Yoti Ltd

Digital Identity Wallet (self-sovereign and reusable)

Digital ID app service gives citizens a convenient and privacy-friendly way to prove who they are. They verify their identity details once to create a reusable digital ID they can use to instantly access online or in-person services. Certified to UK Trust Framework (UKDIATF), to GPG45/44, eiDAS and W3C standards.

Features

• Certified to UK Digital Identity and Attributes Trust Framework
• Issue, update or revoke attributes to a secure ID wallet
• Store and manage attributes with AES-256 encryption
• Digitally issue staff identity cards and volunteer identity cards
• Digitally issue health test results, visas or other credentials
• Share attributes with relying parties through consent based model
• Display the credential on phone for in person checks
• Passports, driving licences and National IDs from over 195 countries
• Digital identity verification to GPG 44 45 Government standards
• Smartphone NFC technology to read ICAO 9303 standard documents

Benefits

• Citizens create a digital ID once, and reuse many times
• Reduces the cost and time required to verify citizens
• Reduces rates of identity fraud and associated costs
• Reduce or eliminate need for in-person checks
• Save time and costs issuing and managing physical ID cards
• Prevents the unintended individual using the credential, tied to biometric
• Reduce reliance on physical issuance centres
• Simplifies the process of updating and revoking attributes
• Facilitates the secure delivery of services on-line
• Assists with GDPR compliance

£0.20 to £2.50 a transaction

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@yoti.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

938783178811735

Contact

Carl Dawson
0000 000 0000
gcloud@yoti.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Yoti app requires connectivity to the internet.
• System requirements:
  • Yoti supports iOS 13 and later software
  • Yoti supports iPhone 6s/iPhone 6s Plus and later software
  • Android 8.0 and later software
  • Requires an internet connection and a browser (web or mobile)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Yoti has offices and operations in several global locations. ; Our network operations centre and technical support teams are contactable 24/7/365. ; Our customer service team are 24/7 and reachable via email on help@yoti.com. ; Customer service response times are under 20 mins. ; Our technical support team is available weekdays 9-6pm GMT and reachable via email on clientsupport@yoti.com. ; This uses a ticketing process. Technical support response times are within the hour during the working day. ; Depending on the level of support required, clients may also receive a dedicated support engineer.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide user support, integration and client technical support and also on-going support. We provide these levels of support as standard and are included in our pricing.; ; Tier 0 - User Self Service; Informative app, Video, FAQs, Developer Area/ Documentation, Social Media/ Search Engine and User Service Desk are all available to the user; ; Tier 1 - User Support Operations (response within 20 mins); The user can contact via App feedback, Social Media, Telephone, Email Website. Then our user support operations, sales or marketing teams can solve the problem or escalate it to Tier 2.; Also available is our Tier 1 Client Support, via email, for our business clients to gain technical or post-go-live support for their users. ; ; Tier 2 - Network Operation Centre (1hr<response time >1 day); Our NOC team will then assess the issue, fix it or assign it to Tier 3; ; Tier 3 - In-House Cross-Functional Team Fix (2hr<resolution> 3 days) ; The ticket is assigned to correct team for resolution or escalation to the final tier, Tier 4.; ; Tier 4 - External Supplier Fix (2hr<resolution> 3 days) ; Issued solved externally.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Organisations can visit our integration documentation at yoti.com and follow instructions to register, onboard and integrate with the Digital ID service. ; Yoti Digital ID has integrations in several programming languages, and integration is easy to do in a matter of hours. ; ; Yoti has a dedicated team to help organisations register, onboard, integrate, and then provide ongoing technical support and training once the service is live.; ; For end-users, both Yoti Digital ID app and Post Office EasyID app are free to download and is designed to be intuitive and simple for users to use without additional instructions to the application itself.; ; Further help is provided via our 24/7 customer support via email, comprehensive FAQs and website.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Both organisations and users are able to download all of their receipts of information that has been shared. They can then store this as CSV file. ; ; Users are able to remove their Yoti or Post Office EasyID account and permanently delete their information at any time (immutable transaction receipts/audit trail persists with the recipient of that information). ; ; We also allow organisations to delete their copy of receipts from the Dashboard.
• End-of-contract process: Users are fully able to export any information before the termination of the contract. ; ; Everything is included in the pricing.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There are no material difference in the service an organisation receives. The integration will vary depending on web, mobile web or native app which is further described in our service definition documents.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Our seven web software development kits (SDKs) and ready-to-go plugins can integrate the service into all major websites and mobile solutions in as little as 15 minutes (for the plugins) to a few hours (for the development kits). Yoti also has mobile SDKs to help integrate Yoti into both Android and iOS mobile apps within a few hours.; ; Yoti’s credential issuance service has been incorporated into each of our 7 SDKs,
• Accessibility standards: None or don’t know
• Description of accessibility: Yoti digital ID is offered through an app on users smartphones. Whilst we do not meet specific accessibility standards today (it is a priority on our roadmap) we do ensure we design with this in mind, such as colour contrasts meeting minimum standards and most of our screens can be read with a screen reader. ; Some areas of the digital ID app are not accessible, mainly the liveness test and scanning any id documents using a camera.; Further work is on-going this year to ensure we meet the necessary standard.
• Accessibility testing: None to date, it is in our roadmap to complete this year.
• API: Yes
• What users can and can't do using the API: Our seven web development kits and ready-to-go plugins can integrate Yoti into all major websites and mobile solutions in as little as 15 minutes (for the plugins) to a few hours. ; ; Yoti’s credential issuance service has been incorporated into each of our 7 SDKs.; Extensive documentation can be found at www.yoti.comm/developers
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Organisations can choose exactly the data items they which to request from users, enabling them to both minimise the data they obtain, and maximise the privacy of the individual.; ; Organisations issuing attributes are able to fully define that attribute via the API. The attribute is then rendered inside the individual's Yoti. As an example, the attribute could be rendered as a digital ID card, with all the necessary information, or an attribute could simple be a character string.

