Information Security Policy
1. Definitions
- Account Holder – A person who owns and manages a Player Account on the Website.
- Back Up – A regularly created copy of important business or operational data.
- Business Data – Non-personal information processed by the Company for operational and administrative purposes.
- Classified Information – Information defined as restricted under Article 4.3 of this Policy.
- The Company – Audeo N.V., a limited liability company incorporated under the laws of Curaçao and registered with the Chamber of Commerce and Industry under number 127564.
- Computer System – A collection of hardware and software working together to perform specific operations by receiving input, processing data, storing information, and generating output. This system is vital for the Company’s service delivery.
- Confidential Business Information – Business-related data that the Company considers private and undesirable to disclose to external parties.
- Data Subject – Any natural person who can be identified, directly or indirectly, through personal data.
- Employee – Any individual working for or contracted by the Company.
- Player – A registered user who utilizes the Company’s gaming Services on the Website and holds a valid Player Account assigned with a unique identifier.
- Player Account – A personal account established by the Company upon registration, required for real-money gameplay. Each person, household, IP address, and shared environment may hold only one Player Account.
- Personal Data – Any data relating to an identifiable individual, including but not limited to name, identification number, contact details, or attributes related to physical, psychological, genetic, mental, economic, cultural, or social identity.
- Sensitive Information – Confidential or critical data that must be protected from unauthorized access to ensure privacy and security.
- Service – The gaming and wagering products offered online by the Company through its Website to Account Holders.
- Website – The online gaming platform managed and operated by the Company.
2. Information Security Policy
2.1 Policy
To guarantee the stable and secure operation of the Company, it is essential to preserve the availability, accuracy, and confidentiality of all business information. Certain categories of information, defined as Sensitive Information, demand higher protection standards due to regulatory, contractual, or stakeholder obligations. This Policy outlines the framework for protecting such information and will be reviewed regularly to ensure compliance with applicable legislation and continued confidence in Company operations.
2.2 Objective
The purpose of this Policy is to protect the integrity, confidentiality, and accessibility of all data managed by the Company and to demonstrate management’s ongoing commitment to robust information security practices.
2.3 Responsibilities
All Employees are expected to act ethically and responsibly. Specifically:
- Data or information obtained through improper means must never be used;
- Any discovered system weakness must be reported immediately and not exploited;
- Every Employee must perform their duties carefully and is accountable for any misuse of Company systems or data;
- All known security incidents or vulnerabilities must be reported to the appropriate security personnel.
3. Data
Sensitive information exists in various forms. Under the applicable laws, such as the Curaçao Data Privacy Act and the GDPR, a distinction is made between Personal Data and Confidential Business Data.
3.1 Personal Data
The personal information collected and processed while using the Services includes, but is not limited to:
- Details provided during account registration or through forms submitted on the Website, such as full name, date of birth, contact number, and email address;
- Verification documents and supporting information required to confirm a player’s identity, process payments, and conduct anti-fraud checks, including copies of identification, receipts, and bank statements;
- Data related to the Player Account, such as login credentials, IP address, browser and device type, activity logs, and network data;
- Records of communications with the Website via messages, emails, or other channels;
- Complete transaction history and records of surveys or questionnaires completed by the player;
- Responses to surveys or any other customer feedback activities conducted periodically.
3.2 Confidential Business Data
The Company also processes non-personal data for operational use. Such Business Data is considered confidential when it is not intended or appropriate to be shared externally.
3.3 Classified Data
The Company may handle certain categories of data that require stricter security controls. Classified Information refers to information for which there are legal or financial consequences in case of disclosure. This includes payroll, personnel records, sensitive player data, and financial reports.
4. Security of Information
4.1 Security During Usage of Company’s Systems
All Company hardware and software, whether fixed or mobile, must be installed, used, and maintained in line with manufacturer and IT department instructions. The Company’s IT team ensures that all systems used to store or access sensitive data are updated promptly with the latest security patches.
4.1.1 Password
All devices and storage media containing Sensitive Information must be secured with an authentication method such as a password, two-factor authentication, or encryption.
- Passwords must comply with international cybersecurity standards for strength and renewal.
- When a password manager is required by the Company, Employees must use it to create and update passwords.
4.1.2 Security and Proprietary Information
Passwords must remain confidential, and Employees are prohibited from sharing accounts. Authorized users are responsible for safeguarding their credentials. Caution must be exercised when opening email attachments from unknown sources to prevent security threats like malware or phishing.
4.1.3 Acceptable Use Policy
Employees are expected to exercise good judgment regarding limited personal use. Internet access should primarily serve professional needs. Posting or sharing Company or client-related information that could harm the Company’s reputation or relationships on social media or other platforms is strictly prohibited, whether during or outside working hours.
4.1.4 Secrecy
Employees and suppliers are bound by confidentiality regarding all sensitive information obtained during their engagement with the Company. This duty of secrecy continues even after the termination of employment or contract. All external communication with media or authorities must only be handled by authorized Company representatives.
