Yoti Ltd

Yoti Verify

Yoti facilitates instant digital verification of individuals through a free app that is reusable following initial enrolment. It incorporates leading technology with manual checks to perform liveness and document authenticity checks matched to an individual's biometric. It is a GDPR-compliant service which is simple and secure for users and businesses.

Features

  • A reusable, consumer centric digital identity solution.
  • 24/7 security centre staffed by super recognisers
  • Assess document validity and authenticity and reject documents detected as fraudulent.
  • Smartphone NFC technology to read ICAO 9303 standard documents
  • OCR scan of government issued documents from over 160 countries
  • Individuals matched to documents through facial matching and liveness detection
  • AES 256 bit end-to-end encryption.
  • Integrates simply into platforms (web and mobile) and enterprise ecosystems
  • Complies with data minimisation, privacy-by-design and GDPR
  • Available as an embedded solution or smartphone app

Benefits

  • Government gains from the growing Yoti identity ecosystem
  • Reduces the cost and time required to verify citizens
  • No webforms - receive verified attributes through Yoti
  • Reduces rates of identity fraud and associated costs
  • User consented data sharing, assists with GDPR compliance
  • Allows for 100% remote verification of individuals
  • Caters for individuals with and without a smartphone
  • Reduces in-house burden of authentic document checks
  • Citizens can re-use their verified identity with multiple businesses
  • Global citizen offering

Pricing

£0.015 per transaction

  • Education pricing available
  • Free trial available


G-Cloud 11

230481526301490

Yoti Ltd

Gavin Watts

02037357842

Gavin.watts@yoti.com

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: Both services, the Yoti app and the embedded solution, require connectivity to the internet.

The federated identity service requires users to create a digital identity by downloading the free Yoti app. This takes less than 5 minutes, during which time Yoti will perform a number of checks using technology and "super recognisers" to verify the government-issued details (passport, driver's licence, Citizen card) and match them to a biometric template.
Once users are verified, they will be ready to share verified attributes with third-party organisations.
System requirements:
  • Yoti supports iOS 10 and later software
  • Yoti supports Apple iPhone 5 and later
  • Yoti supports Android 4.1 and later software
  • Requires an internet connection and a browser

User support

Email or online ticketing support: Email or online ticketing
Support response times: We operate 24x7; however, our response times differ.

Within business hours our response time is 20 minutes. At other times, the response time is 90 minutes.

Our business hours are (UK time):
Monday to Thursday 9 am to 9 pm
Friday 9 am to 11 pm
Saturday 2 pm to 11 pm
Sunday 10 am to 7 pm
User can manage status and priority of support tickets: No
Phone support: No
Web chat support: No
Onsite support: No
Support levels: We provide customer support, integration and technical support, and also ongoing support. We provide these levels of support as standard and they are included in our pricing.

Tier 0 - Self Service
Informative app, Video, FAQs, Developer Area / Documentation, Social Media / Search Engine and ZenDesk are all available to the customer.

Tier 1 - Customer Support Ops (response within 20 mins)
The customer can contact us via App feedback, Social Media, Telephone, Email, Website. Our operations, growth and partnership or marketing teams can then solve the problem or escalate it to tier 2.

Tier 2 - Network Operation Centre (1hr<response time >1 day)
Our NOC team will then assess the issue, fix it or assign it to tier 3.

Tier 3 - In-House XFT Fix (2hr<resolution> 3 days)
The ticket is assigned to the correct team for resolution or escalation to the final tier, tier 4.

Tier 4 - External Supplier Fix (2hr<resolution> 3 days)
Issue solved externally.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Organisations can visit our integration guide online and follow instructions to integrate with the Yoti app. Yoti has seven SDKs and three plugins; depending on the choice, integration can take from 15 minutes to a few hours. For the Yoti embedded solution, organisations can send an email to us and we will provide them with the integration documentation. Yoti has a dedicated team to help organisations integrate within 24 hours, and to provide ongoing support once the organisation is live.

For users, the Yoti app is designed to be intuitive and simple to sign up to. All they have to do is download our free app and follow the instructions to set up an account, which takes 5 mins. Users will need to follow a few basic steps first: add a mobile number, add a PIN, complete a Liveness test and add a government-issued anchor document. Once verified, the user is prompted in-app to begin using the service. Our app has clear instructions the whole way through this process to ensure it is easy to complete. Further help is provided via our 24/7 customer support via email, comprehensive FAQs and website.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Both organisations and users are able to download all of their receipts of information that has been shared. They can then store this as a CSV file.

