Yoti Sign - Electronic signature
Yoti Sign offers the convenience and simplicity of e-signing platforms, with the additional option of biometric verification and cryptographic signatures. Sign with email-only authentication, or choose to verify to a higher level of authentication using the individual's biometrics and the Yoti app, both on the same platform.
- Supports business requested levels of authentication
- Cryptographically secured document storage and sending
- Sign whole documents with the tap of a button
- Fully integrated to business workflows through an SDK or API
- Capability to add multiple signees in a defined sequence
- Supports bulk sending of documents to thousands of signees
- Legally compliant with eIDAS and admissible in court
- Supports signing on multiple devices
- Provides real time status updates of document signing progression
- Provides automatic reminders to signee
- Biometric verification of digital signatures
- Provides an audit trail of immutable receipts to all parties
- Full integration with existing business workflows via an API
- Seamless process flow for both businesses and signees
- Each signee can be verified to their government issued ID
- Minimal training needs for staff to use and request signatures
- Dashboard for simple management of all documents
- Biometric and government-issued ID verified signatures, every time
- Part of global identity platform utilising the Yoti app
£0 to £0.40 per unit
- Education pricing available
- Free trial available
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Yoti Sign is a standalone product for biometric digital signatures. Yoti Sign enhanced with biometrics requires the use of the free Yoti app to ensure the secure delivery of an individual's verified attributes to sign legal documents.|
|Cloud deployment model||Hybrid cloud|
Yoti Sign requires connectivity to internet.
To increase the level of authentication on a signature, the document can be signed with biometric and government-verified information. Users are required to download the free Yoti app and create their digital identity, a process that takes 5 minutes. This process verifies government-issued details and matches them to a biometric template. Once the digital identity is created, users can sign documents with it and increase the level of authentication.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
We operate 24x7; however, our response times differ.
Within business hours our response time is 20 minutes. At other times, the response time is 90 minutes.
Our business hours are (UK time):
Monday to Thursday 9am to 9pm
Friday 9am to 11pm
Saturday 2pm to 11pm
Sunday 10am to 7pm
|User can manage status and priority of support tickets||No|
|Web chat support||No|
|Support levels||Yoti provides integration, technical and ongoing support. We also provide customer support to Yoti app users. We provide these levels of support as standard to all clients, and we do not charge for any of these services.|
|Support available to third parties||Yes|
Onboarding and offboarding
If integrating via the API, we will provide our API documentation and an API key once contracted.
If you choose to take Yoti Sign via the portal, username and password details can be provided for a simple login.
|Other documentation formats||
|End-of-contract data extraction||Users have full access to information and signed documents throughout the contract, which remains available beyond termination. Users will be responsible for storing this information in accordance with the applicable regulation and individual consent.|
Yoti Sign is available for a minimum of a 12 month contract.
Users are able to export data before terminating the contract.
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
Organisations using Yoti Sign require a desktop device to create and send a document.
A signee can use multiple devices to complete the signing, along with the Yoti app.
|Description of service interface||Yoti Sign can be used by organisations as a stand alone product or an API.|
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
|Accessibility testing||We meet the WCAG AA standards in relation to colour contrast and text size in the app and we have also enabled inbuilt smartphone screen readers to work in conjunction with the app copy to aid the user experience.|
|What users can and can't do using the API||
The API allows an organisation to integrate Yoti Sign programmatically into its existing workflow, such as the organisation's website.
The user will be able to set up the document's signing ceremony and, if desired, include the verified details required, signatures required, etc. using the API.
Users will be able to set up the service using the REST API by reading through the API documentation.
Users will be able to make changes to their documents and other fields for signatures using the REST API.
There are no strong limitations, and we can work on the requirements of the organisations on a case by case basis.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
Yoti Sign can be fully integrated into existing workflows and tailored appropriately. Organisations can choose the level of assurance of the signature. The sender can request the signee to sign with email only; alternatively, the sender can request the signee to add verified attributes from their digital identity to their signature. The sender can choose which attributes to include.
The Yoti Sign platform has a number of customisable features. For example, users can add any documents that need signing, send those documents to users of their choice, request any number of verified details from the given set, add a personalised message in the email, and set automatic reminders. Custom fields and date boxes are also available.
|Independence of resources||Yoti Sign has no restraints in scalability|
|Service usage metrics||Yes|
We provide detailed reporting including but not limited to the following:
# of documents uploaded
# of recipients added
# of 'signatures' added and completed
# of documents completed
# of invitations sent
# of documents signed
|Reporting types||Real-time dashboards|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||Yoti stores data in Tier-3 UK-based Data Centres. These are controlled by trained security staff 24/7, with electronic access management, proximity access control systems and CCTV. Data itself is stored within an encrypted database with several advanced cryptographic and security features: each piece of data is secured with a per-user 256-bit AES encryption key, and that key itself is encrypted by a server-supplied key held within a secure hardware device. Additionally, encrypted database records are stored in a hierarchical graph structure, which is only known to the user application which stored the records initially.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can log in to the secure portal and download their documents.|
|Data export formats||Other|
|Other data export formats||ZIP file|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Availability 99.8%. Allowable downtime is no more than 1hr 27 minutes in any one month and cannot roll over. Response Time 99% less than 4 seconds and none more than 10 seconds (during the 99.8% availability). We have maintained this level in the past financial year. We do not offer by default an automated refund approach should SLAs not be met; however it can be explicitly included in service contracts on a case by case basis.|
|Approach to resilience||
Yoti is a global identity platform handling millions of sensitive transactions on a daily basis. The security and reliability of our service is paramount, and we follow a range of leading-edge security processes that ensure that our service is resilient.