4.1.5 Remote Connections
Any Employee or third party granted remote access must keep login credentials secure and must not share them with anyone under any circumstances.
4.1.6 Remove Sensitive Information
Storing Sensitive Information always carries a risk of unauthorized access or loss. Therefore, it must be regularly reviewed to confirm its necessity. If data is no longer required by law or business need, it must be deleted securely. Sensitive data may not be taken outside the Company unless essential for official duties.
4.1.7 Retention Terms and Personal Data
The Company keeps relevant records and documents for a minimum of five years after the end of a business relationship. These records must be maintained to allow authorities to trace and audit transactions effectively.
4.2 Secure Disposal and Destruction of Business Information and Devices After Use
Documents or devices containing Company information must never be discarded through public waste systems.
4.2.1 Devices
When an Employee’s device (such as a phone, laptop, or tablet) is no longer in use, it must be returned to the responsible manager for secure handling.
4.2.2 Physical Documents
Physical business records must be destroyed safely, such as through shredding or disposal by a certified document destruction provider.
4.2.3 Destruction of Business Information
Information no longer required for business purposes must be designated for deletion and securely removed. Periodic reviews should confirm that:
- Outdated or unused devices are wiped or destroyed;
- Obsolete Company data, including backups, is permanently deleted.
5. Security of the Computer System
5.1 Safeguarding of Applications
All internet-connected systems and their operating software must have the latest updates and security patches applied.
5.2 Safeguarding of Networks
Wireless networks must be password protected and restricted to authorized Company personnel. The transfer of confidential or classified data must be strictly managed, and such information must never be printed, downloaded, or copied without authorization.
5.3 Logs and Other Systems Security Tools
Systems handling sensitive or valuable information must log all key security-related events, including login attempts, password guesses, privilege changes, and software modifications. If cybercrime or misuse is suspected, all relevant system logs and data must be stored offline until the matter is resolved.
5.4 Measures Against Data Loss
The Company maintains secure backup facilities where regular backups of business information are stored. Employees are required to save data on the Company’s network drives rather than local devices to reduce data loss risks.
6. External Parties
6.1 Hiring of External Parties
Before granting access to Sensitive Information, the Company must ensure that external parties have a legitimate business need and meet all security standards defined in this Policy. These obligations must be outlined in a written agreement signed by the external party before any data access is provided.
Access for third parties, auditors, or consultants requires management approval and must be temporary. All external access credentials will be revoked immediately after the assignment is completed.
7. Physical Security of Buildings and the Surrounding Area
7.1 Clean Desk Policy
Employees must ensure that all documents, devices, and media are secured and not left unattended. After working hours, desks must be cleared and sensitive materials stored safely.
7.2 Employees Access
Employees may only access areas of the premises for which they have authorization through a key or access card. Misuse of access privileges may result in disciplinary action.
7.3 Visitors
Visitors are not permitted in areas where sensitive data is stored. They must be accompanied by a Company representative at all times and escorted out upon completion of their visit. The hosting Employee is responsible for the visitor’s conduct and supervision.
8. Training
All Employees must participate in training sessions or webinars focused on privacy and personal data protection. New hires are also required to complete such training, and checklists will be used to ensure all staff remain compliant and informed.
1. Company Policy
1.1 It is the policy of Malibu Club Casino (the "Company") to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities. The Company strives to comply with all applicable requirements under the legislation in force in the jurisdictions in which the Company operates, to prevent the use of the financial system for the purpose of money laundering and terrorist financing.
2. Objective of the Policy
2.1 The Company is fully committed to being constantly vigilant to prevent money laundering and combat the financing of terrorism in order to minimize and manage risks such as reputational risk, legal risk and regulatory risk. It is also committed to its social duty to prevent serious crime and not to allow its systems to be abused in furtherance of these crimes.
2.2 The Company will endeavor to keep itself updated with developments both at national and international level on any initiatives to prevent money laundering and the financing of terrorism. It commits itself to protect, at all times, the organization and its operations, and to safeguard its reputation, from the threat of money laundering and the funding of terrorist and other criminal activities.
2.3 The Company's policies, procedures and internal controls are designed to ensure compliance with all applicable laws, rules, directives and regulations relevant to the Company's operations and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place.
3. Player Identification Program
3.1 The Company will take reasonable steps to establish the identity of any person for whom it is proposed to provide its service (hereinafter "Players"). For this purpose, the Player registration process set out in the General Terms and Conditions of the Company provides for the due diligence process that must be carried out before the opening of a user account.
3.2 The Company will keep at all times a secure online list of all registered Players and information and documents will be retained in accordance with the applicable data protection obligations.
3.3 The Company will collect certain minimum Player identification information from each Player who opens an account. The Company will not open anonymous accounts or accounts in fictitious names such that the true beneficial owner is not known. The information required will include at least:
- Player's date of birth (showing that the player is over eighteen (18) years of age);
- Player's first and last name;
- Player's place of residence;
- Player's valid email address; and
- Player's username and a password.
