Continuous · Cryptographically provable · Operator-only

The compliance posture engine for licensed iGaming operators.

KURAL evaluates your stack against 184 controls across 33 jurisdictions — continuously, with cryptographically-provable evidence — so the next regulator letter finds you ready, not scrambling.

Connectors live today: EveryMatrix · SoftSwiss · OpenBet · Playtech IMS · Sumsub · Veriff · Jumio · GBG · ComplyAdvantage · Featurespace · Zendesk · SharePoint · BambooHR · AWS · GitHub

The £17M problem

You have the evidence. It just doesn't surface in time.

Entain paid UKGC £17M in 2023 — not for missing data, but for missing surfacing. Same pattern across the top 30 UKGC + MGA enforcement actions since 2022. The data lives in your PAM, KYC vendor, AML monitor, helpdesk and doc store. The problem is continuous monitoring with regulator-ready provenance.

£105M+
UKGC fines 2023-25 across 17 operators
3-7%
of GGR spent on compliance — and still failing
6 weeks
avg compliance-team time per regulator audit pack
9 days
on KURAL — same pack, same evidence, no scramble
How it works

Four moves, ~15 minutes to first finding.

01 Connect

Read-only API keys for your PAM, KYC vendor, AML monitor, helpdesk and doc store. AWS via OIDC, GitHub via App. Never any inbound port into your network. Never a write-path.

02 Discover

Auto-scan against your declared jurisdictions and product types. KURAL figures out which of the 184 controls apply, who in your team owns each one, and what evidence to look for.

03 Monitor

Continuous evaluation — every minute for critical controls, daily for the rest. Findings hit the right team member with a due date and an AI-drafted 3-step remediation plan.

04 Prove

One-click audit pack per regulator. Time-boxed auditor portal for eCOGRA / GLI / BMM. Every piece of evidence Merkle-hashed and anchored to AWS Object Lock — tamper-evident for 7 years.

The platform

Detect. Investigate. Operate. Prove.

Not a checklist. An end-to-end compliance operating system. Every feature ships in v1 — no waitlists, no premium tiers, no "contact sales" for the table-stakes.

Detect

Catch the gap before the regulator does.

184 jurisdiction-encoded controls

LCCP, RTS, MGA Player Protection Directive, AGCO Standards, BR-SPA, GlüStV, DGOJ, Spelinspektionen, KSA, ADM, ONJN — plus SOC 2 CC1-CC9 dogfood + cross-jurisdiction sportsbook baseline. Each control is a YAML fact with regulator citation, source URL, severity, cadence and evidence spec.

Continuous evaluation engine

Critical + hourly controls evaluated every 60 seconds. Daily, weekly, monthly cadences batched. Worker writes evaluations + findings + Merkle proofs into the evidence ledger. Health-checkpointed and self-reporting on the public status page.

Regulator-source watcher

Nightly midnight scan of every source-URL on every control. Body-hash diff → InboxNotification + Slack/Teams ping to the role-relevant owner. You hear about a UKGC RTS amendment within 12 hours of publication.

Investigate

Drill into any finding without losing the audit trail.

Evidence drill-down + Merkle proof

Every finding links to the underlying evidence ledger entries. Click to see the raw connector payload, the Merkle root, the chain hash. Prove a single field to a regulator (player_id, marker_score, timestamp) without exposing the rest of the record.

AI remediation suggestions

Every finding gets a structured 3-step action plan with effort estimate, recommended owner role, deadline, and links to the regulator's published text. Rule-based today; the same I/O contract supports a swap-in to your LLM provider tomorrow.

Anonymised peer benchmarks

P25 / P50 / P75 cohort bands per jurisdiction and per control category. "You're in the bottom quartile on MGA Player Protection." k-anonymity threshold of 3 — no operator ever re-identifiable. Privacy guarantee by design.

Operate

Make compliance a workflow, not an annual scramble.

Team + task assignment

Every finding gets routed to the role-relevant owner — MLRO for AML, RG-officer for player protection, DPO for data, KYC-lead for identity. Due-dates auto-set from severity. Assignees see findings in their own inbox with priority and progress.

Audit calendar + contacts

Schedule regulatory audits, internal reviews, regulator visits, pen-tests, renewal deadlines, filings. Link external contacts (BDO Malta auditors, Harris Hagan counsel, regulator liaisons). Drag-and-drop reschedule, click-to-edit. Owners get inbox + Slack pings 90 days out.

Slack + Microsoft Teams + Inbox

Three notification rails. High/critical findings fan out to Slack/Teams via webhooks (you generate, you own). Per-user in-app inbox with unread counts + read-states for individual ownership. Severity floors per destination.

Prove

Hand the auditor the proof in 9 days, not 9 weeks.

One-click audit packs

Regulator-flavoured PDF per jurisdiction: MGA System Audit, UKGC Annual Assurance Statement + RTS Annex A, AGCO Self-Assessment, BR-SPA Compliance Pack. Executive summary, per-control register, findings appendix, evidence-integrity statement, Merkle-root attestation.

Time-boxed auditor portal

Invite eCOGRA / GLI / BMM to a watermarked, audit-logged, scope-checked workspace. They see the controls + evidence you authorised, nothing else. Every access logged for your operator audit trail. Revoke anytime. Auditors love it; saves them prep time too.

Transparency anchors

Every 24h, the evidence-ledger chain head is anchored to AWS S3 with COMPLIANCE-mode Object Lock — physically immutable for 7 years. Even an attacker with database admin cannot rewrite history without leaving a cryptographic divergence visible at the next anchor check.

Coverage

33 jurisdictions live. More every month.

Deep tier = high-frequency-audited control coverage. Stub tier = structural coverage you can attest against until depth ships. Each control is a YAML fact in our open-architecture library — inspect or fork on request.

Region | Deep coverage | Medium / Stub | Forthcoming
EU + UK | UKGC · MGA · GlüStV · DGOJ · Spelinspektionen · KSA · ADM | DK · RO · GR | BE · FR · IE · CZ
Americas | NJ DGE · AGCO Ontario · BR SPA · PA PGCB · NV NGCB · MI MGCB | CO · MX · AR (PBA/CABA/Mendoza) · PE | NY · IL · CL (forthcoming)
Asia + Oceania | PAGCOR · Singapore GRA | Australia NT | JP IR · KR
Africa + Global | ZA NGB · Curaçao CGB · Sportsbook baseline · SOC 2 CC1-CC9 | Kenya · Nigeria · NZ
Trust posture

Built for procurement teams that read the architecture.

🔒 Read-only forever

Architectural commitment, not a setting. There is no write path into any operator system anywhere in the codebase. Cannot modify a self-exclusion, cannot change a limit, cannot trigger a payment. Observer-only by construction.

🇪🇺 EU data residency

AWS eu-west-2 (London) primary, eu-west-1 (Ireland) read-only standby. No US LLM inference traffic. Single-tenant deployment option available for Tier-1 procurement requirements.

🛡️ Cryptographic evidence ledger

Every evidence record carries a per-entry Merkle root plus a chain hash linking to the previous record. Tamper detection happens at every read. Object-Lock anchors prove the chain state at every 24h checkpoint.
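The per-entry Merkle root, chain hash, single-field proof and anchor check described above, as an added Python sketch; it is not KURAL's code. SHA-256, the JSON leaf encoding, the per-field salts, the genesis value and every function name are assumptions made for illustration.

```python
import hashlib, json, os
GENESIS = b"\x00" * 32  # assumed chain start value
SAMPLE = {"player_id": "P-1001", "marker_score": 7, "timestamp": "2025-01-01T00:00:00Z"}  # constructed

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(name, value, salt):
    # 0x00/0x01 separate leaves from interior nodes; salt (assumed) hides low-entropy siblings.
    return h(b"\x00", salt, json.dumps([name, value]).encode())

def build(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h(b"\x01", cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        levels.append(nxt + cur[len(cur) - len(cur) % 2:])  # odd node promoted unchanged
    return levels

def entry_levels(record, salts):
    return build([leaf(n, record[n], salts[n]) for n in sorted(record)])

def append(ledger, record):
    salts = {n: os.urandom(16) for n in record}
    root = entry_levels(record, salts)[-1][0]
    prev = ledger[-1]["chain"] if ledger else GENESIS
    ledger.append({"record": record, "salts": salts, "root": root, "chain": h(prev, root)})

def prove_field(entry, name):
    levels = entry_levels(entry["record"], entry["salts"])
    idx, path = sorted(entry["record"]).index(name), []
    for cur in levels[:-1]:
        if (idx ^ 1) < len(cur):
            path.append((cur[idx ^ 1], (idx ^ 1) < idx))  # (sibling, sibling_is_left)
        idx //= 2
    return path

def verify_field(name, value, salt, path, root):
    node = leaf(name, value, salt)
    for sib, sib_is_left in path:
        node = h(b"\x01", sib, node) if sib_is_left else h(b"\x01", node, sib)
    return node == root

def verify_chain(ledger, anchored_head):
    prev = GENESIS
    for i, e in enumerate(ledger):
        recomputed = entry_levels(e["record"], e["salts"])[-1][0]
        if recomputed != e["root"] or h(prev, e["root"]) != e["chain"]:
            return f"entry {i} altered"
        prev = e["chain"]
    return "ok" if prev == anchored_head else "head diverges from anchor"
```

A verifier given one field, its salt, the path and the root learns nothing about the other fields beyond their salted hashes. A rewrite that recomputes every root and chain hash passes the internal walk and is caught only by comparing the head with the externally anchored value.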

📜 Certifications roadmap

Cyber Essentials Plus (Q4 2026). SOC 2 Type I (Q4 2026). SOC 2 Type II (2027). ISO 27001 (2028). DPA + MSA templates ready for your legal review today.

📋 Subprocessors

AWS EMEA (hosting), GitHub (source code), Let's Encrypt (TLS). 30 days' notice before any addition.

🔍 Open architecture

Control library is CC BY-SA 4.0. Connector code inspectable on request. We don't hide what we run on your data. The cryptographic primitives are standard library — auditable by any competent engineer.

🚨 Responsible disclosure

Bug bounty-style safe-harbour for security researchers. SLA: 2 business days acknowledgement, 14d critical fix.

📡 Public status page

status.kural.tech — live uptime across API, worker, transparency-anchor, source-watcher and TLS-certs components. 99.5% rolling-30-day SLA target for paid pilots.

🤝 Operator-only commitment

We don't sell to gambling regulators. Your data never goes to a regulator without your explicit per-control, per-occurrence consent. Operator trust is the only moat that matters.

Why "KURAL"

An ethical canon, codified for the cloud era.

Kural is the Tamil word for an ethical couplet — specifically the Tirukkural, a 1,330-verse text on right conduct composed around 30 BCE by the Tamil sage Valluvar. It is one of the oldest published codes of ethical practice in human history.

Kural is also the modern Turkish word for rule — coined in 1934 during Atatürk's language reform.

Two civilisations, two thousand years apart, converged on the same idea: publish your code of conduct, prove your adherence.

That's our category. The Tirukkural codified moral conduct two millennia before SOC 2 existed. We brought the operational engine into the cloud.

அறத்தான் வருவதே இன்பம் மற் றெல்லாம்
புறத்த புகழும் இல
“True joy comes from righteous conduct; all else lacks praise.”
— Tirukkural, Verse 39
90-day paid pilot

€15-25k. Refundable in full if you don't see value at day 60.

One jurisdiction, one brand, ~30 controls live in week 1, audit-pack PDF in week 12. Founder-led delivery. Read-only access to your stack, never a write path, never a regulator handoff without your consent.