You're in safe hands

We created Yoti to give everybody a secure, private way of proving their identity. Security, therefore, isn’t just a priority. It’s our raison d’être.

Compliance, security and memberships

We commission regular external audits of our business and have been certified to meet some of the world’s most stringent security standards, such as ISO27001, SOC2 Type II and HIPAA.

External audits

  • SOC 2: We undergo an annual SOC2 Type II security assessment by one of the big four accounting firms. We passed our last audit with no exceptions.
  • ISO27001: Our provision of ID Verification Services is certified as compliant with the ISO/IEC 27001:2013 international standard for Information Security. 
  • Penetration testing: We commission annual penetration testing of our platform and network infrastructure.
  • Bounty Program: We participate in the HackerOne community, offering bounty payments to those finding vulnerabilities in our platform.

Industry-based compliance

Social, ethical and environmental performance

  • B Corp: We have been a certified B Corp since 2015, awarded for our commitment to rigorous standards of social, environmental performance, accountability and transparency. Read our report here.
  • Guardian Council: We have our own independent ethics board who are influential individuals from relevant fields such as data privacy and last mile tech. They meet each quarter to discuss issues that affect our users and the people we serve.

 

Identity Verification

  • GPG45: We help clients meet low and medium levels of assurance when checking identity in accordance with the UK government’s Good Practice Guide 45. We’re also happy to assist organisations that need to meet a high level. For more information, read our GPG 45 guidance.

 

Age Verification

  • PAS 1296:2018: As part of our SOC2 assessment, our age-check services were validated as being in compliance with the British Standards Institution’s PAS 1296:2018 code of practice. 
  • PASS: We have been certified by the Age Check Certification Scheme to provide Electronic Identification Verification Technology (e-IDVT) to issuers of ‘PASS’ (Proof of Age Standards Scheme) cards in the UK.
  • FSM: The German Association for Voluntary Self-Regulation of Digital Media service providers has approved our age verification methods to safely regulate access content for minors. Read the report here.

 

Healthcare

  • HIPAA: Where Yoti is used to store, process or transmit electronic health data, our services have been assessed as compliant with the US HIPAA Privacy & Security Rules.

Privacy compliance

  • DPO: Yoti’s Data Protection Officer oversees a Data Inventory that identifies the categories of data that may be stored on the Yoti platform. The inventory also indicates data sensitivity, storage, retention, disclosure, lawful basis for processing and whether certain rights apply.
  • GDPR: Yoti products, services and operations are built and run in a jurisdiction subject to the GDPR / UK Data Protection Act 2018, which is implemented through our Privacy Governance Framework. You can request the framework here.
  • Product-specific privacy: You can find information in our product-specific privacy policies here

Memberships and pledges

  • Responsible 100: We are aligned with Responsible 100 and have used their frameworks to host roundtable discussions on our age estimation technology.
  • Biometrics Institute: We support the seven ethical principles for building biometric technology, as laid out by the Biometrics Institute.
  • 5 Rights: We support the 5Rights framework and their mission to create a digital environment fit for children and young people.

Platform security

The security and privacy of data is paramount in the design of the Yoti platform. It incorporates several features to achieve this.

Data security

  • Data in transit: All public endpoints support only TLS versions 1.2 & 1.3, ensuring that data in transit is secured using up-to-date protocols.
  • Data at rest: Data is stored using AES-256-GCM encryption within our production environments.
  • Separation of concerns: Our production environments are completely isolated from other company networks, and only members of the Security Operations team are granted access to production systems via a VPN with MFA.

Data hosting

  • Data centers: Yoti has two data centers in the UK hosted by Equinix and Telehouse. We have contracted with Amazon Web Services (AWS) to provide cloud computing and hosting services in the UK, Dublin, the US and Canada
  • Network architecture: The network architecture of the Yoti production systems has been designed with the intention of providing an extremely rigorous level of network security, and to provide redundancy against failure of hardware components, whilst maintaining high performance.
  • Monitoring management: Yoti’s Network Operations Centre staff monitor the live production systems 24/7. Monitoring capabilities include systems for real-time cyberthreat/intrusion detection, vulnerabilities scanning, DDoS attack, system performance, resource utilisation and availability. Logging is collected locally in all data centres and archived to Yoti’s central logging infrastructure.

Product security

Some of our products and services have additional security considerations, which you can find explained here. 

