Prioritising privacy and security: Yoti’s commitment to meeting ISO standards

Amba Karsondas, 6 min read

We’re committed to protecting the privacy and security of our users. That’s why we’re thrilled to announce that we have recently been certified to meet ISO 9001 and ISO 27701 standards.

This is a huge achievement for us as it confirms that our quality management system and data protection policies and procedures meet international standards. These sit alongside ISO 27001 which we’ve met since 2015.


What are ISO standards?

The International Standards Organisation (ISO) is an independent body made up of industry experts from around the world.

They’ve created a series of standards which cover almost all aspects of technology and manufacturing. ISO standards offer businesses a way to standardise and regulate their processes.

ISO standards are designed with the needs of the parties they represent in mind. These could be manufacturers, sellers, buyers, customers, trade associations, users or regulators.

They are internationally recognised and transferable across different industries. This allows for a safer and more consistent end result as everyone is able to follow the same set of guidelines.


What is ISO 27701?

ISO 27701 is a newly released framework for data privacy. Most countries have laws on data protection and privacy. Those laws tell a company what they need to do to comply. Though they are broadly similar, some of the details tend to differ across jurisdictions.

To allow for these differences, ISO 27701 guides companies on best practices for managing their privacy and data protection activities.

Companies are required to document how their practices are in line with the standard’s requirements. They must also be audited by internal and third-party auditors.

Our auditor said, “It is clear to see that the business and its employees are totally committed to making the business the best it can be, and I can see strong signs that it won’t just be best-in-class but world-class.”


How does Yoti meet ISO 27701 standards?

At Yoti, we work closely with personal data. It’s a key part of what we do.

One of the founding principles within our ethical framework is to ‘enable privacy and anonymity’. Therefore, it’s essential that we have a robust privacy information management system (PIMS) in place. With this, we can keep personal data safe as it ensures that we follow local laws such as the Data Protection Act (DPA) and GDPR.

David Davis, our Technical Compliance Officer, said, “Since our company’s inception, we have always aimed to follow best practices in data protection, and comply with the law in the territories we operate in. ISO 27701 is a new international standard for this, and we were eager to be an early adopter.”

One way that we do this is through ‘Privacy by Design’. When building and engineering our products, we consider privacy and data protection right from the start. And our database architecture is built to be protected against data breaches and cybersecurity attacks.

This means that everything, from our Digital ID app to our age assurance solutions, is built with privacy at the core. Users are always in control of their data. They have full visibility over what data they are sharing, and who they are sharing it with.

This is all overseen by our Data Protection Officer. They make sure that we process personal data in compliance with data protection rules.


What is ISO 27001?

Security goes hand in hand with privacy. ISO 27701 relies on ISO 27001 – the world’s best-known standard for information security management systems (ISMS).

It provides companies with guidance for establishing, implementing, maintaining and improving an ISMS.

We were certified to meet ISO 27001 standards back in 2015, just one year after Yoti was founded. Achieving this standard early on was a priority for us as keeping our users’ data secure is fundamental to our business. We needed to be sure that we were compliant long before we even had any customers.


How does Yoti meet ISO 27001 standards?

To be ISO 27001 compliant, we have over 100 different security controls in place. Each control addresses a specific security risk such as system access, the physical security of our buildings, and personnel security.

As technology is evolving at such a rapid rate, we need to be able to manage risks. Security is an incredibly complex area, which is why we use a ‘layered’ approach. This involves multiple controls covering all sorts of human, physical and technological aspects.

These have to be continually monitored to ensure that there are no breaches and that everyone is informed of the latest measures. This gives our controls the best chance of working reliably.


What is ISO 9001?

ISO 9001 sets out the criteria for quality management systems. It checks that an organisation has an effective system for providing products and services that meet customer and regulatory requirements.

Put simply, it makes sure that businesses have a strong customer focus and are always looking to improve their products. This is to ensure that customers get consistent, good quality products and services that meet their needs.


How does Yoti meet ISO 9001 standards?

There are lots of different ways that a business can do this. During our product development process, we focus on meeting WCAG accessibility guidelines. In our Security Centre, there is a strong focus on training and quality checking our staff.

After products are live, we have a Quality Assurance team who try to keep our software free of bugs. And we have dedicated Customer Services and Customer Success teams who give our customers a helping hand.


Privacy as a priority

With the rise of online services and the accelerating shift to a digital world, people understandably have lots of concerns about data privacy and how businesses manage their personal information.

It has never been more important for companies to be transparent about how they handle data and what they’re doing to protect it.

For us, prioritising privacy and implementing data protection processes is vital. By being certified to meet ISO 9001, ISO 27701 and ISO 27001 standards, we hope that this is a step towards reassuring our customers that we’ll always handle data responsibly and securely.

If you’d like to know more about our privacy and security practices, take a look at our privacy centre or get in touch.
