Hard Rock Digital Mobile Internal Controls

Contents
Definitions................................................................................................................................... 2
Section 1. Safeguarding assets and revenues .............................................................................. 4
Section 2. Safeguarding player accounts .................................................................................... 4
Section 3. Requirements for internal and independent audits of the permit holder and its sports
betting platform supplier ............................................................................................................. 6
Section 4. User access controls for all personnel ........................................................................ 6
Section 5. Segregation of duties among personnel ..................................................................... 7
Section 6. Automated and manual risk management procedures ............................................... 8
Section 7. Procedures for identifying and reporting fraud, cheating, and suspicious or unusual
wagering activity......................................................................................................................... 9
Section 8. Procedures for identifying and preventing sports betting by Prohibited Individuals
................................................................................................................................................... 10
Section 9. Description of its AML compliance standards ........................................................ 11
Section 10. Description of all types of wagers available to be offered by the permit holder ... 12
Section 11. Description of all integrated third-party hardware, software, or systems .............. 13
Section 12. A monitoring system to identify irregularities in volume or odds and swings that
could signal unusual or suspicious wagering activity that should require further investigation
................................................................................................................................................... 14
Section 13. A wager or attempt to wager above any maximum wager threshold set by the permit
holder that qualifies as unusual or suspicious wagering ........................................................... 16

Page 1 of 17
MOBILE AND ONLINE SPORTS BETTING

These Mobile and Online Sports Betting Internal Controls are adopted pursuant to Section 300 of
the Virginia Lottery Sports Betting Regulation.

Definitions

(a) "Department" means the Virginia Lottery (“Lottery”), the independent department that
pursuant to § 58.1-4031 of the Code of Virginia is responsible for the operation of the
Commonwealth's sports betting program set forth in Articles 1 (§ 58.1-4000 et seq.) and 2 (§
58.1-4030 et seq.) of Chapter 40 of Title 58.1 of the Code of Virginia.

(b) "Independent Integrity Monitoring Provider" means an independent individual or entity

approved by the Lottery to receive reports of Unusual Betting Activity for the purpose of
assisting in identifying Suspicious Betting Activity.

(c) "Patron" means any person who is participating in Sports Betting.

(d) "Prohibited Individual" means any individual (i) who is prohibited from wagering pursuant to
the sports betting law; (ii) whose name is on any self-exclusion list or the Virginia Lottery
Exclusion List; (iii) whose participation may undermine the integrity of the wagering or the
sporting event; (iv) who is excluded from wagering for any other good cause; or (v) who makes
or attempts to make a wager as an agent or proxy on behalf of another for compensation (i.e.,
messenger betting).

(e) "Sports Betting" means wagering on any past or future professional sport or athletic event,
competition or contest, any Olympic or international sports competition event, any collegiate
sport or athletic event (but not including proposition bets on such collegiate sport or event), or
any motor vehicle race, or any portion of any of the foregoing, including but not limited to the
individual performance statistics of an athlete or other individual participant in any event or
combination of events, or any other "in-play" betting with respect to any such sporting event,
competition or contest, except "Sports Betting" does not include Fantasy Sports Contests, pari-
mutuel betting, or betting on any form of poker or other card game.

(f) "Sports Betting System" means the system and/or any platforms utilized to accept sports
wagers.

(g) "Suspicious Wagering Activity" means previously reported Unusual Betting Activity that
cannot be explained and is indicative of match-fixing, the manipulation of an event, misuse of
inside information, or other prohibited activity.

(h) "Unusual Wagering Activity" means abnormal betting activity exhibited by Patrons and

Page 2 of 17
 deemed by Hard Rock Digital as a potential indicator of Suspicious Betting Activity. Unusual
Betting Activity may include the size of a Patron's wager or increased betting volume on a
particular event or wager type.

(i) "Vendor" means an entity providing non-management services to support Hard Rock Digital's
Sports Betting operations either directly or through subcontractors. All Vendor contracts must
be provided to the Lottery before they are executed.

11VAC5-70-300.A

General requirements for Sports Betting

(a) Hard Rock Digital shall comply, and Hard Rock Digital shall require any Vendor to
comply, with the requirements for Sports Betting set forth in the Code of Virginia and all
applicable federal laws and regulations.