Scaling

• Independence of resources: Currently, Yoti’s system is set up to process up to 3.7 million transactions per day. We can easily increase capacity to 7.4 million as demand requires. As we grow we will be able to further scale our infrastructure to accommodate the projected volume of checks.

Analytics

• Service usage metrics: Yes
• Metrics types: Yoti defines 'shares' as events where identity attributes are provided to a receiving party using the Yoti platform. The metrics provided are:; - The number of shares received by a given application. (one organisation can set up multiple applications).; - The number of unique users who have shared data with any given application(s) ; - The number and type of attributes shared with any given application
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Yoti stores data in Tier-3 UK-based Data Centres. These are controlled by trained security staff 24/7, with electronic access management, proximity access control systems and CCTV. Data itself is stored within an encrypted database with several advanced cryptographic and security features: each piece of data is secured with a per-user 256-bit AES encryption key, and that key itself is encrypted by a server-supplied key held within a secure hardware device. Additionally, encrypted database records are stored in a hierarchical graph structure, which is only known to the user application which stored the records initially.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Both organisations and users can export their data by logging into their secure dashboard using the Yoti app and downloading their receipts.
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • Verified information on official ID documents
  • Inputing data from ICO9303 documents
  • W3C credentials issued via our API

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Availability 99.9%. ; Response Time 99% less than 4 seconds and none more than 10 seconds.; ; Over the last 6 months, we have maintained these levels. ; ; We do not by default offer an automated refund approach should SLAs not be met, but these can be explicitly included in service contracts on a case by case basis.
• Approach to resilience: Yoti is a global identity platform handling millions of sensitive transactions on a daily basis. The security and reliability of our service is paramount, and we follow a range of leading-edge security processes that ensure that our service is resilient. ; ; Yoti’s Business Continuity plan sets out how we will deal with severe disruption to Yoti’s business and services, including catastrophic failure of our systems, and loss of our premises. ; ; Yoti’s production system are housed in a Tier 3 datacentre which offers strict security and runs redundancy on all its service offering. The datacentres operate two separate logical clusters who are identical. In case there is a failure in one cluster, all services can be moved over to the second cluster. Each logical cluster is spread between at least three physical machines for further redundancy. All databases are spread between at least six physical machines. All devices support redundant power supplies. These processes secure our service to meet our high SLA's.; ; Yoti is ISAE 3000 (SOC 2) Type II certified. Our SOC 2 report details our security controls and is available under request.
• Outage reporting: In the first instance, all issues are logged into Yoti logging system (Jira). Incidents shall be categorised against severity, with the response and resolution times set out below. For the most serious cases, Yoti will contact the relevant parties within an hour and have a target resolution of 2 hours. For cases lower in severity Yoti’s target resolution dates are up to 3 days.; ; Yoti reports this process through regular specific email alerts, on our public website and customer service notifications. Moreover, our personal account managers are on hand to help in any way they can via telephone or email.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Yoti focuses on both strong identification and authentication of users. Yoti has an industry-leading identification process that matches a user's biometric facial template to their government photo ID that is verified by our physical secure checking facility. Once verified, this information is then stored in the user's free Yoti app (something they own), protected by a pin code (something them know) and verified by their biometrics (some they are). Yoti can then support multi-factor authentication using biometric checking (face, fingerprint, PIN) to ensure the same identified person is accessing the service.; Organisations need a Yoti account to access their dashboard.
• Access restrictions in management interfaces and support channels: Internally, staff access to the system is restricted by clearance level from our Senior Management team, to Leadership team to internal documents. Each level has an owner and these are periodically reviewed. All accounts are owned by individuals and are managed by secure passwords conforming to the NIST guidelines and use 2FA when technically possible.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: DAS Certification Limited
• ISO/IEC 27001 accreditation date: 30/04/2018
• What the ISO/IEC 27001 doesn’t cover: The operation of Yoti's ISO27001 Information Security Management System is to cover the operational and technical business functions and the physical and logical security of Yoti Limited. The scope supports the on-going business for Yoti Limited in both its London and Chelmsford sites. Those assets that are managed by third parties under SLA are excluded from the scope.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Secure by Design
  • ISAE 3000 (SOC 2) Type II certified.

