We publish the specification we run in production.

1. 2013

   Yinkozi founded

   Device-side security R&D for African and Middle-Eastern financial systems.

2. 2019

   Witness layer in production

   Anchor reference at a Tier-1 South African bank — 30M+ endpoints under continuous evidence today.

3. 2023

   Hardware abstraction at scale

   ~13,000 distinct Android hardware configurations covered by a single abstraction layer.

4. 2025

   YEI-001 v1.0 published

   The architectural pattern extracted, named, and documented as a specification.

5. 2026

   Strategic engagements

   Schemes, processors, regulators, and tier-1 banks evaluating EEI as substrate.

• ·01

  No data path to YinkoShield

  The runtime ships embedded in the operator's application. The verifier runs in the operator's stack. Keys are generated inside the device's TEE and registered to the operator's backend over an operator-controlled channel that does not include us. There is no telemetry the operator did not ask for; there is no licence check at runtime.

• ·02

  Operator owns the data lifecycle end-to-end

  Evidence is generated and signed at execution time, against a device-resident append-only ledger. The ledger does not auto-upload. Device identifiers are pseudonymous (SHA-256 of the device public key); no customer PII appears in evidence. The spec enforces a privacy-profile choice — `strict` is required for South African consumers under POPIA §11; the same `strict` posture satisfies Nigeria's NDPR, Kenya's DPA 2019, Ghana's DPA 2012, Côte d'Ivoire's LPDP, Morocco's Law 09-08, Mauritius DPA, and the EU GDPR for European data subjects. These regimes apply at the operator boundary, not at ours, because the data does not cross it. The producer-conformance checklist in YEI-001 names each regime explicitly so an operator's DPO can map it to local requirements.

• ·03

  Sovereign verification — no vendor-in-the-path

  Verification of an Evidence Token requires the token, the operator-stored public key, and a verifier implementation. None of those three things has to involve YinkoShield. A YinkoShield outage does not interrupt verification. A YinkoShield termination does not interrupt verification.

• ·04

  No certification programme; the spec is the contract

  We do not certify operators, processors, or schemes. The spec, the four reference verifiers, and the cross-language test-vector corpus are sufficient. Adoption is a procurement choice, not a credential we issue.

• ·05

  PCI DSS / SOC 2 / ISO 27001 — out of scope by design

  Per the spec's CONFORMANCE.md §8: payment-scheme certification, PCI DSS, and the legal admissibility of evidence in any given jurisdiction are explicitly not what the substrate replaces. There is no cardholder-data path through YinkoShield infrastructure (we have no infrastructure in the trust path), so PCI scope does not apply at our boundary. The operator's program owns these certifications against its own deployment.

For the spec table of contents, the verifier contract, the threat-model boundary, and the standards lineage — read the specification page.

Procurement track: for our standard MSA / DPA templates, write to contact@yinkoshield.com with your jurisdiction. We share them ahead of the briefing.