Home Clients Work About Contact Careers
Part of Rocket Science Group
Regulatory Compliance

CFIUS-Compliant Player Identity Service

We built, operate, and support a PII isolation service enabling a foreign-owned game studio to comply with US government data restrictions.

Key Results

Government
Compliance
Multi-Region
Availability
50+ Pages
Policy Docs
Build-Operate-Support
Model

The Challenge

A game studio owned by a foreign corporation faced CFIUS restrictions preventing them from storing US citizen data. They couldn't keep player platform IDs in their own systems—a fundamental requirement for their upcoming multiplayer game. They needed a US-based entity to build, own, and operate the solution indefinitely.

Our Solution

We built a fault-tolerant player identity service that tokenizes platform IDs, replacing them with random tokens the studio can safely store. The service runs on multi-region AWS infrastructure we operate, with an admin portal featuring immutable audit logging for regulatory compliance.

Technologies Used

Kotlin gRPC AWS DynamoDB Multi-Region Architecture Terraform

The Challenge

When a foreign corporation owns a US game studio, regulatory restrictions apply. Under CFIUS (Committee on Foreign Investment in the United States) rules, certain foreign-owned entities cannot have bulk unrestricted access to US citizen data. Our client couldn’t store player platform IDs—PlayStation, Xbox, Steam, Epic—in their own systems.

But a multiplayer game fundamentally needs player identity. Without it, there’s no progression, no inventory, no account persistence. The studio needed a third-party US-based entity to build, operate, and support a PII isolation service that would satisfy government requirements while enabling their game development.

The stakes were existential: this service would sit in the main game loop. If it goes down, every player loses everything.

Our Approach

Tokenization Architecture

We built a fault-tolerant service that accepts first-party platform IDs and replaces them with randomly-generated tokens. When a player authenticates through any platform, our service looks up or creates a random token—essentially meaningless gibberish—that the studio can safely store. The original platform IDs never touch their systems.

Bulletproof Availability

The service runs on AWS DynamoDB with multi-region replication. We designed it to be extraordinarily difficult to fail—game-critical services demand this level of resilience from day one.

Compliant Admin Portal

For troubleshooting and game management, we built an admin portal accessible only to specific named individuals. Every PII access generates an immutable audit log entry capturing who, what, when, and where. This satisfies government accountability requirements.

Policy Documentation

This wasn’t just engineering. We authored 40-50 pages of security policy documentation that navigated NSA and legal review to gain government approval. Custom-written to satisfy specific CFIUS compliance requirements.

The Results

  • Government-approved security and audit policies
  • US citizen data isolated from foreign parent company
  • Multi-region architecture for bulletproof availability
  • Build-operate-support model where we own and run the infrastructure
  • Expandable scope with commerce proxy and matchmaker on the roadmap
"This service sits in our main game loop. Terminal Velocity built something that's really hard to fail, and they'll operate it for the life of the game."
— Technical Director

Ready to achieve similar results?

Let's discuss how we can help solve your technical challenges and scale your game.

Get in Touch