(b) Sports Betting may commence upon approval of the Virginia Lottery

(c) Sports Betting is limited to Patrons who are natural persons who are twenty-one (21) years
of age or older and are physically located within the Commonwealth of Virginia.

Sports Betting System

All Sports Betting is deemed at all times to be conducted exclusively by Hard Rock Digital in the
Commonwealth of Virginia at its facilities where the online sports books, including betting engine
servers and devices required to conduct wagering and accounting transactions, are located. This
includes any wagering undertaken by a Patron physically located in the Commonwealth of Virginia
using hardware mechanisms including electronic devices such as mobile devices to access a
website, application, or other platform accessible via the internet or mobile, wireless, or similar
communications technology that Patrons may use to participate in Sports Betting.
The Sports Betting System will, at least once every 24 hours, perform a self-authentication process
on all software used to offer, record, and process Sports Betting wagers that are identified as a
critical component of the Sports Betting System, to ensure there have been no unauthorized
modifications. If there is an authentication failure, the Sports Betting System must immediately
notify Hard Rock Digital and Hard Rock Digital must notify the Lottery within 24 hours. The
results of all self-authentication attempts must be retained for not less than ninety (90) business
days.

Hard Rock Sportsbook Platform

The Hard Rock Sportsbook Platform is a sports wagering platform that allows the player to
place eligible sports wager in the Commonwealth of Virginia using native mobile applications.
The system is comprised of two major software systems which are intended to be installed

Page 3 of 17
with, and operated by, a sports book operator. Hard Rock may act as IT Service Provider and its
own IT Department will take responsibility for the
management and control of the software once it is installed. The two system components are:

1. Sportsbook Manager (SBM), an Amelco player account management platform, and

2. Backend – NATS Portal, an Amelco trading platform.

The Sportsbook Manager a PAM platform used to:

• Store Patron’s personal details and transaction histories,
• Allow registered players to place wagers on the Hard Rock Sportsbook platform,
• Allow registered players to deposit and withdraw funds from a wagering account,
• Allow the Operator the ability to make manual account adjustments,
• Allow the Operator the ability to set transaction limits and/or suspend player accounts on-
demand, and
• Provide reports on all wagering account activity.

The NATS - Portal is a sports wagering/trading system used to:

• Create and manage wagering events,
• Accept fixed-odds sports wagers,
• Automatically settle wagers based on entered results,
• Manage and track wager payouts, and
• Provide reports on wagering activity.

The Hard Rock Sportsbook Platform also provides a front-end website and mobile native
applications which are the only way for end users to place account wagers on the system and
manage their wagering account.

11VAC5-70-300.B

Section 1. Safeguarding assets and revenues

Reserved – Retail

Section 2. Safeguarding player accounts

Security of Patron identity and financial information

Hard Rock Digital will create and maintain an electronic Patron file containing the information the
Patron submitted to establish the Sports Betting Account. This information shall be recorded and
kept for a period of five (5) years.

There are two levels of encryption in place.

Page 4 of 17
1. Hardware encryption:

a. All data storage is symmetrically encrypted at rest.

2. Database encryption:

a. Sensitive fields are symmetrically encrypted and the keys are managed using AWS
Key Management Service.

b. Password fields are asymmetrical salted hashes generated with bcrypt.

c. Currently, the Sports Betting System does not support storing of automated clearing
house (“ACH”) details as the flow allows Patrons to log into their bank via an
overlay, but if/when this is implemented it will be stored within a third-party PCI
vault by Hard Rock Digital’s ACH vendor.

Method for securely issuing, modifying, and resetting a Patron’s password

Users can reset their passwords in two (2) places: (1) the login screen, or (2) the Account section
after being logged in. Passwords must be eight (8) characters, and include one (1) special character,
one (1) number, and (1) uppercase letter at a minimum.

