Our approach to security and privacy

profile picture Yoti 7 min read
Padlock representing Yoti's security levels

Just as the right to identity is a fundamental human right, privacy is too.

We created Yoti to give everybody a secure, privacy-friendly way of proving their identity, online and in person. Privacy and security, therefore, aren’t just our priority but our raison d’etre.

Our free Yoti app is built with privacy and security at its core and harnesses data minimisation techniques that enable you to share less data. 

We have a rigorous approach to security and have built an innovative database architecture designed to protect against data breaches or cybersecurity attacks.

To ensure that we are held accountable, we are advised by our Guardian Council, an independent board of expert professionals and dedicated advisors from data privacy, human rights, online harms and last-mile technology sectors.

Our mission is, and will forever be, to be the world’s trusted identity platform. This is not a journey we make on our own but with policy advisors, think tanks, researchers, academics and humanitarian bodies.

As our sixth core business principle states, we are transparent about what we are doing and why, so in light of this transparency, we have answered your questions on how we protect your data.


Is Yoti recognised?

Yoti is certified to meet the requirements of ISO/IEC 27001, the global gold standard for information security management. 

We’re also a SOC 2 Type II certified company. We were externally audited over a six month period and we received a flawless report for the operation of our security controls.

The architecture of our security systems has also been reviewed by Cigital (Synposys) and we regularly undergo penetration testing to look for any potential vulnerabilities in our security operations.


How do you keep my data secure?

We have taken a radical new approach to protecting personal data. Instead of storing your information as a single record on one big database, we store each individual piece of your data separately.

Imagine the Yoti database as a bank vault. Each piece of your data is split up, turned into unreadable data through encryption and stored in a different safe. 

Only you have the key to access these safes, which is stored on your phone and not on the Yoti database. 

When you unlock your app with your five-digit PIN, you activate your key which then pulls all of these individual pieces of data together and turns them back into readable text. 

For extra security, Yoti also encrypts your key. To gain access to your safes in the vault, your key must match our Yoti key.


Can Yoti be hacked?

The Yoti database is protected by high-level security and firewalls that are extremely hard to penetrate. In the unlikely situation that somebody did hack the database, the fact that you have your own encryption key means that your data would appear as random gibberish to a hacker.

Imagine the bank vault with the safes again. In Yoti’s system, even if hackers broke into the vault, they still wouldn’t be able to open all the individual safes – they would need the keys from every user’s phone.  


What is encryption and how does Yoti protect my data with it?

Encryption is a mathematical code that turns text into meaningless strings of numbers and letters. We use AES-256 encryption, which is trusted by governments and organisations such as Apple as being virtually impossible to break. 

The number refers to the length of the encryption key and means a hacker will require 2256 different combinations to break a 256-bit encrypted message. We use this encryption for both storing and sending data, so it can’t be intercepted. 


Can Yoti see my data?

Once we verify your account, we can see your data for seven days for security purposes. This allows us to recall any documents that may be flagged up for fraudulent purposes and protect the Yoti ecosystem. After this period, we send your data to the central Yoti database where it is stored as encrypted text. Only you can turn this back into readable text with your encryption key. 


What happens when I share data?

A business will request the information they need from you, which you can accept or deny with your Yoti app.

When you accept a data share, the specified information is sent to the agreed third party  and both parties will get a receipt of the information exchanged.

Yoti can’t see the information you have shared, we can only see the type of attribute (such as ‘name’ and ‘address’), the company and the time and date. 


How is this any better than using my passport?

The Yoti app allows you to share just the information strictly necessary for a transaction. 

For example, to prove your age to buy alcohol in the UK, you can just share the fact that you’re over 18 and nothing else. If you were using a passport, you would have to share your photo, name and date of birth.

We will have already verified your details against the ID document you used to open your Yoti, so the business can have confidence that the details shared are real and accurate without needing to have a copy of the ID document themselves. This protects you against identity fraud and means you don’t need to send ID documents insecurely via email.


How can I be sure that identities are verified correctly?

When you create your Yoti Digital ID, you’re required to take a quick scan of your face during what we call a “liveness test”. This is to prove you’re a real person. We also ask you to scan an official ID document using your phone’s camera. 

We then use a combination of expert AI and manual checks to accurately extract the information from your document. Our team of super recognisers verify the document is genuine and that the photo on the ID document matches your face scan. They are the 2% of the population that have superior skills in recognising faces and work in our security centre, which is a highly secure environment where phones are prohibited and only security personnel can enter. 

To make sure fake and fraudulent documents aren’t being used, the security team check against the Keesing database of global ID documents and the CIFAS (Cross Industry Fraud Prevention Service) database. We also have connections with other fraud watchlists and are a member of the Association of Document Validation Professionals.


Will you ever sell my personal data?

No – we will not, and cannot, sell your information to third parties for marketing or any other purpose. We give you the tools to securely share your information with a chosen organisation. That organisation pays for the check and you have a receipt of what you have shared, but we don’t have access to your personal data.


Can I delete my personal information from your systems forever?

Yes. If you no longer wish to have any of your personal information on our database, you can delete your account by logging in to the app and tapping on More > Settings > Delete my account. We will ask you to take a photo of yourself so we’re sure it’s you deleting your account. We will delete this photo along with the rest of your data when we have verified it’s you. Once you delete your account, your information will be permanently deleted from our systems.

If you just uninstall the app without deleting your account, you do not delete your data.


More questions?

If you have any questions about privacy or security at Yoti, please drop us a line and we will be happy to clear up any doubts.