KURAL evaluates your stack against 189 controls across 33 jurisdictions — continuously, with cryptographically-provable evidence — so the next regulator letter finds you ready, not scrambling.
Across the top 30 UKGC + MGA enforcement actions since 2022, the failure mode is consistent: the underlying data lived in the operator's PAM, KYC vendor, AML monitor, helpdesk or doc store. The fine was for not surfacing it against a control — continuously, with regulator-ready provenance.
6-screen plug-and-play discovery flow. Auto-detects your jurisdiction from public registers. Pre-evaluates 12+ controls before you connect anything. Streams PASS/FAIL live as your stack comes online.
Read-only API keys for your PAM, KYC vendor, AML monitor, helpdesk and doc store. AWS via OIDC, GitHub via App. Never any inbound port into your network. Never a write-path.
Auto-scan against your declared jurisdictions and product types. KURAL figures out which of the 189 controls apply, who in your team owns each one, and what evidence to look for.
Continuous evaluation — every minute for critical controls, daily for the rest. Findings hit the right team member with a due date and an AI-drafted 3-step remediation plan.
One-click audit pack per regulator. Time-boxed auditor portal for eCOGRA / GLI / BMM. Every piece of evidence Merkle-hashed and anchored to AWS Object Lock — tamper-evident for 7 years.
Not a roadmap. Every surface below is running in production at app.kural.tech right now, against 189 controls across 33 jurisdictions.
Per-control cadence — continuous, hourly, daily. Findings auto-routed via org-units + delegation + OOO + four-eyes maker-checker on critical / high resolutions (single and bulk paths).
Every evaluation, finding, and regulator artefact anchored in a Merkle-chained ledger. Independently timestamped by DigiCert / FreeTSA. Your regulator verifies the math without us in the room.
Five auto-generators. Each PDF is SHA-256 fingerprinted and anchored as a board_report_fingerprint. Tipping-off-safe — SAR-linked findings filtered per POCA s.333A.
Claude Sonnet extracts effective dates + cited clauses. Inline approve / reject. One-click creates findings with due-date = effective − 30 days.
GAMSTOP per-player check Merkle-anchored. W15 screening-list version anchoring against Refinitiv WC1 / Dow Jones / ComplyAdvantage. NCA SAR Online XML with four-eyes drafting.
Time-bounded, watermarked, access-logged URL at /audit/{token}. Tipping-off-safe filtering. Auditor recomputes the Merkle proof against the chain head — KURAL not in the loop.
GLI / BMM / eCOGRA / iTechLabs cert PDF → Claude vision extracts cert number, jurisdictions, RTP and expiry with per-field confidence. Reviewer confirms in one click — the PDF's SHA-256 is anchored as cert_pdf_fingerprint in the evidence ledger. Bulk-CSV path still available for spreadsheet-trackers.
One jurisdiction, one brand, ~30 controls live in week 1, audit-pack PDF in week 12. Founder-led delivery. Read-only access to your stack, never a write path, never a regulator handoff without your consent.