Forgot Password:

1. The user clicks “Forgot Password” on the sign in screen

2. The user will receive an e-mail with a unique link to reset their password
3. The user clicks the link and will be taken to a standalone web page
4. The user must enter a new password twice, following the same password requirements as
sign up
5. The user clicks “update password” to complete this flow
6. The user will not receive a confirmation e-mail when this action takes place

Change Password:

1. A logged in user can Account > Settings > Change Password to update their password
2. They must enter their current password and new password twice, following the same
password requirements as sign up
3. The user clicks “Confirm new password” to complete this flow
4. The user receives a confirmation e-mail that the password has changed

Hard Rock Digital Vendor Agent Password Update:

1. Agent can log into Back office

2. Agent Navigates to Account and search for the user’s account
3. Click “Change Password” under “User Conditions”
4. Enter a password following the same password requirements as sign up and click “Ok”

Page 5 of 17
5. The user will not receive a confirmation e-mail when this action takes place
6. Transactional E-Mails

Methods of Patron notification and identification for security modifications

Overview: Certain behaviors in the app will trigger an e-mail to the user each time they occur. The
actions below will trigger an email

Action Description
Welcome This is sent when a user completes the KYC process to sign up for the first
time
Deposit Completion This is sent when a user deposits funds into their account successfully
Timeout Period This is sent when a user chooses a timeout under the account section of the
app
Account Self-Excluded This is sent when a user chooses to self-exclude under the account section of
the app
Withdrawal Notification This is sent when a user requests a withdrawal
Forgot Password This is sent when a user clicks “Forgot Password” on the login page
Password Changed This is sent when a user changes their password in the account section of the
app

Section 3. Requirements for internal and independent audits of the permit holder and its
sports betting platform supplier

Hard Rock Digital will engage a certified public accountant to prepare in accordance with GAAP
an annual audit of the financial transactions and condition of its sports betting operation and submit
such audit to the director.

Internal audit functions will be handled by Hard Rock Digital’s compliance team and a third-party
auditor. Please see the attached audit plan prepared by an independent third-party that details Hard
Rock Digital’s schedule and details for internal gaming audits.

Section 4. User access controls for all personnel

Systems Access

(a) Access to the Sports Betting system will be managed by a small group of administrators
approved by Hard Rock Digital. A current listing of all permissions will be maintained by
the system vendor and shared with the Lottery as requested. Hard Rock Digital will

Page 6 of 17
 maintain the player account management (“PAM”) program for the Virginia system as well
as the administrative back-office tool.

(b) Permissions in Hard Rock Digital’s use of the back-office system are managed by system
administrators who assess an employee’s need for access to the system and grant
permissions on a minimal permission needed basis. Each department has designated user
groups set up to access only the parts of the system needed for that department as approved
by Hard Rock Digital.

(c) Managers within the IT and Compliance departments can add new users to back-office
platform with approval of Hard Rock Digital. Each user can access only the parts of the
system required to do their job.

(d) Hard Rock Digital will maintain documentation of each account created and note the
approver for each account. Hard Rock Digital will maintain a current listing of all
employees with access to the PAM and the back-office tool and will share such lists with
Lottery as requested.

(e) Each Hard Rock Digital or Vendor user may only have one back-office tool account
assigned to each user at any given time, which will be associated with the user’s email
address. Sharing of account login information between employees is prohibited.

(f) Vendor employees will use Okta identity management to access the back office with
approval of Hard Rock Digital. This means that employees must be active with the Vendor
in order to access these tools and will lose access upon termination.

(g) Upon any employee departure or termination from Hard Rock Digital or Vendor, Hard
Rock Digital's or Vendor's Human Resources (“HR”) will notify Hard Rock Digital's
Information Technology (“IT”) department, and IT will, within 24 hours, ensure that
individual no longer has access to Hard Rock Digital’s sports wagering systems. Hard Rock
Digital and Vendor HR will maintain a record of all active and terminated employees and
will share such lists with Lottery as required.

(h) Access to system functions is controlled by user roles and assigned in a manner that ensures
appropriate segregation of duties so that no employee is in a position both to commit an
error or to perpetrate fraud and to conceal that error or fraud in the normal course of his or
her duties.

(i) All user roles shall be approved by Hard Rock Digital in accordance with user Access
Control Procedures.

