Digital transformation is reshaping how we live, work and interact with one another. But just as the right to identity is a fundamental human right, the right to privacy is too. That’s why protecting your privacy and security is at the heart of what we do.
It helps us ensure that you, as our users, trust us with your personal data. We’re committed to only using your data in ways that are ethical, secure and compliant with data protection laws globally.
Here’s a brief overview of our approach to privacy and security. If you’d like to drill down into the details, you can look at our in-depth privacy and security pages.
Our obligations differ depending on whether we’re the data controller or data processor
Knowing the different roles we play is crucial to understanding our responsibilities with respect to your data. Depending on which role we play, this changes our obligations. Depending on the product or service being used, Yoti is either the data controller or a data processor.
As the data controller, such as for our Digital ID app, we determine what personal data is collected, how it’s collected and why it’s being used. This means we are required to follow data protection principles, uphold individuals’ rights, ensure data security and take responsibility for our data processing activities.
In other cases, we’re the data processor, such as for our identity and age verification products. As a data processor, we handle personal data on behalf of our business customers, who act as the data controllers. We process their customers’ data in line with the data controller’s instructions. But even in this situation, we still have important obligations under data protection law, such as following the controller’s instructions, applying appropriate technical and organisational security measures and helping the controller meet their responsibilities with respect to individual rights.
You can find out if we’re acting as the data controller or the data processor by looking at the relevant product privacy notice.
We’re transparent in our data processing
In line with our core principles, we’re fully transparent with how we collect, use and share your data. Our clear and comprehensive privacy notices are publicly available on our website or via our Digital ID app. They explain how we use your data in simple terms, to help you make informed decisions about how your data is used.
Each of our products has its own privacy notice, explaining the information we collect and use, data retention, the information we may share, the product’s security, the product’s data analytics and your rights and choices. You can find our product-specific privacy policies in our Privacy Centre.
We always ensure you can easily exercise your individual rights
We’ll always prioritise you being able to exercise your individual rights in the simplest way possible.
A good example is our Digital ID app, where we are a data controller. If you no longer wish for us to have any of your personal information, you can delete your account through the app settings. We’ll ask you to take a photo of yourself so we’re sure it’s you deleting your account. Once we’ve verified that it’s you making the request, we’ll delete this photo along with the rest of your data. This means that your information is permanently deleted from our systems.
For products where we’re the data processor, we work to help our customers (the data controllers) facilitate your rights. For example, we provide functionality for the deletion of data when they receive a request.
It’s our goal to try to make any rights requests as easy as possible. This helps you keep control of your personal data.
We build our products using the ‘Privacy by Design’ approach
At Yoti, our belief is simple: you should have full control over your personal data. Our user-centric model focuses on empowering you to manage your data with confidence. We’ve built everything, from our Digital ID app to our age assurance solutions, using the ‘Privacy By Design’ approach. This helps us to integrate data protection into our technology from the earliest stage.
In an era where data is often exploited and misused, we have a minimalist approach to data collection. In line with our core principles, we only collect the minimum necessary data for the specific purpose. This allows us to protect your privacy whilst reducing the risks associated with the over-collection and over-retention of data.
For example, our facial age estimation technology gives you a secure way to prove your age without sharing your identity document, credit card or details like your name and date of birth. The moment your age is estimated, the selfie is deleted and isn’t retained by Yoti for our own purposes.
We also built our Digital ID app for the same reason. With a Digital ID, you can choose to only share the information strictly necessary for a specific purpose, instead of showing a full identity document. For example, if a business needs you to prove an aspect of your identity, you can choose to share just an “over 18” age credential, your student status or a proof of address.
We have a comprehensive Privacy Governance Framework
Yoti has a robust Privacy Governance Framework which is designed to protect personal information globally. It is overseen by our Data Protection and Security Teams.
The Framework is made up of various controls, processes and policies around fundamental principles. This includes privacy by design, training and awareness, transparency, privacy risk assessment, due diligence and record management, to name a few.
This Framework is essential for maintaining accountability, identifying potential risks and ensuring compliance across all areas of data processing.
Adhering to this Framework is not just the role of our Data Protection Team. At Yoti, we make sure that all employees understand their responsibilities to ensure privacy is considered in everything we do.
We adhere to global data protection and security standards
Our privacy and security practices are underpinned by various industry-leading certifications. These external standards ensure our systems meet the highest levels of data protection and privacy.
We were an early adopter of ISO 27701, the international standard for data privacy. Alongside this, our identity verification services are certified to meet ISO 27001 – the global standard for information security management – and are audited annually. It provides companies with guidance for establishing, implementing, maintaining and improving information security management systems (ISMS).
We also undergo an annual SOC2 Type II security assessment by one of the big four accounting firms. As part of our SOC2 assessment, our age-check services were validated as complying with the British Standards Institution’s PAS 1296:2018 Code of Practice for Online Age Verification service providers.
We commission annual penetration testing of our applications, platform and network infrastructure using a third-party provider. They are assured under the UK National Cyber Security Centre CHECK Penetration Testing scheme. We also run a long-standing, public bug bounty program on HackerOne, where we offer rewards for responsibly disclosed vulnerabilities. This proactive approach has been in place for several years and helps us continuously strengthen the security of our products and services.
We also maintain a comprehensive security centre on our website. It houses our latest security certifications and contains information about our security measures. This includes each of the various security considerations across our products and services.
Putting your privacy and security at the core
As the digital landscape evolves, we remain committed to protecting your privacy. By prioritising data protection, minimising information collection and enforcing robust security protocols, we hope to set the standard for secure data management and pave the way for a safer digital future.
If you have any questions about our privacy and security practices, please get in touch.