3.4 Documents to verify the identity information received will be requested from the Player if and when there is considered to be risk or uncertainty about the information provided and prior to any payment in excess of EUR 3,000 per occasion or when payments to the account are made in excess of EUR 3,000. These documents shall include, to the extent permitted under the relevant data protection regulations:
- A copy of a valid identity card or passport;
- Proof of address.
3.5 The Company may supplement the use of documentary evidence by using other means, which may include:
- Independently verifying the Player's identity through the comparison of information provided by the Player with information obtained from a reporting agency, public database or other source;
- Checking references with financial institutions; or
- Obtaining a financial statement.
3.6 The Company will inform relevant Players that the Company may seek identification information to verify their identity.
3.7 Any employee of the Company who becomes aware of an uncertainty in relation to the accuracy and truthfulness of the Player information provided shall immediately notify the AML Compliance Person, who will review the materials and determine whether further identification is required and/or whether a report is to be sent to the relevant authorities.
3.8 If a potential or existing Player either refuses to provide the information described above when requested, or appears to have intentionally provided misleading information, the Company will not open a new account and, after considering the risks involved, will consider closing any existing account. In either case, the AML Compliance Person will be notified so that it may be determined whether a report is to be sent to the relevant authorities.
3.9 If a Player has been identified as attempting or participating in any criminal or unlawful activity, the Company will take the appropriate steps to immediately freeze the account of the Player.
3.10 If any material personal information of a Player changes, verification documents will be requested.
4. Continuous transaction due diligence
4.1 The Company will monitor account activity and will examine with special attention, to the extent possible, the background and purpose of any more complex or large transactions and any transactions which are particularly likely, by their nature, to be related to money laundering or the funding of terrorism.
4.2 Monitoring will be conducted through the following methods: Transactions will be automatically monitored and reviewed daily for all transactions above a certain threshold along with all the details of the users making those transactions. Documents may be required at the determination of the AML Compliance Person.
4.3 The AML Compliance Person will be responsible for this monitoring, will review any activity that the monitoring system detects, will determine whether any additional steps are required, will document when and how this monitoring is carried out, and will report suspicious activities to the relevant authorities.
4.4 Parameters that signal possible money laundering or terrorist financing include, but are not limited to:
- Wire transfers to/from financial secrecy havens or high-risk geographic locations without an apparent reason.
- Many small, incoming wire transfers or deposits made using checks and money orders.
- Wire activity that is unexplained, repetitive or unusually large, shows unusual patterns, or has no apparent specific purpose.
4.5 When an employee of the Company detects any activity that may be suspicious, he or she will notify the AML Compliance Person. The AML Compliance Person will determine whether and how to further investigate the matter. This may include gathering additional information internally or from third-party sources, contacting the government, freezing the account and/or filing a report.
4.6 The Company will not accept cash or non-electronic payments from Players. Funds may be received from Players only by any of the following methods: credit cards, debit cards, electronic transfer, wire transfer cheques and any other method approved by the Company or respective regulators.
4.7 The Company will only transfer payments of winnings or refunds back via the same route from which the funds originated, where possible.
4.8 To the extent the Company utilizes a third party to process and record payments to and from Player and accounts, the Company will use best efforts to ensure the service provider has transaction monitoring systems in place which will allow for screening of the transactions pursuant to these provisions and in accordance with the applicable legislation. The AML Compliance Person shall be responsible for reviewing the relevant service agreement with the service provider to ensure the adequacy of the agreement.
4.9 Records relating to the financial transactions shall be maintained in accordance with the data protection and retention requirements in the applicable jurisdiction of Curaçao.
5. Suspicious Transactions and Reporting
The AML Compliance Person will report any suspicious transactions (including deposits and transfers) conducted or attempted by, at or through a Player account where the AML Compliance Person knows, suspects or has reason to suspect:
5.1 The Player is included on any list of individuals assumed to be associated with terrorism or on a sanctions list;
5.2 The transaction involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade laws or regulations or to avoid any transaction reporting requirement under law or regulation;
5.3 The transaction has no ordinary lawful purpose or is not the sort in which the Player would normally be expected to engage, and after examining the background, possible purpose of the transaction and other facts, we know of no reasonable explanation for the transaction; or
5.4 The transaction involves the use of the Company to facilitate criminal activity.
6. Training Programs
6.1 The Company will develop ongoing employee training under the leadership of the AML Compliance Person and senior management. The training will occur on at least an annual basis. It will be based on the Company's size, its Player base, and its resources and be updated as necessary to reflect any new developments in the law.
6.2 The training will include, at a minimum:
- how to identify red flags and signs of money laundering that arise during the course of the employees' duties;
- what to do once the risk is identified (including how, when and to whom to escalate unusual Player activity or other red flags for analysis);
- what employees' roles are in the Company's compliance efforts and how to perform them;
- the Company's record retention policy;
- the disciplinary consequences for non-compliance with legislation.