Section 5. Segregation of duties among personnel

Hard Rock Digital user roles include:

Page 7 of 17
 • ADMINISTRATOR
• PUNTER
• AGENT
• MEMBER
• CUSTOMER_CARE_AGENT
• CUSTOMER_CARE_MANAGER
• PAYMENT_AGENT
• MARKETING
• MANAGER
• READ_ONLY
• RISK_AGENT
• RISK_MANAGER
• TRANSLATIONS_AGENT
• DEVELOPMENT
• BACKOFFICE
• OPERATOR_ADMIN
• TERMINAL
• TELLER_OPERATOR
• TELLER_DEVICE
• NATS_ADMIN
• AMELCO
• SBM_ADMIN

The roles and permissions of each user role are contained in Hard Rock Digital’s NATS user roles
database. The NATS user roles are further defined and detailed in Hard Rock Digitals NATS user
roles matrix included as an attachment to this document and labeled accordingly.

Section 6. Automated and manual risk management procedures

The Vendor is responsible for risk management and contracts with traders for setting odds and
wagering limits for a given sporting event and wagering opportunity pursuant to management
direction from Hard Rock Digital. Traders are used to manage risk by using automated and manual
controls to monitor wagering and to adjust odds based upon their assessment of wagering activity
and the risks associated with a sporting event.

The sports wagering platform, provided to Hard Rock Digital by Vendor, processes all the data
and content provided by the traders. The platform is also used by Hard Rock Digital to establish
wagering rules, suspend events, handle wagering and financial transactions, create markets, settle
wagers, close markets, cancel events, void or cancel wagers, player account management, and
maintain odds to limit risk.

Page 8 of 17
Section 7. Procedures for identifying and reporting fraud, cheating, and suspicious or
unusual wagering activity

Identifying and Reporting Unusual and Fraudulent Wagering Activity (Game Integrity)

(a) Hard Rock Digital and its Vendor Trading and Risk Team have controls in place to identify
unusual betting activity and report such activity to an Independent Integrity Monitoring
Providers. Hard Rock Digital is a member of U.S. Integrity. Hard Rock Digital and its
Vendor Trading and Risk Team escalates unusual betting activity to U.S. Integrity, and this
reporting is shared with other members including Sports Betting operators in other U.S.
states and the Lottery. Such information is sent to the Lottery via email at
SuspiciousActivity@valottery.com.

(b) All Independent Integrity Monitoring Providers shall share information with each other
and shall disseminate all reports of unusual activity to Hard Rock Digital, and the Lottery
whenever:

I. Any abnormal betting activity or patterns that may indicate a concern about
the integrity of a sports event or events; or

II. Any other conduct with the potential to corrupt a betting outcome of a sports
event for purposes of financial gain, including but not limited to match
fixing.

III. Suspicious or improper betting activities, including use of funds derived

from improper activity, wagers to conceal or launder funds derived from
illegal activity, use of agents to place wagers, or use of false identification.

(c) Hard Rock Digital will send any reports required to be shared with regulatory authorities
or other law enforcement agencies to any appropriate regulatory bodies or agencies that are
required including the Lottery. Such reports will be sent to the Lottery via email at
SuspiciousActivity@valottery.com.

(d) Hard Rock Digital will review such reports and notify the Independent Integrity
Monitoring Provider of whether or not they have experienced similar activity.

(e) If an Independent Integrity Monitoring Provider finds that previously reported Unusual
Wagering Activity rises to the level of Suspicious Wagering Activity, they shall
immediately notify all other Independent Integrity Monitoring Providers, Hard Rock
Digital, and the appropriate sports governing body and all other regulatory agencies as
directed by Hard Rock Digital.

(f) Hard Rock Digital will provide the Lottery with real-time reporting and a quarterly
summary report detailing Unusual Wagering Activity or other Suspicious Wagering
Activity. Further, upon receipt of a report of Suspicious Wagering Activity, Hard Rock

Page 9 of 17
 Digital may suspend betting on events related to the report and may cancel wagers with
Lottery approval.

I. Any unusual betting activity or patterns that may indicate a concern about
the integrity of a sports event or events; or

II. Any other conduct with the potential to corrupt a betting outcome of a sports
event for purposes of financial gain, including but not limited to match
fixing.

(g) Suspicious or improper betting activities, including use of funds derived from improper
activity, wagers to conceal or launder funds derived from illegal activity, use of agents to
place wagers, or use of false identification.

