Sub-processor list
| Sub-processor | Service provided | Categories of data concerned | Location / transfer status | Role |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL / Amazon Web Services, Inc. | Cloud hosting, storage, compute, databases, infrastructure security, backups | Platform data, identity verification data, document data, biometric data, technical logs, Proof Package data | EU/EEA region preferred; possible transfers depending on services and support model | Infrastructure sub-processor |
| Microsoft Ireland Operations Ltd / Microsoft Corporation | Cloud services, Entra ID integration, identity federation, enterprise services, optional hosting or monitoring components | Administrator data, authentication metadata, integration data, technical logs, support data | EU Data Boundary / EEA where configured; possible transfers depending on services | Cloud / identity integration sub-processor |
| Cloudflare, Inc. / Cloudflare Germany GmbH | CDN, DDoS protection, web application firewall, DNS, edge security | IP addresses, request metadata, security logs, device/browser metadata | Global edge network; EEA safeguards required | Security and network sub-processor |
| Okta, Inc. / Okta entities | Identity provider integration, authentication, SSO, IAM integration | Administrator data, authentication metadata, user identifiers, access logs | EEA or third-country processing depending on customer configuration | Identity integration sub-processor |
| SendGrid / Twilio Inc. | Transactional emails, verification invitations, notifications | Email address, name where applicable, invitation metadata, delivery logs | Possible non-EEA transfers; SCCs or equivalent safeguards required | Communication sub-processor |
| Stripe Payments Europe, Ltd / Stripe, Inc. | Payment processing, billing support, invoicing where applicable | Customer billing data, business contact data, payment metadata | EEA and possible international transfers | Payment / billing sub-processor |
| GitHub, Inc. / Microsoft Corporation | Software development, code repository, issue tracking, CI/CD | Developer data, limited technical metadata; no production identity verification data intended | Possible non-EEA transfers | Development infrastructure sub-processor |
| Google Firebase / Google Ireland Limited / Google LLC | Mobile application backend services, push notifications, app analytics, crash reporting, authentication support, cloud messaging and mobile infrastructure services, depending on enabled Firebase features | Mobile app identifiers, device data, push notification tokens, crash logs, technical logs, app usage metadata, user identifiers, authentication metadata; no identity document or biometric data intended unless specifically configured | EEA and possible international transfers depending on Firebase services and configuration; Google data processing terms and Firebase sub-processor list apply | Mobile app infrastructure / analytics / messaging sub-processor |
| OVHcloud / OVH SAS or relevant OVHcloud entity | Cloud hosting, infrastructure, servers, storage, networking, backups and related infrastructure services | Platform data, technical logs, security logs, customer account data, identity verification data, Proof Package data, and other data hosted on Yumipass infrastructure | France transfers outside the EEA to be confirmed depending on support, service and contractual setup | Cloud hosting / infrastructure sub-processor |
EVERYTHING YOU NEED TO KNOW
Frequently Asked Questions
If you have additional questions or need personalized assistance, feel free to reach out to our dedicated support team.
Unlike photo-based Passport verification (which can easily be faked with AI), Yumipass app cryptographically verifies the digital signatures inside the Passport’s NFC chip. This ensures:
– The Passport is real and not a forgery.
– The identity data has not been altered.
– The Passport is issued by a legitimate authority.
The Camera is only used to scan the NFC chip access code (similar to PIN), not any personal details. User may also manually enter the NFC chip access code, but where a debit card has 4 digit PIN, Passport may have up to 20 digit “PIN”, making camera more convenient.
Think of the NFC chip access code like unlocking a bank card with a PIN. Just as you need to enter a PIN to use a debit card, the Passport’s NFC chip requires a special access key, printed as a Machine Readable Zone (MRZ) or Card Access Number (CAN). This prevents unauthorised scanning of Passport by ensuring that only someone who physically sees the document can access its NFC chip. Without this code, the chip remains locked and unreadable, just like a bank card without its PIN.
No. Wallet is optional and only for convenience, so that user won’t have to NFC scan Passport on every verification.
No. Yumipass app performs on-device cryptographic verification and only transmits data if user approves a request from an online service that needs to verify the user’s identity. User may save verified Passport to the Yumipass app Wallet to avoid having to NFC re-scan the Passport in every verification, but this indeed is optional and for convenience only.
No. There are no end user accounts in the Yumipass service, therefore no PII data gets stored in the service. Yumipass is not a controller, only an identity claims processor, a secure peer-to-peer service to broker verified identity claims.