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: ISAE 3000 (SOC 2) Type II
• Information security policies and processes: Yoti is certified to ISO 27001 and to ISAE 3000 (SOC 2). Yoti operates a Information Security Management System (ISMS) which outlines management commitment to information security. This system includes people, processes and IT systems by applying a risk management process. We have two main internal mechanisms to ensure our systems remain secure: ; 1. The Security Forum meets regularly to discuss reported security issues and ongoing security measures; and; 2. Each quarter the Yoti ‘Risk Champions’ - experts from each department - update the Risk Register and present identified risks to the senior management team, who can then decide how to mitigate the risk (this provides a bottom-up security risk assessment).; ; As part of our commitment to security, all staff receive training in information security and privacy within 1 month of of joining Yoti and have annual refrehing.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We have formal change management processes for software and for infrastructure which both comply with SOC 2 and ISO27001. These use ticketing systems to implement a full audit trail for change workflow with management approval required at every stage to ensure security and accountability. Changes are approved by the appropriate member of staff who is qualified to the correct assessment of security impact.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Yoti uses well-supported Operating Systems and software for all production services. The Network Operations Centre (NOC) manage the services on a 24-hour basis. The NOC subscribe to the security release notifications for all relevant software vendors and suppliers (e.g. Debian DSA). Patches and updates to services are assessed based on their security impact, particularly the CVSS rating, and scheduled for deployment in accordance with the change control process. Change Requests for Package updates are raised within, at most, two of notification of availability.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Yoti's Network Operations Centre (NOC) monitors production infrastructure 24/7 for correct operation using the Nagios monitoring tool. Additional monitoring is carried out using the Site24x7. Any alerts are dealt with immediately. Internal security network behavioural monitoring is carried out using the Darktrace machine-learning Enterprise Immune System. Distributed Denial-of-Service (DDoS) protection is carried out and automatically triaged by a third-party network provider.; ; If an incident is detected, Yoti's NOC follows the pre-determined Incident Management Process which details procedures for incident responsibility, lines of communication, resolution and ultimately root-cause analysis.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Yoti’s environments are monitored 24x7, an incident is raised by Yoti’s NOC. The NOC has predefined processes for different severities of incidents. Users can report incidents by emailing hello@yoti.com. After an incident has been resolved an in-house report is generated and reviewed by the Incident team. Our incident management process conforms to SOC2 and ISO27001.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  By utilising a reusable digital ID, organisations are reducing the need for users to travel to a physical location and present their physical identity documents. This saves on fuel and on congestion.
• Covid-19 recovery:

  Covid-19 recovery

  The pandemic highlighted the need for several new ways of living and working. Being able to conduct business remotely, in a secure and trusted way, has served to accelerate the awareness of and need for remote identity verification. This not only helps prevent fraud, but allows businesses to grow quicker and at larger scale than previously possible.
• Tackling economic inequality:

  Tackling economic inequality

  Our identity service verifies people (their facial biometric) to their government issued ID document (Passport, Driving Licence, National ID) from over 195 countries, but also to other official UK ID sources such as the Young Scot card and Citizen card. These can be obtained at a lower cost than traditional government identity documents, and so reduces the economic barrier. Our partnership with Post Office allows this technology to be accessed in-person at a Post Office branch, and so reduces any barriers for computer ownership or home internet connection costs.

Pricing

• Price: £0.20 to £2.50 a transaction
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: There is the ability to undergo a free live production period on discussion with your account manager. This can vary on both volumes of transactions and the period (from 1 week to several months). If a free trial period is agreed, then it includes everything the live production service would.
• Link to free trial: Www.yoti.com/hub

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@yoti.com. Tell them what format you need. It will help if you say what assistive technology you use.