(h) All information and data received or distributed by Hard Rock Digital related to unusual
or suspicious activity shall be considered confidential and shall not be revealed in whole
or in part unless required by the Lottery.

Identifying and Reporting Unusual and Fraudulent Wagering Activity (Patron Activity)

A combination of manual and automated controls will be used to identify and prevent persons
under the age of 21, and those that have been restricted from participating in the sportsbook
wagering in accordance with 11 VAC 5-70-210. Minors and prohibited players.

The identification of Prohibited Individuals relies on the creation and maintenance of restricted
lists in accordance with 11 VAC 5-70-210. Minors and prohibited players. A separate list will
be maintained detailing individuals considered Covered Employees of Hard Rock Digitals Sports
Betting operation. These lists will be used to identify and prevent Prohibited Individuals from
participating in Sports Betting.

Section 8. Procedures for identifying and preventing sports betting by Prohibited Individuals

Hard Rock Digital’s PAM is designed to work with third-party KYC providers to prevent anyone
under the age of 21 from wagering, and to also block self-excluded customers from creating a new
wagering account.

With respect to otherwise prohibited participants, as noted above, Hard Rock Digital will process
the relevant Prohibited Individuals lists daily upon receipt of the VEP file and share such
information with its vendors so that it may block users from wagering as required. Patrons who
self-exclude will have their accounts suspended immediately.

Additionally, appropriate personnel will also be able to access these lists for purposes of preventing
and suppressing marketing to any prohibited Sports Betting participants.

Page 10 of 17
Verification of Player Identification
Hard Rock Digital uses Lexis-Nexis for initial KYC screening and account creation where the
customer’s name, address, date-of-birth, and Social Security Number are verified. Customers who
fail the Lexis-Nexis verification proceed to the Socure platform which requires the verification of
photo-identification and sanctions screening. Customers who fail the Socure verification are
passed to customer service personnel for manual verification. Hard Rock Digital will use the
Accertify platform to continuously screen customers’ activity for red-flags that may indicate fraud
or money laundering. Some of these triggers are unusual activities related transaction velocity,
multiple deposit methods, and merchant high-risk response codes. Hard Rock Digital also uses
GeoComply for geofencing and GeoComply’s investigative tool Kibana to enhance fraud
identification and investigation relating to the attempted creation of multiple accounts on the same
electronic device. Finally, in addition to using the anti-fraud controls available through Hard Rock
Digital financial vendors Braintree and Mazooma, Hard Rock Digital uses enhanced machine
learning or Artificial Intelligence to identify indicators of fraud at customer account creation,
deposit, and withdrawal; and also implemented Application Programming Interface “BOT”
detection at the computer Server level.
Any unusual or suspicious activity identified by Hard Rock Digital that results in suspension or
closure of player accounts will be reported to the Lottery via email at
SuspiciousActivity@valottery.com.
Wagering By Prohibited Individuals
In the event Hard Rock Digital discovers that a Prohibited Individual is wagering on its system,
Hard Rock Digital will ensure the following steps are taken:
(a) The Patron’s account is immediately suspended;
(b) Any outstanding wagers will be voided and refunded, and the Patron will be directed to contact
Hard Rock Sportsbook Customer Service to provide an address for mailing of any outstanding
balance; and
(c) Hard Rock Digital will alert the Lottery.

Section 9. Description of its AML compliance standards

(a) Hard Rock Digital and its Vendor have controls in place to allow for proper monitoring,
testing, and reporting of AML matters. The Vendor’s Compliance team is charged with
investigating incidents and, when appropriate, reporting such matters to Hard Rock Digital
to make management decisions on the same and file any Suspicious Activity Reports
(“SAR”) with FinCEN. Additionally, the Vendor’s Compliance team oversees an enhanced
due diligence program to monitor customer activity and recommend action to Hard Rock
Digital if such action is necessary.

Page 11 of 17
(b) The Vendor’s AML Standard Operating Procedures and Workflow details the process for
review and escalation. Any additional details required by the Lottery will be provided by
HRD upon request.

