Alberta iGaming Tech and Security

What Operators Need to Build Before They Go Live

As Alberta moves toward a regulated iGaming framework, operators have an opportunity to enter a high-value market early. As with other regulated jurisdictions, success will depend not just on licensing, but on the strength of the underlying technology and security infrastructure supporting the platform.

While the final framework is still evolving, operators should expect requirements broadly aligned with established Canadian standards and comparable jurisdictions such as Ontario. The fundamentals are well understood: strong access controls, independent security validation, disciplined vulnerability management, and clear separation between production and development environments.

For operators already active in regulated markets, preparing for Alberta is unlikely to require a full rebuild. In most cases, it will be a combination of gap analysis, documentation, and validation of existing controls against anticipated expectations.

Core Security Foundations

Access control and privilege management will be a central focus. Operators should ensure that access to critical systems is tightly controlled, regularly reviewed, and aligned with principles such as least privilege and separation of duties. Multi-factor authentication, particularly for privileged access, is now considered baseline. Many operators are also moving toward more structured privileged access management solutions to improve visibility and control.

Independent security assurance will also play an important role. Operators should expect to demonstrate that their controls have been externally validated, commonly through frameworks such as SOC 2 or ISO 27001, or equivalent independent assessments. These processes take time and should be started well in advance of any planned launch.

Vulnerability management and testing are equally critical. Mature programs typically include defined remediation timelines based on severity, regular internal scanning, and periodic independent penetration testing across core systems, including authentication flows and APIs. The expectation is not just that vulnerabilities are identified, but that they are remediated in a timely and controlled manner.

What the Regulation Requires

  • Access Control and Privileged Access Management. Privileges must be reviewed quarterly to confirm least privilege and separation of duties. All privileged accounts must be protected by phishing-resistant MFA and managed through a dedicated PAM solution with session recording, command logging, and time-bound elevation. If you do not have a PAM solution in place already, it needs to be on your critical path immediately.
  • Security Certifications. SOC 2 Type 1 from an AICPA-member firm is required before going live. Within two years this must be upgraded to ISO 27001 or SOC 2 Type 2. Start your audit preparation now. SOC 2 Type 1 alone can take several months.
  • Vulnerability Management. Critical vulnerabilities must be remediated within 48 hours, High within 7 days, Medium within 30 days. Annual independent penetration testing of all production infrastructure is required, covering APIs, authentication flows, and ingress and egress controls.
  • Geo-Location Controls. Only players physically in Alberta may participate. Your system must actively detect and block VPNs, proxies, remote desktop tools, and virtualisation. Location must be re-verified periodically with tamper-evident timestamped logging. Your annual Technology Compliance Confirmation must detail how these controls have been validated across expected device and network types.
  • Logging and Monitoring. Logs must be protected against alteration using WORM storage or SHA-256 cryptographic signing, transmitted over TLS 1.2 or higher, and retained for at least one year online and seven years in archive. A SIEM or equivalent must be in place to correlate and alert on integrity events.
  • Data and Encryption. Encryption must meet or exceed AES-256 and RSA-2048, evaluated annually. Backups must be off-site, tested quarterly, immutable, and encrypted at rest and in transit. Data centres must be approved by AGLC, including a data residency and cross-border transfer assessment.
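
An added example (not taken from the AGLC standard or from Loonio) of the tamper-evident, timestamped logging named in the Geo-Location and Logging and Monitoring items above: each record carries an HMAC-SHA-256 over its content and the previous record's MAC, so edits, deletions and truncation show up on verification. The HMAC chain is one assumed way to meet "SHA-256 cryptographic signing"; the record fields, key, and sample events are constructed for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed anchor value for the first record
FIELDS = ("seq", "ts", "event", "detail")  # assumed record layout

def _mac(key, prev, body):
    # Canonical JSON so identical records always serialise to identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + data, hashlib.sha256).hexdigest()

def append(log, key, ts, event, detail):
    """Append a record whose MAC covers its content and the previous MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "event": event, "detail": detail}
    log.append(dict(body, prev=prev, mac=_mac(key, prev, body)))

def verify(log, key, head=None):
    """Return (index, reason) findings; an empty list means the chain is intact.
    head is the latest MAC as stored outside the log (e.g. on WORM media);
    without it, removal of the newest records cannot be detected."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in FIELDS}
        if rec["seq"] != i:
            findings.append((i, "sequence gap or reorder"))
        if rec["prev"] != prev:
            findings.append((i, "broken chain link"))
        if not hmac.compare_digest(rec["mac"], _mac(key, rec["prev"], body)):
            findings.append((i, "record altered"))
        prev = rec["mac"]
    if head is not None and prev != head:
        findings.append((len(log), "tail truncated or replaced"))
    return findings

def build_sample(key):
    """Constructed sample: periodic location re-verification events."""
    log = []
    append(log, key, "2025-01-01T12:00:00Z", "geo_check", {"player": "p-1001", "result": "in_province"})
    append(log, key, "2025-01-01T12:10:00Z", "geo_check", {"player": "p-1001", "result": "vpn_detected"})
    append(log, key, "2025-01-01T12:10:01Z", "session_blocked", {"player": "p-1001"})
    return log

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in production, keep the key off the log host
    log = build_sample(key)
    head = log[-1]["mac"]
    print("intact:", verify(log, key, head))
    log[1]["detail"]["result"] = "in_province"  # simulated after-the-fact edit
    print("edited:", verify(log, key, head))
    print("truncated:", verify(log[:2], key, head))
```

A non-empty findings list is the kind of integrity event a SIEM rule can alert on.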

What to Prioritise First

Start with a gap analysis against your current security posture. If you are in Ontario, use your existing compliance documentation as the baseline and identify where Alberta requires something additional.

Your critical path to launch covers four things. Get your SOC 2 Type 1 audit underway immediately. Implement your PAM solution. Validate your geo-location controls across expected device and network types. And begin building your Control Activity Matrix, which must be independently audited before you go live and takes considerably longer to complete than most operators expect.

All games, RNGs, and critical system components must also be certified by an AGLC-registered Accredited Testing Facility before deployment. Game certification is one of the most common causes of launch delays. Build it into your timeline from the start.

The Key Timelines

Requirement                           Timeline
SOC 2 Type 1                          Before market launch
SOC 2 Type 2 or ISO 27001             Within 2 years of launch
Penetration testing                   Annually and after material changes
Access privilege reviews              Quarterly
Critical vulnerability remediation    48 hours
High vulnerability remediation        7 days
Medium vulnerability remediation      30 days
Security log retention online         1 year
Security log retention archive        7 years

The Bottom Line

Alberta's technology framework is serious and built for the long term. Ontario operators will find much of it familiar with some important specifics to address. Everyone else needs to start building now.

Talk to the Loonio team about how our Canadian-built payments infrastructure supports operators building toward Alberta market launch.

Disclaimer: This article is for general informational purposes only and does not constitute legal or regulatory advice. Operators should consult the AGLC Standards and Requirements for Internet Gaming and qualified legal counsel.