Yoti’s Business Continuity plan sets out how we will deal with severe disruption to Yoti’s business and services, including catastrophic failure of our systems, and loss of our premises.
Yoti’s production systems are housed in a Tier 3 datacentre which offers strict security and runs redundancy on all its service offerings. The datacentres operate two separate, identical logical clusters. If there is a failure in one cluster, all services can be moved over to the second cluster. Each logical cluster is spread between at least three physical machines for further redundancy. All databases are spread between at least six physical machines. All devices support redundant power supplies. These processes secure our service to meet our high SLAs.
Yoti is ISAE 3000 (SOC 2) Type I certified. Our SOC 2 report details our security controls and is available on request.
|Outage reporting||Yoti will contact the relevant parties within an hour and have a target resolution of 2 hours. For cases lower in severity Yoti’s target resolution dates are up to 3 days. Yoti reports this process through regular specific email alerts, on our public website and customer service notifications. Moreover, our personal account managers are on hand to help in any way they can via telephone or email.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Yoti focuses on both strong identification and authentication of users. Yoti has a secure and industry-leading identification process that verifies a user's email address. Once verified, this information is then stored in the user's free Yoti app (something they own), protected by a PIN code (something they know) and verified by their biometrics (something they are). Yoti can then support multi-factor authentication using biometric checking to ensure the same identified person is accessing the service.|
|Access restrictions in management interfaces and support channels||Internally, staff access to the system is restricted by clearance level from our Senior Management team, to Leadership team to internal documents. Each level has an owner and these are periodically reviewed. All accounts are owned by individuals and are managed by secure passwords conforming to the NIST guidelines and use 2FA when technically possible.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||DAS Certification Limited|
|ISO/IEC 27001 accreditation date||30/04/2018|
|What the ISO/IEC 27001 doesn’t cover||The operation of Yoti's ISO27001 Information Security Management System is to cover the operational and technical business functions and the physical and logical security of Yoti Limited. The scope supports the on-going business for Yoti Limited in both its London and Chelmsford sites. Those assets that are managed by third parties under SLA are excluded from the scope.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Yoti is ISAE 3000 (SOC 2) Type I certified for its technical and organisational security processes. We are delighted to have achieved an unqualified Type I report from a top-four auditor. We are due to undergo a Type II audit in summer 2019.
The Yoti app is accredited by Secured by Design.
|Information security policies and processes||
Yoti is certified to ISO 27001 and to ISAE 3000 (SOC 2). Yoti operates an Information Security Management System (ISMS) which outlines management commitment to information security. This system includes people, processes and IT systems by applying a risk management process. We have two main internal mechanisms to ensure our systems remain secure:
1. The Security Forum meets regularly to discuss reported security issues and ongoing security measures; and
2. Each quarter the Yoti ‘Risk Champions’ - experts from each department - update the Risk Register and present identified risks to the senior management team, who can then decide how to mitigate the risk (this provides a bottom-up security risk assessment).
As part of our commitment to security, all staff receive training in information security and privacy within 1 month of joining Yoti and receive annual refresher training.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||We have formal change management processes for software and for infrastructure, both of which comply with SOC 2 and ISO 27001. These use ticketing systems to implement a full audit trail for the change workflow, with management approval required at every stage to ensure security and accountability. Changes are approved by the appropriate member of staff who is qualified to correctly assess the security impact.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Yoti uses well-supported Operating Systems and software for all production services. The Network Operations Centre (NOC) manage the services on a 24-hour basis. The NOC subscribe to the security release notifications for all relevant software vendors and suppliers (e.g. Debian DSA). Patches and updates to services are assessed based on their security impact, particularly the CVSS rating, and scheduled for deployment in accordance with the change control process. Change Requests for Package updates are raised within, at most, two of notification of availability.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Yoti's Network Operations Centre (NOC) monitors production infrastructure 24/7 for correct operation using the Nagios monitoring tool. Additional monitoring is carried out using Site24x7. Any alerts are dealt with immediately. Internal security network behavioural monitoring is carried out using the Darktrace machine-learning Enterprise Immune System. Distributed Denial-of-Service (DDoS) protection is carried out and automatically triaged by a third-party network provider. If an incident is detected, Yoti's NOC follows the pre-determined Incident Management Process which details procedures for incident responsibility, lines of communication, resolution and ultimately root-cause analysis.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Yoti’s environments are monitored 24x7; an incident is raised by Yoti’s NOC. The NOC has predefined processes for different severities of incidents. Users can report incidents by emailing email@example.com. After an incident has been resolved, an in-house report is generated and reviewed by the Incident team. Our incident management process conforms to SOC 2 and ISO 27001.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0 to £0.40 per unit|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||We can offer a 30-day trial|