(c) The Sports Betting System will utilize Accertify and Socure as an automated tool to assist
the operations team with monitoring suspicious behavior, AML concerns such as deposits
and withdrawals with little gameplay, account sharing and linked accounts, bonus and
promotion abuse, claims of fraud/identity theft, and potential structuring of withdrawals to
avoid reporting thresholds (e.g., $10,000 in a single gaming day).

(d) Additionally, the Vendor’s Due Diligence and Compliance teams conduct a monthly
Enhanced Due Diligence process (“EDD”) to review play for potential fraud or AML
concerns to report to Hard Rock Digital for any management decision or action that may
be necessary. Each month, accounts are flagged for review by the Operations team
personnel, and AML Compliance personnel and the Vice President of Regulatory
Compliance review customer play along with relevant publicly available information to
share such information with Hard Rock Digital to determine whether additional action is
needed (e.g., request for a source of funds, filing of a SAR, etc.).

(e) As described above, wagering is monitored and tracked on a rolling basis. The Vendor’s
Trading and Risk team have algorithms in place to identify instances where a customer
may be attempting to structure wagers or otherwise avoid reporting requirements (e.g. two-
way betting or short odds wagering). The Trading and Risk team prepares monthly reports
on such activity, which is reviewed by Hard Rock Digital as part of their wider EDD review
process.

(f) An ad hoc action tracker for behavior determined to be high risk is also maintained. These
incidents are reviewed immediately rather than at the end of the month.

(g) Hard Rock Digital shall monitor and report all suspicious activity related to Sports Betting
transactions. Should any suspicious activity related to Sports Betting be witnessed or
identified a Suspicious Activity Report shall be submitted in accordance with Hard Rock
Digital’s Title 31 Bank Secrecy Act Anti-Money Laundering Program and sent to the
Lottery via email at SuspiciousActivity@valottery.com. All state and federal AML laws
and regulations will be satisfied.

Section 10. Description of all types of wagers available to be offered by the permit holder

(a) Hard Rock Digital shall only accept wagers approved and published by the Lottery on an
Authorized Sports, Events, Leagues, and Bets Lists. If Hard Rock Digital wishes to take
wagers on a non-listed event, it must submit a request for approval in writing at least 72
hours before the proposed new event to the Lottery at SBEevents@valottery.com. Hard
Rock Digital will only accept wagers on sports events and other events approved by the

Page 12 of 17
 Lottery for which:

I. the outcome can be verified;

II. the outcome can be generated by a reliable and independent process;

III. the outcome will not be affected by any wager placed; and

IV. the event is conducted in conformity with all applicable laws.

(b) Payment for Sports Betting activity or for deposit into a player account shall be made by
debit card, credit card, electronic bank transfer, an online or mobile payment system that
supports online money transfers, winnings or payouts, bonuses and promotions, or a
verified reloadable prepaid card. Other forms of payment may be utilized only upon written
approval of the Lottery.

(c) Hard Rock Digital shall maintain a cash reserve in the amount of at least $500,000.00 or
the actual amount, if higher, to ensure the ability to cover the outstanding Sports Betting
liability.

Section 11. Description of all integrated third-party hardware, software, or systems

(a) Hard Rock Digital Internal Trading Feed – provides event creation, management, pricing
and settlement.

(b) Amelco Platform: Trading platform where all Hard Rock Digital trading is hosted;
consumes feeds for creation and pricing and surfaces to our channels.

(c) Betradar – Provides pricing and event information.

(d) Genius Sports – Provides pricing and event information.

(e) Lsports – Provides analytic insights to derive pricing.

(f) Swish – Provides analytics used in pricing prop bets in approved markets.

Page 13 of 17
(g) Slack – Communication tool between US & dedicated Trading and Risk team.

(h) LexisNexis – Provides customer identification verification

(i) Socure – Provides customer identification verification.

(j) Geocomply – Provides geolocation services.

(k) Accertify – Provides automated AML and fraud detection tools.

(l) MLB – Official Data provider.

(m) NBA – Official Data provider.