Apps - Yoti and EasyID

  • Multi-layered wrapped key encryption model:  Each user’s data in the key-value store is encrypted with a user key that is present only on their own smartphone: it is not stored on the Yoti backend. For further security, there are two more encryption keys stored online and offline locations.
  • Attribute storage: Each individual user’s shareable attributes (eg: name, date of birth, passport details) are not stored together as a single record as they are in a traditional database. Instead they are randomly dispersed throughout the partitioned key-value, making it much harder for data to be useful in the event of a breach.
  • Single-use tokens: Each individual user’s data items can only be associated with each other via personalised, single-use credential tokens that are stored in the Yoti app on that particular user’s smartphone. Yoti staff cannot access or reconstruct any user’s data themselves: this can only be done with a request made from the user’s own smartphone, that sends a credential token to the Yoti backend database, which is used to assemble the requested data so it can be submitted to a third party.

Identity Verification

  • This service allows businesses to ask their customers to verify their identity by uploading an image of their ID document and a biometric selfie to our web portal or the embedded solution. Identity attributes are extracted and encrypted in our data centre, where they can only be decrypted by the business making the request. A business can set a ‘time to live’ parameter which determines how long the attributes are stored for in our data centre before being deleted.

Age Verification

  • Where we provide online age-checking services to third party websites, this allows users of the website to prove that they are over a threshold age (18+) either by sharing this attribute using the Yoti app, using the identity verification portal or performing an age estimation. The result of the age verification is stored in the users browser session in the form of an anonymous hashed ‘age token’ (a form of cookie).

Facial Age Estimation

  • User privacy is a key consideration of this service which doesn’t require end users to log in or hold any kind of account with Yoti. They simply present their face to a webcam or camera in a mobile device. The captured image isn’t stored locally but is transmitted securely across the internet using TLS 1.2 encryption to the Age Scan service. The captured image is then deleted and the resulting age attribute (which may simply indicate whether the estimate is over a configured threshold, such as ‘18+’) is securely transmitted back to the client on the capturing device.

eSignatures

  • All documents and personally identifiable information stored in the database there are encrypted using AES-256. Passwords and API keys are not stored (only hashes of passwords). Encryption and storage of keys is done on Yoti’s UK data centre infrastructure.

Password Manager

  • Login credentials are stored securely in a ‘secure content cloud’ in the Yoti data center and are only downloaded to the browser plugin for the duration of a session. Data in transit between mobile app/browser plugin and the Yoti backend is secured with TLS 1.2 encryption; all data at rest (both in the browser plugin, in the mobile app and on the Yoti backend) is encrypted using AES-256. 

Health Testing

  • This web portal communicates with Yoti backend services and a database hosted at Yoti’s data centres. Users can submit identity and contact details and receive test results via the Yoti app; alternatively these can respectively be entered manually via a web form and received by email. Data submitted via the frontend webform is not cached locally in the browser and data in transit is encrypted through TLS1.2+.

Yoti Security Centres

The highly sensitive operation of verifying identity documents is carried out at our security centre facilities that are run under strict operating procedures designed to maintain data security.

  • Physical security: Yoti Security Centres are manned by operations staff 24/7 and access is controlled by multiple security doors, keyfobs, RFID tags and fingerprint scanners. Access to security rooms is protected with fingerprint scanners and staff are prohibited from entering with personal devices or equipment. The floor is protected with CCTV, burglar alarms and panic buttons which connect to the local police constabulary.
  • Staff vetting: Strict staff vetting involves a CIFAS internal fraud check, and a CallValidate check for ID verification, address verification, bank verification, PEP (Politically Exposed Persons), County Court Judgements, and basic DBS (Disclosure and Barring Service) checks. In India the checks involve an identity and address, employment history verification, education/qualifications, credit history, police record and court records database.  
  • Software architecture: End-user terminals run ‘thin clients’ restricted to specific processes with no other functions or network access possible. 
  • Network architecture: All communication between the security centre terminals and Yoti production systems elsewhere is protected by means of a firewalled and encrypted VPN. No network-enabled devices are permitted inside the security centre rooms.

Internal controls

Some of our products and services have additional security considerations, which you can find explained here. 

  • Security Forum: Yoti’s Security Forum has been established to help ensure that there is a clear direction and visible management support for security initiatives. The Security Forum has responsibility for implementing Yoti’s suite of Information Security Management System policies, helping to ensure that there is an appropriate level of security awareness and training among Yoti employees, and reviewing key inputs such as security incidents and audit reports
  • Policies: ISMS, SOC2 Controls Peer Review policy
  • Employee training: All employees receive mandatory security and data privacy training during their probation period, and then have to take an annual refresher.
  • Employee background checks: Potential employees are subject to ID verification checks prior to commencing employment, along with a CIFAS fraud check for UK-based staff. Roles defined as sensitive are subject to further checks, such as PEP and Court Judgements, as well as DBS checks for UK-based staff and police verification for India-based staff.