for a cert yet
because we're pre-launch: certs are expensive, and operators in
early-stage B2B licensing don't always require them up-front.

**What this means for you as an operator.** If you hold a licence in
MGA, UKGC, Isle of Man, Gibraltar, Ontario, or any jurisdiction that
mandates a GLI-19 or equivalent cert on every game, **you cannot
legally deploy Apogee games live yet**. You can integrate, test in
sandbox, run your own UAT, and be first in line once certs land. Some
operators are fine to launch provisionally in Curaçao, Anjouan,
Kahnawake, or SRIJ (Portugal B2C via operator's own cert) while the
formal cert clears — talk to us.

## Jurisdictional coverage

### Operator licensing model

Apogee Studios is currently a **B2B content provider**. Operators are
responsible for their own gaming licence in their own market. Apogee
does not hold an operator licence anywhere. This matches the operating
model of the biggest content aggregators — they don't hold the licences,
the operators who embed them do.

### Where operators currently run Apogee games

| Jurisdiction | Regulator | Status | Operators | Notes |
|---|---|---|---|---|
| Ethiopia | National Lottery | Live | edil.bet | Since 2026-04 |
| Zambia | Ministry of Finance | Sandbox testing | Zambiabetting | Integration in progress |
| Curaçao | GCB | **Approved content provider** | Pending |  |
| Anjouan | Anjouan Licensing | Supported |  |  |
| Kahnawake | KGC | Supported |  |  |

### Where operators can NOT yet run Apogee games live

| Jurisdiction | Regulator | Blocker | Earliest |
|---|---|---|---|
| Malta | MGA | GLI-19 cert required per game | 2026-Q3 |
| UK | UKGC | Independent RNG cert + responsible-gambling features audit | 2026-Q4 |
| Ontario | iGO / AGCO | Ontario-specific cert (GLI + AGCO registration) | 2027-Q1 |
| Germany | GGL (GlüStV 2021) | €1 stake cap + specific RG features + whitelist | 2026-Q4 for full cert (Apogee Hot 5 already ships a DE mode, `SLOTS_DE_MODE=true`) |
| Isle of Man | GSC | GLI-19 + IM-specific audit | 2026-Q4 |
| Spain | DGOJ | Spanish-specific RNG cert | 2027 |
| France | ANJ | Not supported (ANJ bans crash games) | Never |
| US (any state) | State regulator | Full state-by-state cert, usually GLI-19 | Not planned |

## Responsibility split (operator vs Apogee)

The single most common onboarding question. Here's the honest answer:

| Area | Operator | Apogee |
|---|---|---|
| Player KYC / AML | ✅ 100% yours | ❌ we never see your players' PII |
| Player self-exclusion enforcement | ✅ you trigger via `POST /v1/players/:id/terminate` | 🟡 we terminate the active session when you call it |
| Player deposit / withdrawal | ✅ your wallet, your ledger | ❌ we never move fiat |
| Responsible-gambling limits (loss / time / session) | ✅ your rule engine | 🟡 we expose them in the UI if you pass them in session metadata |
| Geo-IP blocking (jurisdiction allow/deny) | ✅ you decide which players can launch | ❌ we run anywhere |
| Tax reporting (GGR to your regulator) | ✅ you report | 🟡 we provide per-merchant billing exports |
| Game RNG integrity | ❌ not your responsibility | ✅ we prove it via `docs/PROVABLY-FAIR.md` + `GET /v1/fair/verify` |
| Game RTP enforcement | ❌ not yours | ✅ server-side, per-merchant configurable |
| Bet audit trail | ✅ you retain indefinitely, per your licence | 🟡 we keep 90 days in the `transactions/{txId}` collection, exportable via the admin panel |
| Payout settlement | ✅ your wallet, your ledger | 🟡 we call your wallet URL with signed settlement requests; your ledger is authoritative |
| Jackpot / bonus funding | ✅ your money | 🟡 we track + enforce caps (see docs/BONUSES.md when it ships) |
| Incident disclosure to regulator | ✅ you escalate per your licence | ✅ we disclose to you within the SLA windows |

## Security posture

| Control | Status |
|---|---|
| HMAC-SHA256 signed requests with nonce + timestamp replay protection | ✅ enforced |
| TLS 1.2+ only, HSTS, no mixed content | ✅ enforced, graded A+ by SSL Labs |
| Per-session rate limiting (10/s burst, 5/s sustained) | ✅ enforced |
| Operator wallet URL HMAC signing (Apogee → operator) | ✅ enforced, same algo as inbound |
| Firestore write-once audit log (`transactions/{txId}`) | ✅ 90d retention, export on request |
| Cryptographic commit-reveal for every crash round | ✅ per-round seed commitment, epoch chains for Contrail |
| Secrets in Google Secret Manager (not env vars) | ✅ for production merchant keys |
| PCI-DSS | ❌ **not required** — we never handle card data |
| SOC 2 Type 2 | **In scope** — audit engagement 2026-Q3 |
| ISO 27001 | **Roadmap** 2027 |
| GDPR data processing agreement | ✅ available on request |

## Supplier and sub-processor list

| Vendor | Role | Location |
|---|---|---|
| Google Cloud Platform | Compute, Firestore, load balancing | EU (europe-west1) primary, multi-region backup |
| Cloudflare | DNS, CDN, WAF | Global |
| MailerSend | Transactional email (billing, incident notifications) | EU |
| Stripe | Merchant fee collection | Global |
| Statuspage.io | Public incident status | Global |

The full DPA (Data Processing Agreement) and sub-processor list will be
published at `https://apogeetech.net/legal/dpa.pdf`; until formal
release it is available on request.

## Questions operators ask before onboarding

**Q: Are your games GLI-certified?**
A: In scope for Q2 2026. If you can launch provisionally in
Curaçao/Anjouan while the cert clears, yes. If you need GLI-19 on
paper before you can even sandbox us, no — wait ~3 months.

**Q: Can we use Apogee games in the UK?**
A: Not yet live — UKGC cert is in roadmap Q4 2026. You can
sandbox-test today.

**Q: Who owns the player data?**
A: You. We never see KYC, deposit, withdrawal, email, phone, or real
name. We see a pseudonymous `playerId` that you choose.

**Q: Can we export our session + transaction data?**
A: Yes. CSV export via admin panel, or programmatic via
`GET /v1/rounds?merchantId=...&from=...&to=...` (see
`docs/openapi.yaml`).

**Q: What happens if Apogee goes down?**
A: See `docs/SLA.md`. Service credits auto-apply.

**Q: What's your RTO / RPO?**
A: RTO ≤ 4 hours for Sev-1, RPO ≤ 5 minutes. Geo-redundant backups
across 3 continents.

**Q: Where's the audit trail for a specific round?**
A: Admin → Reports → Search by txId. Regulator-friendly CSV export
with operator response bodies, latencies, fingerprints, and
cryptographic seed reveals.

---

**If you're an operator** with a specific jurisdictional question
that isn't answered here, email `compliance@apogeetech.net`. We'd
rather give you a straight "we can't serve you until Q3" than string
you along.