Users are able to remove their Yoti account and permanently delete their information at any time (immutable transaction receipts/audit trail persists with the recipient of that information).

We also allow organisations to delete their copy of receipts from the Dashboard.
End-of-contract process: Users are able to export any information before the termination of the contract.

Everything is included in the pricing.

Using the service

Web browser interface: Yes
Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: Yes
Compatible operating systems:
  • Android
  • iOS
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Organisations can integrate Yoti in their web, mobile web or mobile apps, to verify or authenticate individuals. Organisations will receive this information on their backend systems, available only on desktop.
If verification is done via the Yoti app, users can only use the Yoti mobile app.

If verification is done via the embedded solution, the onboarding process is similar; users will need the device’s camera - desktop or mobile - to take a selfie / take a photograph of government-issued ID.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: We recently had Leonie Watson, an expert in the accessibility field, carry out a live audit at our office to demonstrate how our app performs. The result was positive and she gave us some areas to improve on.
Our team constantly attend accessibility conferences to be sure we are up to date.
API: Yes
What users can and can't do using the API: Our seven web development kits and ready-to-go plugins can integrate Yoti into all major websites and mobile solutions in as little as 15 minutes (for the plugins) to a few hours (for the development kits).
Yoti also has mobile SDKs to help integrate Yoti into both Android and iOS mobile apps within a few hours.
API documentation: Yes
API documentation formats:
  • HTML
  • PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The Yoti service is fully customisable for our clients and works around their needs. Our system can be integrated seamlessly with current websites or mobile apps in a matter of hours and clients can customise what information they require from users.
Organisations have the ability to request as little or as much information as they require from the source government-issued documents. Additionally, we are able to provide third-party information, such as an airline boarding pass or a government-issued visa, through the platform.

Scaling

Independence of resources: Currently, Yoti’s system is set up to process up to 3.7 million transactions per day. We can easily increase capacity to 7.4 million as demand requires. As we grow we will be able to further scale our infrastructure to accommodate the projected volume of checks.

Analytics

Service usage metrics: Yes
Metrics types: Yoti defines 'shares' as events where identity attributes are provided to a receiving party using the Yoti platform. The metrics provided are:
- The number of shares received by a given application (one organisation can set up multiple applications).
- The number of unique users who have shared data with any given application(s).
- The number and type of attributes shared with any given application.
- For the embedded solution, we provide a full list of checks and the status of each of them, either pass or fail.
Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach: Yoti stores data in Tier-3 UK-based Data Centres. These are controlled by trained security staff 24/7, with electronic access management, proximity access control systems and CCTV. Data itself is stored within an encrypted database with several advanced cryptographic and security features: each piece of data is secured with a per-user 256-bit AES encryption key, and that key itself is encrypted by a server-supplied key held within a secure hardware device. Additionally, encrypted database records are stored in a hierarchical graph structure, which is only known to the user application which stored the records initially.
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Both organisations and users can export their data by logging into their secure dashboard using the Yoti app and downloading their receipts.
Data export formats: CSV
Data import formats:
  • CSV
  • Other
Other data import formats:
  • Verified information on official ID documents
  • Inputting additional data via the Yoti app
  • Through Yoti verification embedded service

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Availability 99.8%. Allowable downtime is no more than 1hr 27 minutes in any one month and cannot roll over. Response Time 99% less than 4 seconds and none more than 10 seconds (during the 99.8% availability).
Over the last 6 months, we have maintained these levels.

We do not by default offer an automated refund approach should SLAs not be met, but these can be explicitly included in service contracts on a case-by-case basis.
Approach to resilience: Yoti is a global identity platform handling millions of sensitive transactions on a daily basis. The security and reliability of our service is paramount, and we follow a range of leading-edge security processes that ensure that our service is resilient.

Yoti’s Business Continuity plan sets out how we will deal with severe disruption to Yoti’s business and services, including catastrophic failure of our systems, and loss of our premises.

Yoti’s production systems are housed in a Tier 3 datacentre which offers strict security and runs redundancy on all its service offerings. The datacentres operate two separate, identical logical clusters. If there is a failure in one cluster, all services can be moved over to the second cluster. Each logical cluster is spread between at least three physical machines for further redundancy. All databases are spread between at least six physical machines. All devices support redundant power supplies. These processes secure our service to meet our high SLAs.

