We never ask for your operator backoffice password.
We are not aware of any other affiliate aggregator that has made this commitment in writing. This page is the long version — encryption, audit log, admin access, and the compliance path we are on.
Last updated: 2026-05-19
Working draft. Final wording on this page is subject to external legal review and may change without notice. Technical commitments are tracked against shipping milestones — see the compliance roadmap below.
01
Three things affiliates worry about, and what we do about them.
Honest framing first. Detail underneath.
A data breach exposes my deal terms and payout history.
Every sensitive column is envelope-encrypted under AWS KMS Frankfurt with a per-record data key. If a snapshot leaks without the key, the data is unreadable — and GDPR Article 33 treats that as exempt from individual-notice.
An aggregator stores my operator backoffice password and gets compromised.
We never ask for that password. We integrate via postback URLs and read-only API keys. A major affiliate platform had its payout wallet hijacked in 2024 through compromised affiliate-account credentials — that attack pattern is structurally impossible against the BetLink design.
A hostile attacker drains the payout fund or rewrites my wallet address.
Payout-address changes are gated by step-up MFA plus a twenty-four-hour cooldown. Every change is in your real-time audit log. We will never reverse a fund movement on your behalf without a written, signed request that you can verify out of band.
02
How encryption actually works here.
Plain-English summary; the deep technical brief lives in the SOC 2 evidence package.
- Every sensitive column — operator API keys, postback HMAC secrets, payment-rail tokens, KYC index — is wrapped under a hybrid envelope scheme. We hold a per-tenant key-encryption-key (KEK) in AWS KMS, Frankfurt region (eu-central-1), FIPS 140-2 Level 3.
- Each individual record carries its own data-encryption-key (DEK). The DEK is generated at write time, used once, and discarded. The encrypted DEK lives next to the ciphertext; the KEK never leaves KMS.
- EncryptionContext (AAD) on every wrap includes the workspace ID, the credential ID, and the purpose tag. A DEK wrapped for one tenant cannot be unwrapped against another tenant's context. This is enforced cryptographically, not by application code.
- KEK rotation is automatic on a one-year schedule. Per-record DEKs are never rotated — each record carries a fresh key from day one, so rotation is a non-event.
Supabase Vault is used for our own infrastructure secrets only. Customer data does not pass through it, because the Vault master key is held by Supabase staff. The hybrid envelope keeps the master root on our side of the trust boundary.
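The context binding described in the list above, as an added example that is not BetLink's own code: a local AES-GCM key stands in for the KMS-held KEK so it runs offline, it uses the third-party `cryptography` package, and the context field names and values are constructed for illustration.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: local stand-in for the per-tenant KEK. In the design described
# above the KEK is held in AWS KMS and never leaves it.
LOCAL_KEK = AESGCM.generate_key(bit_length=256)


def _aad(context: dict) -> bytes:
    # Canonical serialisation so the same context always yields the same AAD.
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def encrypt_record(plaintext: bytes, context: dict) -> dict:
    dek = AESGCM.generate_key(bit_length=256)  # fresh per-record DEK
    data_nonce, wrap_nonce = os.urandom(12), os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(data_nonce, plaintext, None)
    # Wrap the DEK under the KEK with the context as associated data.
    wrapped = AESGCM(LOCAL_KEK).encrypt(wrap_nonce, dek, _aad(context))
    # Only the wrapped DEK is stored next to the ciphertext.
    return {"ct": ciphertext, "data_nonce": data_nonce,
            "wrapped_dek": wrapped, "wrap_nonce": wrap_nonce}


def decrypt_record(record: dict, context: dict) -> bytes:
    # Raises InvalidTag if the context differs from the one used at wrap time.
    dek = AESGCM(LOCAL_KEK).decrypt(
        record["wrap_nonce"], record["wrapped_dek"], _aad(context))
    return AESGCM(dek).decrypt(record["data_nonce"], record["ct"], None)


def cross_tenant_unwrap_fails() -> bool:
    # Constructed context values; only the workspace ID differs between them.
    ctx_a = {"workspace_id": "ws-A", "credential_id": "cred-1",
             "purpose": "postback-hmac"}
    ctx_b = dict(ctx_a, workspace_id="ws-B")
    record = encrypt_record(b"constructed-secret", ctx_a)
    try:
        decrypt_record(record, ctx_b)
    except InvalidTag:
        return True
    return False
```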
03
A real-time audit log you can actually read.
Every decryption, every credential change, every admin touch — written to your view, hashable, and exportable.
- Every sensitive operation writes a row into a per-workspace audit_events table — credential added, credential decrypted for postback dispatch, payout address changed, MFA challenge issued, admin investigated.
- Rows are HMAC-chained: each row carries a MAC of the previous row. If anything is rewritten retroactively, the chain breaks on next verification.
- Once per hour, the chain head is signed by AWS KMS and the signature is anchored to a Wasabi EU bucket in Object-Lock WORM mode. We retain the anchor for ten years. The signed root means even we cannot rewrite history without leaving evidence.
- IP addresses in the log are pseudonymised through a per-tenant HMAC. When you close your account, we shred the tenant key. The chain stays valid for verification; the IPs become un-correlatable. This is what makes the log GDPR Article 17 compatible despite being immutable.
You can view your audit log live at /settings/audit and export it as signed JSON. We do not know of another affiliate aggregator that exposes per-credential decryption events to the affiliate.
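A minimal model of the chained log and the pseudonymised IPs described above, as an added example that is not BetLink's own code. The row layout, the separate chain key, the all-zero genesis value and the choice to MAC the previous row's MAC together with the current row's content are assumptions; the events and IP address are constructed.

```python
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed starting value for the first row


def pseudonymise_ip(tenant_key: bytes, ip: str) -> str:
    # Per-tenant HMAC: without tenant_key the value cannot be tied to an IP.
    return hmac.new(tenant_key, ip.encode(), hashlib.sha256).hexdigest()


def _row_mac(chain_key: bytes, prev_mac: bytes, event: dict) -> bytes:
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(chain_key, prev_mac + body, hashlib.sha256).digest()


def append_event(log, chain_key, tenant_key, action, ip):
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    event = {"seq": len(log), "action": action,
             "ip_pseudonym": pseudonymise_ip(tenant_key, ip)}
    log.append({"event": event, "mac": _row_mac(chain_key, prev, event).hex()})


def verify_chain(log, chain_key) -> int:
    """Return the index of the first row that fails, or -1 if intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        stored = bytes.fromhex(row["mac"])
        if not hmac.compare_digest(_row_mac(chain_key, prev, row["event"]), stored):
            return i
        prev = stored
    return -1


def demo():
    chain_key, tenant_key = b"k" * 32, b"t" * 32  # constructed keys
    log = []
    for action in ("credential_added", "credential_decrypted",
                   "payout_address_changed"):
        append_event(log, chain_key, tenant_key, action, "203.0.113.7")
    intact = verify_chain(log, chain_key)
    tampered = copy.deepcopy(log)
    tampered[1]["event"]["action"] = "mfa_challenge_issued"  # retroactive edit
    broken_at = verify_chain(tampered, chain_key)
    del tenant_key  # shredding the tenant key does not touch the chain
    return intact, broken_at, verify_chain(log, chain_key)
```

Verification needs only the chain key and the stored rows, which is why destroying the tenant key leaves the chain checkable while the stored pseudonyms can no longer be recomputed from a candidate IP.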
04
Honest admin access. Two lenses, no third one.
Most platforms quietly run with full impersonation and call it 'support'. Here is exactly what BetLink staff can do and what gets logged.
A BetLink staff member can open a silent, read-only view of your workspace if a fraud investigation, KYC escalation, or anti-money-laundering case requires it. Reads are silent at the moment they happen — this is required by AML 'tipping-off' rules. After ninety days, the session is revealed in your audit log unless it remains tied to an open suspicious-activity report. Sessions are capped at thirty minutes, require step-up MFA on the operator side, and are bound to an IP allow-list.
A full read-write support session only happens with your explicit consent through a one-click button in your workspace. While it is active, a persistent banner is shown to both you and the operator, and both sides receive an email at start and end. Sessions are capped at one hour and produce a per-action audit trail tied to a GitHub Enterprise SSO identity, not a shared admin account.
The dual-lens pattern is closest in spirit to the engineering-blog write-up Pigment published in April 2026; it is intentionally stricter than the typical SaaS 'support shadow login'.
05
What we never ask for, and what some peers do.
Compared against publicly documented behaviour. Aggregators are listed for transparency only — names are withheld until counsel clears the comparison page.
- Operator backoffice passwords. We use postback URLs and read-only API keys. Some peers — including ones that publish help articles such as 'Connecting an Affiliate Program (via Login Credentials)' and tools that accept bulk CSV credential uploads — do ask. We do not.
- Two-factor codes, recovery codes, or device-binding seeds for your operator accounts.
- Wallet seed phrases or full payment card numbers. Payouts run through partners with the appropriate licences; we hold a tokenised reference, never the underlying number.
- Government ID for affiliates who do not opt into KYC. KYC is gated to tier-promotion and to payout thresholds that legally trigger it.
If any of this changes — if a future BetLink feature ever genuinely needs an operator-side credential — we will publish the rationale here and in the changelog before it ships.
06
Authentication standards.
What we require, what we encourage, and what we refuse.
- Mandatory MFA on every paid workspace. Step-up re-authentication on payout-address changes, key adds, and admin-session consent.
- TOTP supported today. WebAuthn / passkey support is in upstream beta; we will flip the default to passkey-preferred when the auth provider promotes it to general availability.
- SMS as a second factor is a hard no. SIM-swap attacks are a documented, recurring vector in this industry, and we will not advertise SMS as security.
- Enterprise SAML and SCIM through WorkOS arrive in Q3 2026.
07
The compliance roadmap, on the record.
Dates we will be held to.
- August 2026: Drata kickoff. Parallel SOC 2 Type 1 and ISO 27001 Stage 1 evidence collection begins. Audit-firm engagement signed.
- Q1 2027: SOC 2 Type 1 report issued. ISO 27001 Stage 1 review complete. Penetration test by an external firm.
- August 2027: SOC 2 Type 2 report and ISO 27001 certification, both standalone. This makes BetLink the only standalone SOC 2 Type 2 plus ISO 27001 affiliate platform in iGaming. Series-A diligence ready.
If a date slips, the slip will be published here on the day it is known. We would rather move a date than quietly re-define it.
08
The person on the other side of this page.
There is one founder. Here is the address you can serve papers at.
Jonathan Luis
Founder, BetLink
BetLink Group Holdings Ltd — Limassol, Cyprus
External counsel: Harris-Kyriakides LLC, Larnaca, Cyprus.
BetLink does not hide behind a generic 'team@'. A regulator, an investor, or an angry affiliate can find a named human and an incorporated Cyprus entity. Counsel is named. Cyprus jurisdiction is named. There is no offshore re-domiciliation planned.
09
Bug bounty.
We are standing up a private bug bounty programme on Intigriti in late 2026. Scope and reward bands will be published here when it goes live.
- Until then, please email security@betlink.ai. We respond within one business day and we do not pursue legal action against good-faith research.
- Scope and the canonical security policy live in our /security-policy.txt file, in RFC 9116 format.
- A public hall of fame ships with the Intigriti programme launch.