How to choose a platform and provider: RFI/RFP checklist
1) Approach: selection funnel
1. RFI (2-3 weeks): short survey of 10-15 vendors → short list 3-5.
2. RFP (4-6 weeks): detailed specification, demo, PoC, legal and finance.
3. BAFO/Negotiation (1-2 weeks): Best And Final Offer → winner selection.
4. Due Diligence (1-2 weeks): reference check, security audit, contract final.
2) Mandatory criteria (go/no-go)
Jurisdictions and licenses: launch countries + expansion plans.
Game content: studios/aggregators, local top titles, live tables.
Payments: PSPs per market and payment method (card, A2A, vouchers, local).
Security/compliance: ISO 27001/GDPR/PCI DSS (if card data is handled), audit trails.
Data export: raw events in near real time (S3/Kafka), schema, retention.
SLA/SLO: uptime ≥ 99.9%, separate SLOs for deposit and login, DR plan, RPO/RTO.
Cost and model: transparent RevShare/fixed fee, customization pricing, TCO predictability.
Exit clause: migration timeline and data format, transition assistance.
3) RFI: short form (question template)
About the company
Launch year/iGaming customers by region; current certifications.
Market coverage (licenses/certifications) and plans for the next 12-24 months.
Product and stack
Wallet (double-entry? holds? multi-wallet? currencies/FX?), responsible play limits.
Games/aggregators: list, conditions, exclusives, time-to-enable.
Payments/KYC/AML providers; average success rate by country.
Observability: customer access to metrics/logs/traces.
CRM integrations/affiliates, tournaments/missions, anti-fraud/bot manager.
Security
Threat model, WAF/DDoS protection, TLS 1.3, HSTS, key management/rotation.
Access control and audit (RBAC/MFA), change log, WORM storage for audit logs.
Commerce/Conditions
Pricing model (RevShare/fix/hybrid), minimum commits, customizations roadmap.
SLA/SLO/downtime credits; exit and migration.
4) RFP: extended questionnaire (fragments)
4.1 Architecture and operation
Component diagram (edge/CDN/WAF → API → wallet/payments → games/providers), brand isolation.
Autoscaling, connection limits to DB/PSP, backpressure.
DR-scheme: RPO/RTO, recovery tests (frequency), results of recent exercises.
4.2 Wallet and finance
Sub-wallets: CASH/BONUS/WAGER/FS/POINTS; idempotency keyed by 'operation_id' (a replay must return the original result, never apply twice).
Holds/reserves, partial settlement, refunds; FX and rounding (integer minor units, round once at the end).
Reconciliation with PSPs and game providers (frequency/format).
Transaction reversals (compensating entries, never edits to the journal) and audit trail.
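To make the questions in 4.2 concrete, the following toy double-entry wallet shows what a PoC should assert: replaying an 'operation_id' is a no-op that returns the stored result, a hold reserves funds without moving them and can be partially settled, a reversal posts a compensating entry rather than editing history, and FX conversion rounds once on integer minor units. This is an added illustration, not any vendor's wallet code; the class, method names and sub-wallet semantics are assumptions chosen for the example.

```python
"""Toy double-entry wallet illustrating the 4.2 checks (added example,
not a vendor implementation; names and semantics are assumptions)."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_EVEN


@dataclass
class Wallet:
    # balances and active holds per sub-wallet, in integer minor units (cents)
    balances: dict = field(default_factory=lambda: {"CASH": 0, "BONUS": 0})
    held: dict = field(default_factory=lambda: {"CASH": 0, "BONUS": 0})
    # operation_id -> stored result; a replay returns this and changes nothing
    applied: dict = field(default_factory=dict)
    # append-only journal of postings: (operation_id, sub_wallet, delta)
    journal: list = field(default_factory=list)

    def available(self, sub="CASH"):
        return self.balances[sub] - self.held[sub]

    def _post(self, op_id, sub, delta):
        self.balances[sub] += delta
        self.journal.append((op_id, sub, delta))

    def credit(self, op_id, sub, amount):
        """Deposit / win: idempotent on op_id."""
        if op_id in self.applied:
            return self.applied[op_id]
        if amount <= 0:
            raise ValueError("amount must be positive minor units")
        self._post(op_id, sub, amount)
        self.applied[op_id] = ("credited", amount)
        return self.applied[op_id]

    def hold(self, op_id, sub, amount):
        """Reserve funds for a bet; nothing is posted until settlement."""
        if op_id in self.applied:
            return self.applied[op_id]
        if amount > self.available(sub):
            raise ValueError("insufficient available balance")
        self.held[sub] += amount
        self.applied[op_id] = ("held", amount)
        return self.applied[op_id]

    def settle(self, op_id, hold_op_id, sub, debit):
        """Partial settlement: debit `debit`, release the rest of the hold."""
        if op_id in self.applied:
            return self.applied[op_id]
        kind, reserved = self.applied.get(hold_op_id, (None, 0))
        if kind != "held":
            raise ValueError("not an open hold")
        if debit > reserved:
            raise ValueError("settlement exceeds reserved amount")
        self.held[sub] -= reserved
        self._post(op_id, sub, -debit)
        self.applied[hold_op_id] = ("settled", reserved)
        self.applied[op_id] = ("settled", debit)
        return self.applied[op_id]

    def reverse(self, op_id, target_op_id):
        """Reverse a posted operation with compensating entries; the journal is never edited."""
        if op_id in self.applied:
            return self.applied[op_id]
        entries = [(s, d) for (o, s, d) in self.journal if o == target_op_id]
        if not entries:
            raise ValueError("nothing posted under that operation_id")
        for sub, delta in entries:
            self._post(op_id, sub, -delta)
        self.applied[op_id] = ("reversed", target_op_id)
        return self.applied[op_id]

    def ledger_consistent(self):
        """Invariant for reconciliation: journal deltas must equal the balances."""
        return sum(d for (_, _, d) in self.journal) == sum(self.balances.values())


def convert_minor(amount_minor, rate, src_exp=2, dst_exp=2):
    """Convert integer minor units between currencies; round once, banker's rounding."""
    major = Decimal(amount_minor).scaleb(-src_exp)
    dst_minor = (major * Decimal(str(rate))).scaleb(dst_exp)
    return int(dst_minor.quantize(Decimal(1), rounding=ROUND_HALF_EVEN))


if __name__ == "__main__":
    w = Wallet()
    w.credit("dep-1", "CASH", 5000)
    w.credit("dep-1", "CASH", 5000)          # replayed deposit: no double credit
    w.hold("bet-1", "CASH", 1000)
    w.settle("settle-1", "bet-1", "CASH", 700)  # lost 7.00, 3.00 released
    print(w.balances, w.available(), w.ledger_consistent())
```

A vendor API that passes this kind of test returns the same response body for a replayed 'operation_id' and exposes the compensating entries in its exports; one that silently "updates" a transaction row will fail the reconciliation check in section 6.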
4.3 Payments and KYC/AML
PSPs by country (methods, 3DS, risk rules, caps/limits), fallback routing.
KYC/AML providers, document verification, sanctions/PEP screening; retention and DPA.
Metrics: deposit success rate, dispute/chargeback rate (anonymized).
4.4 Games and promo
List of studios/aggregators, average TTFS (time to first spin), incident rate.
Tournaments/missions: formulas, tie-breaks, anti-abuse, load.
Jackpots (local/network), reports.
4.5 Data and BI
Real-time event export (Kafka/S3), delivery SLA, schema (catalog).
Access to ClickHouse/BigQuery/Redshift? Canonical definitions of metrics.
PII policy/aliases, anonymization, retention periods.
4.6 Security
Pentest report (last 12 months), findings and remediation status.
Secrets policy (KMS), key/certificate rotation.
WAF rules/bot scoring; IP/ASN management.
4.7 Services and support
On-call 24/7, target SEV-1/2 response time.
Communication channels, incident status templates.
Training/documentation/test/sandbox access.
4.8 Contract and legal
Exit data package (structures, volumes, format, dates).
The right to connect additional PSPs/providers; SLA on integration.
IP/licenses, sub-processors and their responsibilities.
5) Demo scripts and "what to show" list
1. Login/deposit/bet/settlement/withdrawal: end-to-end flow with p95 latencies.
2. Tournament flow: start → scoring → leaderboard → award.
3. PSP failure: automatic fallback routing and the resulting report.
4. Incident: SLO dashboard, alerts, runbook, post-mortem.
5. Data export: how an event reaches S3/Kafka and BI in real time.
6. Admin: promotions, responsible gaming limits, affiliates.
6) PoC (2-4 weeks): inspection plan
Scope: test domain, CDN/WAF, PSP sandbox, 2 game studios.
Pass criteria: p95 login ≤ 300 ms, deposit success (test) ≥ 98%, game TTFS ≤ 800 ms, events exported within T+60 s.
Fault tolerance: simulated PSP/game provider outage, fallback confirmed.
Data: reconciliation of reports (discrepancy < 0.5%).
Security gate: vulnerability scan/pentest, TLS configuration, HSTS header and OCSP stapling check, RBAC verification.
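The PoC pass criteria above are only useful if they are evaluated the same way for every vendor. The script below is an added example (not part of the checklist's own tooling) that turns them into a table-driven gate: nearest-rank p95 so a single slow request cannot be averaged away, deposit success as a plain ratio, reconciliation discrepancy as a relative difference, and a parser for the Strict-Transport-Security header. The measurements in SAMPLE are constructed; in practice they would come from the load-test tool, the export consumer's lag metric, the two settlement reports, and the response headers observed against the test domain. The one-year HSTS max-age floor and the requirement that the negotiated protocol be TLSv1.3 are assumptions drawn from section 3.

```python
"""PoC gate evaluator for section 6 (added example; SAMPLE data is constructed)."""
import math
import re


def p95(samples):
    """Nearest-rank 95th percentile: no interpolation, outliers are not smoothed."""
    if not samples:
        raise ValueError("no samples")
    s = sorted(samples)
    return s[math.ceil(0.95 * len(s)) - 1]


def parse_hsts(value):
    """Return (max_age or None, includeSubDomains present) for an HSTS header value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives


def recon_diff(platform_total, psp_total):
    """Relative discrepancy between the platform's and the PSP's settlement totals."""
    return abs(platform_total - psp_total) / max(abs(psp_total), 1)


# (gate name, measurement -> value, value -> passed); thresholds from the checklist
GATES = [
    ("login_p95_ms", lambda m: p95(m["login_ms"]), lambda v: v <= 300),
    ("deposit_success", lambda m: sum(m["deposits"]) / len(m["deposits"]), lambda v: v >= 0.98),
    ("ttfs_p95_ms", lambda m: p95(m["ttfs_ms"]), lambda v: v <= 800),
    ("export_lag_p95_s", lambda m: p95(m["export_lag_s"]), lambda v: v <= 60),
    ("recon_diff", lambda m: recon_diff(m["platform_total"], m["psp_total"]), lambda v: v < 0.005),
    # assumption: one-year max-age floor and includeSubDomains required
    ("hsts_max_age", lambda m: parse_hsts(m["hsts_header"])[0] or 0, lambda v: v >= 31536000),
    ("hsts_subdomains", lambda m: parse_hsts(m["hsts_header"])[1], lambda v: v),
    ("tls_version", lambda m: m["tls_version"], lambda v: v == "TLSv1.3"),
]

SAMPLE = {  # constructed measurements, not real vendor data
    "login_ms": [150 + 5 * i for i in range(19)] + [310],
    "deposits": [True] * 99 + [False],
    "ttfs_ms": [500, 550, 600, 650, 700, 750, 790],
    "export_lag_s": [12, 20, 35, 41, 58, 44, 30],
    "platform_total": 1_000_000,
    "psp_total": 1_002_500,
    "hsts_header": "max-age=63072000; includeSubDomains; preload",
    "tls_version": "TLSv1.3",
}


def evaluate(measurements):
    """Return {gate: (measured value, passed)} for every gate."""
    results = {}
    for name, get, ok in GATES:
        value = get(measurements)
        results[name] = (value, ok(value))
    return results


def failed_gates(measurements):
    return [name for name, (_, ok) in evaluate(measurements).items() if not ok]


if __name__ == "__main__":
    for name, (value, ok) in evaluate(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name:18} {value}")
    print("failed:", failed_gates(SAMPLE))
```

Keep the thresholds in one place and version the file with the PoC report, so that a vendor cannot later argue that a different percentile or sample window was used for a competitor.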
7) Weight evaluation matrix (example)
Scale 0-5 (0 = absent, 5 = market-leading).
Formula: 'Score = Σ (Weight × (Points/5))', with category weights summing to 1.
8) Red flags
No raw event export, or export delay > 24 h.
Vague SLA/SLO, no DR plan backed by test evidence.
Ban on additional PSPs/providers, or "penalties" for third-party integrations.
Opaque RevShare, hidden "required modules".
Long release/change queue (> 60 days for a simple change).
No recent pentest/certifications; weak secrets policy.
9) Proposal requirements (RFP response format)
Executive summary: how the proposal meets our goals and markets.
Compliance table: "requirement → how it is met → link to section/screen".
SLO/SLA: specific numbers and evidence (screenshots/log snippets).
Pricing: fixed/RevShare/minimum commits/customizations, 3-year TCO forecast (Base/Optimistic/Stress).
Roadmap 12-24 months: features and timing.
Appendices: contracts, DPA, list of sub-processors.
10) Commerce and Negotiation
Tiered RevShare (percentage decreases as turnover thresholds are reached) and "most favored customer" terms.
Cap on customization services and a price list with implementation SLAs.
Service credits for SLO breaches (including deposit/login SLOs).
Exit scenario: data export and migration support at a fixed price.
11) Legal checklists
DPA/Privacy: controller/processor roles, retention periods, cross-border transfers.
IP/licenses: the right to use/modify customizations, source code (if provided).
Regulatory: compliance with local advertising/age/responsible gaming rules.
Taxes/levies: who pays and how it is reflected in reporting.
12) Scoring table (CSV template)
Vendor,Category,Weight,Criterion,Score(0-5),Notes
V1,Product,0.20,Studios coverage,5,"Top EU + LatAm"
V1,Tech,0.20,SLO deposit/login,4,"p95 280ms/99.9%"
V1,Data,0.15,Real-time exports,5,"Kafka T+30s"
V1,Security,0.15,Certifications,4,"ISO27001, PCI SAQ-A"
V1,Cost,0.20,TCO 3y,3,"Higher RevShare"
V1,Support,0.10,24/7 & war-room,4,"15m SEV-1"
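The weighted formula from section 7 and the CSV template above are small enough to evaluate by hand for one vendor, but with several vendors and reviewers it pays to compute them mechanically and to enforce two rules from section 2 that a spreadsheet tends to forget: weights must sum to 1 for every vendor, and a 0 on a mandatory criterion is a no-go regardless of the total. The script below is an added example, not part of the checklist; it embeds the V1 rows from the template plus constructed V2 rows, and the choice of Security and Data as the mandatory categories is an assumption for the illustration.

```python
"""Weighted vendor scoring over the section 12 CSV (added example;
V2 rows and the MANDATORY set are constructed assumptions)."""
import csv
import io

SHEET = """Vendor,Category,Weight,Criterion,Score(0-5),Notes
V1,Product,0.20,Studios coverage,5,"Top EU + LatAm"
V1,Tech,0.20,SLO deposit/login,4,"p95 280ms/99.9%"
V1,Data,0.15,Real-time exports,5,"Kafka T+30s"
V1,Security,0.15,Certifications,4,"ISO27001, PCI SAQ-A"
V1,Cost,0.20,TCO 3y,3,"Higher RevShare"
V1,Support,0.10,24/7 & war-room,4,"15m SEV-1"
V2,Product,0.20,Studios coverage,5,"constructed"
V2,Tech,0.20,SLO deposit/login,5,"constructed"
V2,Data,0.15,Real-time exports,0,"daily batch only (red flag)"
V2,Security,0.15,Certifications,5,"constructed"
V2,Cost,0.20,TCO 3y,5,"constructed"
V2,Support,0.10,24/7 & war-room,5,"constructed"
"""

# Assumption: a score of 0 in these categories fails the go/no-go check of section 2
MANDATORY = {"Security", "Data"}


def load_rows(text):
    """Parse the CSV template into typed rows, rejecting out-of-range scores."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        score = int(r["Score(0-5)"])
        if not 0 <= score <= 5:
            raise ValueError(f"{r['Vendor']}/{r['Criterion']}: score {score} outside 0-5")
        rows.append({
            "vendor": r["Vendor"],
            "category": r["Category"],
            "weight": float(r["Weight"]),
            "criterion": r["Criterion"],
            "score": score,
        })
    return rows


def score_vendors(rows):
    """Score = Σ Weight × (Points/5) per vendor, plus the list of no-go criteria."""
    out = {}
    for r in rows:
        v = out.setdefault(r["vendor"], {"score": 0.0, "weight_sum": 0.0, "no_go": []})
        v["score"] += r["weight"] * r["score"] / 5
        v["weight_sum"] += r["weight"]
        if r["category"] in MANDATORY and r["score"] == 0:
            v["no_go"].append(r["criterion"])
    for name, v in out.items():
        if abs(v["weight_sum"] - 1.0) > 1e-9:
            raise ValueError(f"{name}: weights sum to {v['weight_sum']:.2f}, not 1.00")
        v["score"] = round(v["score"], 4)
    return out


def rank(results):
    """Eligible vendors by descending score; no-go vendors are listed separately."""
    eligible = sorted((n for n, v in results.items() if not v["no_go"]),
                      key=lambda n: -results[n]["score"])
    excluded = [n for n, v in results.items() if v["no_go"]]
    return eligible, excluded


if __name__ == "__main__":
    results = score_vendors(load_rows(SHEET))
    for name, v in results.items():
        print(name, v["score"], "NO-GO: " + ", ".join(v["no_go"]) if v["no_go"] else "")
    print("ranking:", rank(results))
```

In the embedded data V2 has the higher weighted score (0.85 against V1's 0.83) but is excluded, because a daily batch export scores 0 on a mandatory Data criterion; this is exactly the case the red-flag list is meant to catch before the total is even read.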
13) Winner Implementation Plan
Kickoff (Wk 1): RACI, integration calendar, access provisioning.
Tech block (Wk 2-6): domains/CDN/WAF, PSP/KYC, 2-3 game studios, data export.
UAT (Wk 7-8): SLO/load testing, deposit/bet synthetics, DR drill.
Market (Wk 9-10): affiliates/CRM, localization/rules, content.
Go-live (Wk 11-12): canary traffic, war room, post-launch plan.
14) Decision checklist
- Coverage of jurisdictions and content confirmed.
- PSP/KYC per market, with fallback.
- Documented evidence of SLO/SLA/DR and 24/7 on-call.
- Raw event export within T+60 s, schema approved.
- 3-year TCO in three scenarios + NGR sensitivity.
- Contract clauses: service credits, cap on customization, exit package.
- PoC and demo scenarios passed, report discrepancy < 0.5%.
- Reference calls with 2-3 customers in our regions.
Summary
A strong selection is not "two presentations and a price" but a formalized process: a short RFI, a detailed RFP with a PoC, a weighted evaluation matrix, verification of SLOs/DR/data exports, and "hard" contract clauses (cost, support, exit). Following the checklists and templates above yields a supplier that actually covers your markets, meets its SLOs on money flows, and does not block growth, either technically or commercially.