Yoti is ISAE 3000 (SOC 2) Type I certified. Our SOC 2 report details our security controls and is available on request.
Outage reporting: In the first instance, all issues are logged in Yoti’s logging system (Jira). Incidents shall be categorised against severity, with the response and resolution times set out below. For the most serious cases, Yoti will contact the relevant parties within an hour and have a target resolution of 2 hours. For cases lower in severity, Yoti’s target resolution times are up to 3 days.

Yoti reports this process through regular specific email alerts, on our public website and customer service notifications. Moreover, our personal account managers are on hand to help in any way they can via telephone or email.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Other
Other user authentication: Yoti focuses on both strong identification and authentication of users. Yoti has an industry-leading identification process that matches a user's biometric facial template to their government photo ID that is verified by our physical secure checking facility. Once verified, this information is then stored in the user's free Yoti app (something they own), protected by a PIN code (something they know) and verified by their biometrics (something they are). Yoti can then support multi-factor authentication using biometric checking (face, fingerprint, PIN) to ensure the same identified person is accessing the service.
Organisations need a Yoti account to access their dashboard.
Access restrictions in management interfaces and support channels: Internally, staff access to the system is restricted by clearance level, from our Senior Management team to Leadership team to internal documents. Each level has an owner and these are periodically reviewed. All accounts are owned by individuals and are managed by secure passwords conforming to the NIST guidelines and use 2FA when technically possible.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: DAS Certification Limited
ISO/IEC 27001 accreditation date: 30/04/2018
What the ISO/IEC 27001 doesn’t cover: The operation of Yoti's ISO27001 Information Security Management System is to cover the operational and technical business functions and the physical and logical security of Yoti Limited. The scope supports the on-going business for Yoti Limited in both its London and Chelmsford sites. Those assets that are managed by third parties under SLA are excluded from the scope.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications:
  • Secure by Design
  • ISAE 3000 (SOC 2) Type I certified.

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards:
  • ISO/IEC 27001
  • Other
Other security governance standards: ISAE 3000 (SOC 2) Type I
Information security policies and processes: Yoti is certified to ISO 27001 and to ISAE 3000 (SOC 2). Yoti operates an Information Security Management System (ISMS) which outlines management commitment to information security. This system includes people, processes and IT systems by applying a risk management process. We have two main internal mechanisms to ensure our systems remain secure:
1. The Security Forum meets regularly to discuss reported security issues and ongoing security measures; and
2. Each quarter the Yoti ‘Risk Champions’ - experts from each department - update the Risk Register and present identified risks to the senior management team, who can then decide how to mitigate the risk (this provides a bottom-up security risk assessment).

As part of our commitment to security, all staff receive training in information security and privacy within 1 month of joining Yoti and have annual refresher training.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: We have formal change management processes for software and for infrastructure, which both comply with SOC 2 and ISO27001. These use ticketing systems to implement a full audit trail for change workflow, with management approval required at every stage to ensure security and accountability. Changes are approved by the appropriate member of staff who is qualified to make the correct assessment of security impact.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Yoti uses well-supported Operating Systems and software for all production services. The Network Operations Centre (NOC) manages the services on a 24-hour basis. The NOC subscribes to the security release notifications for all relevant software vendors and suppliers (e.g. Debian DSA). Patches and updates to services are assessed based on their security impact, particularly the CVSS rating, and scheduled for deployment in accordance with the change control process. Change Requests for Package updates are raised within, at most, two of notification of availability.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Yoti's Network Operations Centre (NOC) monitors production infrastructure 24/7 for correct operation using the Nagios monitoring tool. Additional monitoring is carried out using Site24x7. Any alerts are dealt with immediately. Internal security network behavioural monitoring is carried out using the Darktrace machine-learning Enterprise Immune System. Distributed Denial-of-Service (DDoS) protection is carried out and automatically triaged by a third-party network provider.

If an incident is detected, Yoti's NOC follows the pre-determined Incident Management Process, which details procedures for incident responsibility, lines of communication, resolution and ultimately root-cause analysis.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Yoti’s environments are monitored 24x7, and incidents are raised by Yoti’s NOC. The NOC has predefined processes for different severities of incidents. Users can report incidents by emailing hello@yoti.com. After an incident has been resolved, an in-house report is generated and reviewed by the Incident team. Our incident management process conforms to SOC2 and ISO27001.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Pricing

Price: £0.015 per transaction
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Yoti is open to discussions on free trials, which would depend on the service required. Please contact us directly for more information.

Service documents

  • Pricing document (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)