Additional tools integrated and used for data capture:

Section 12. A monitoring system to identify irregularities in volume or odds and swings that
could signal unusual or suspicious wagering activity that should require further investigation

Page 14 of 17
Hard Rock Digital’s trading risk team constantly monitors both its bet ticker and its risk summary
pages within the backend trading system. The team can observe individual bets or groups of bets
through which appear to be unusual or suspicious, based on deviations from its normal or expected
customer betting patterns. Additionally, through its risk summary pages, the team can observe at
a sportsbook-wide or state-wide level when certain events or markets accumulate liabilities which
deviate from the normal or expected liability amounts. When such events are discovered, the team
can delve further into the customer details to investigate and, when appropriate, report suspicious
findings to the compliance team and to U.S. Integrity, its Independent Integrity Monitoring
Provider, for further investigation. The Compliance team will report any such activity as well as
any investigative findings or determinations to the Lottery via email at
SuspiciousActivity@valottery.com.

Setting and Moving Lines

Most of Hard Rock Digital’s sports content will be provided via third party trading feeds into the
Sports Betting platform. All price management will be done through the third-party trading fees.
The models/feed are controlled by the feed providers. If and when required, manual price changes
can be made on the platform.

Hard Rock Digital will utilize odds that are set by in-house odds-makers who create prices based
on statistical and historical performances, or by third-party suppliers who provide odds.

Manual odds will be based on general market consensus pricing accompanied by any underlying
algorithmic or analytic information received from third party providers. Lines will be moved to
remain in consensus with the market or reactively to betting activity.

1
Overview of the Hard Rock Digital Trading Platform

Page 15 of 17
System Failures

Procedures for paying wagers in the event of a system failure depend on the nature and expected
duration of the failure.

In normal operations, winning wagers are paid from the Sports Betting System to the player wallet
system in near-real time as the bets are settled. If the failure is a long-term failure of the Sports
Betting System (longer than an hour), unsettled bets will be manually settled with approval from
Hard Rock Digital by the Vendor’s Customer Operations team based on the bet transaction log
and winnings credited to the player’s account as a financial adjustment, where they can be
withdrawn in the normal course. Once the Sports Betting System is restored, balancing adjustments
will be posted as necessary to correct the balance once the settlement proceeds.

Unsettled bets will be manually settled based on the bet transaction log and outstanding balances
determined from the daily wagering account summary or detail report. Once the Sports Betting
System is restored, balancing adjustments will be posted as necessary to account for the manual
actions and correct the balance.

Hard Rock Digital shall document the date, time, and reason for each system failure along with
the date and time the system is restored and file an incident report for each system failure with the
Lottery that details the same. In any event where winning wagers are not paid in a timely
manner, Hard Rock Digital will further file an incident report with the Lottery documenting, at a
minimum, the date, time, and reason for the failure, as well as the date and time the system
is restored, and wagers are properly paid. Incidents will be submitted to the Lottery via email at
SBReleases@valottery.com, and such reports will include the impact to Patrons and include a
report detailing the same when applicable.

Section 13. A wager or attempt to wager above any maximum wager threshold set by the
permit holder that qualifies as unusual or suspicious wagering

Hard Rock Digital’s internal trading and risk team determines wager amount thresholds that trigger
suspicious activity and sets these thresholds using the NATS back-office tool. Generally, the team
sets its bet ticket to filter all wagers $1,000 or greater during peak hours and $500 or greater during
non-peak hours. Once these bets are filtered, they are subject to being flagged and reviewed by the
trading team. These thresholds may be adjusted by the trading and risk team at its discretion.
Hard Rock Digital’s internal trading and risk team also sets a threshold for maximum payouts on
winning bets using the NATS back-office tool. Winning bets that meet the threshold are flagged
by NATS and are manually reviewed by Hard Rock Digital’s trading and risk team. Generally, the
team sets the maximum payout threshold between $5,000 and $10,000 but may adjust any
threshold at its discretion based on a variety of environmental factors.
Hard Rock Digital sets maximum winnings for a variety of bet offerings as shown below:

Page 16 of 17
Offering Maximum Winnings
NFL, MLB, NBA, NHL- Moneyline, Main $1 Million
Spread, Main Total
NFL, MLB, NBA, NHL- Other markets $500,000
excluding player props
NCAAF, NCAAB- Moneyline, Main Spread, $500,000
Main Total
PGA, Tennis, Soccer $250,000
Other sports and markets including $100,000
permissible player props

Page 17 of 17