Backend systems prove receipt.
We prove execution.
The device-bound evidence layer for digital payments. Signed at the moment of action. Verifiable without a vendor backend. In production since 2019.
external voice · cio, tier-1 bank
“When I need user identity I use Zscaler. When I need device identity I use YinkoShield.”
CIO of an African Tier-1 bank running YinkoShield in production since 2022, across millions of endpoints. Anonymised, not invented; said unprompted in an architecture review. Name available under NDA.
in production
Built and operated by Yinkozi since 2013. Witness layer in production since 2019, anchor reference at a Tier-1 South African bank.
- scale
- 0M+ mobile endpoints in production
- device fragmentation
- ~0 Android hardware configurations handled
- geography
- 2 offices UAE · South Africa
- in production since
- 2019 anchor reference: a Tier-1 South African bank
A new category in payment trust.
policy stays with you
Conditional policy. Not a binary toggle.
Vendor-coupled tools give you a switch per check — enable, disable, or monitor. The check fires the same way regardless of what the user is trying to do.
Execution evidence inverts that. We supply signed signals; your policy engine combines them with business context. Allow a balance check on a rooted device. Refuse to add a new beneficiary on the same device. The signal is the same; the response is conditional on what's at stake.
vendor-coupled · rasp
Per-check switch: enable, disable, or monitor. In monitor mode, the vendor hands you an event handler — your team writes the policy logic against it. No way to make the check context-aware without rebuilding the vendor's engine.
decoupled · eei
Signed signals delivered to your policy engine. If rooted device and action is add beneficiary: refuse. If rooted device and action is view balance: allow. Conditional, contextual, written by you.
Two infrastructure primitives.
A trusted runtime that signs what happened — and the evidence layer that carries it. Together: a new category.
Trusted Runtime Primitive
A platform-portable execution environment that observes what the runtime actually does and signs it with a hardware-bound key. Same evidence guarantees across mobile, POS, SoftPOS, and SST estates — across ~13,000 hardware configurations.
Without the runtime, there is no consistent evidence.
READ →Execution Evidence Layer
The signed, hash-linked record of what actually happened on the device. Travels with the transaction. Verifiable with a public key alone. Replayable from the local ledger when a deeper investigation is needed.
Without the evidence, the runtime is just another runtime.
READ →Six journeys. One signed substrate.
Network. Fraud. Experience. Integrity. Operations. Autonomous. Pick the one your customers, fraud team, or operations team will name out loud.
- payments in constrained networks
Payments survive the partition.
“My terminals run on cellular and 2G/3G. Transactions fail in dead zones. I can't tell retries from duplicates.”
See the journey → - fraud, malware, and adversarial integrity
Adversarial behaviour, observable at the moment of execution.
“Mobile malware is getting better. My fraud models drown in operational noise that looks like fraud but isn't. I need clean signals.”
See the journey → - approval-rate and customer-experience integrity
False declines stop being the conservative default.
“My approval rate erodes in places I can't fully explain. App restarts, retries that look like duplicates, latency spikes. My customers blame me.”
See the journey → - execution and key integrity
Cryptographic guarantees about what executed.
“I need verifiable proof that the device-side execution is what the spec describes. I need to see when keys rotate. I need to know which tokens were rejected and why.”
See the journey → - forensics and proactive operations
See incidents coming. Investigate when they don't.
“I want to know what's about to break before my customer calls. When something does break, I want forensics without sending an engineer.”
See the journey → - agentic payments and autonomous execution
When the system acts on its own, the substrate it acted on becomes the audit.
“AI agents are about to initiate transactions. I need to prove which agent acted, in what runtime state, on which device, in what sequence — without parsing millions of logs.”
See the journey →
Mobile, POS, SST. One signed format across all of them.
The same Trusted Runtime Primitive ships across every estate. The evidence comes out in the same shape, verifiable the same way — by your stack, your dispute platform, your regulator, your partners.
- mobile →
Mobile banking, fintech, and superapps
Mobile environments run outside controlled infrastructure. Execution state, device context, and user interactions need independent verification — not assumption.
- Overlay & accessibility-service abuse, observable
- SIM swap & device compromise, signed inline
- Identity continuity across the user journey
- POS · mPOS · SoftPOS →
POS and acquiring estates
Standard terminals are opaque to the systems that depend on them. Device state, execution integrity, and transaction context become observable at the terminal boundary.
- Deterministic onboarding across the fleet
- Offline integrity continuity in dead-zone networks
- Verifiable evidence at the moment of transaction
- self-service terminals →
SST and bank self-service estates
Unattended terminals running long sessions across critical journeys — payments, account opening, identity verification. Runtime coherence is the substrate that makes those flows defensible.
- Long-session execution provenance
- Smart-ID and national-identity adjacency
- Physical-access threat boundary observable
Designed for African and emerging-market payments.
- ·01 property
~200 bytes
tiny header, big information
JWS-compact ES256 token, inline with each request. Substantial signal payload at minimal bandwidth cost — designed for cellular and 2G/3G estates.
- ·02 property
offline by design
the ledger does not depend on connectivity
Evidence is generated and signed at execution time, against a local append-only hash-linked ledger. Partition is an operating condition, not an exception. Records flush when connectivity returns — in order, signed, intact.
- ·03 property
reverse-billing compatible
works under zero-rated DNS
Compatible with mobile network operator zero-rating arrangements through the platform's network module. Customers in low-data conditions stay protected without the operator carrying the data cost.
Operators should never depend on us to verify.
YEI-001 is the specification. Reference verifiers in Python, JavaScript, Go, and Java. Any party with a public key can verify evidence independently. Currently shared with regulators and qualifying partners under NDA.
Request access to the specification{
"eid": "8f1e3a90-2b4c-4f81-b6d7-1c9c3a1f4d12",
"seq": 1044,
"tctx": "01J0T8VQ4F",
"event": "payment.initiated",
"ts": 1714323105421,
"did": "did:yks:Z2gXf...",
"kid": "k.2025-Q2.r3",
"sig_ref": { "url": "yks-ledger://...", "hash": "0x9c4a..." }
}We brief payment networks, schemes, processors, and tier-1 banks on EEI by request.
No sales pitch. A clear technical conversation about whether execution evidence is the right substrate for the problem you are trying to solve.
Request a briefing