Dear Footprint Family,
July was a nice month to continue what I’ve called “the summer of execution” internally. We now have over 850,000 (mostly not yet portable) identities in our vaults and well over 500,000 card numbers—a testament to the growing trust our customers are placing in us to vault sensitive and mission-critical data. We are also now close to going live this month with two of our larger signed customers for onboarding after weekly integration calls in July. We’ve learned a lot about CS and continued thought around how our product can be leveraged.
This update is a dive into our current product and where it is going. Alex and I had our H2 Roadmap planning last week, the results and reflections of which we presented to the team on Monday. In doing so and seeing how our own thinking had evolved, this update seemed to make sense to write. We have a lot of execution left to do this summer to delight our customers and continue with line of sight to our ambitious metrics for the year.
I hope everyone has a great August!
Best,
Eli
Essay
August will be Footprint’s 18th month in operation (and 6th month live). I thought I would take this time to write about what the company does—focused mainly on the product. A look at how we may have changed since our seed round. Our capabilities. Our vision for tomorrow. What we can do. Can’t do. Aren’t interested in doing. And will do soon. How we thought we would be different; how we are different. To present the idea at the start, I’ll be leveraging the one-pager I sent out when raising the seed round (in which I capitalized the P in Footprint for an unknown reason).
2021
“FootPrint gives enterprises the tools to verify, authenticate, authorize, and secure identity with no friction, low cost, and unparalleled accuracy, and consumers the ability to live in a secure world that trusts and rewards them for being digital citizens.” We’ve stayed largely true to the first sentence in the memo. Giving enterprises the tools to verify and secure identity with low friction and cost but high accuracy is very much at the pillars of the company today.
I suppose a lot of the memo represents the informed naïveté perhaps needed at the embarking of this journey. It focuses a lot on one-click, with a sparse roadmap of how to get there. When asked about network effects today, I reply that we’re focused on building the most accurate and frictionless onboarding and the best security around personal data.
2022
We set out to build KYC and PII Vaulting. That was the gist of our pitch, and for better or worse we were going to tie the two together. Our team spent the bulk of 2022 doing this. We learned a lot along the way. Some lessons:
- You can’t build one-click KYC with exportable decisions. You can, however, make PII portable to give consumers that experience (it does not take time to call bureaus, just to collect data).
- KYC does not have binary outcomes. One company may have the appetite to let someone in; another company may not with the same information depending on their risk thresholds.
- This is often not up to the company—they may need to adhere to a CIP by a bank or broker-dealer. This means they need to send sensitive information somewhere.
- It is a strength to integrate with multiple of the leading bureaus. However, connecting to too many could result in a waterfall that will eventually find a match, right or wrong.
- KYC outcomes have become almost too much in the grey areas. KYC companies separate themselves from fraud and punt on making prescriptive decisions.
- Orchestration companies emerged to help make those decisions by bringing in often more tools than needed.
- KYC is not commoditized; access to databases is. It takes real leadership in fraud and risk to properly interpret and orchestrate through the bureaus.
- KYC sits at a weird place. It feels like there are a plethora of point solutions almost over-solving for both KYC and adjacent fields (fraud, security, internal dashboards). People captured TAMs that involve this area instead of emerging from the epicenter of it.
- Companies do not just do KYC. They often have other information needed to collect at onboarding such as business information or SEC-required broker questions.
- KYC is not static. For most companies with some scale, they’ll be constantly moving data in and out.
We planned Q1 2023 accordingly. Footprint would become an onboarding company for people and businesses—adding KYB. The company would also become PCI Level 1 compliant and add a vault proxy to be able to securely send PII (and PCI) data associated with a person at the time of onboarding.
2023
On target to launch within a year, our first customer went live 363 days from the date of our seed round. They used us for KYC and PII Vaulting, and migrated all of their prior user PII into Footprint vaults. We found a lot of bugs. But we did at a minimum what we needed to do: verify an identity and vault the associated data.
PCI + Vault Proxying
We began to see one of our bets—the vault proxy—could be a real game changer. Credit card companies need to issue and store card numbers at onboarding or later in a post-onboarding user journey. In some cases, this data is more sensitive than PII and often more regulated, but it should be validated and associated with them in a vaulting schema. However, companies faced a problem here. As discussed above, there are point solutions trying to maximize TAMs in each area we see. Vaulting is a good case study. We think this is more a feature than a product. Companies will punt on building PII vaulting until they have to, but card vaulting they will pay for from the beginning. As a result, vaulting companies charge a lot of money per each interaction. In other words, you get billed per usage (fair in a vacuum) at the expense of gating security. We realized we could charge closer to KYC terms (with unlimited interactions per user and then a flat fee per accessed user vault per month). This meant companies could use Footprint to vault cards and PII for less than they were paying to vault just PCI before. Unlock more surface area (PII + PCI vaulting) by bringing in a seemingly obvious component of onboarding for credit/debit cards. Solve customer needs.
Vault Proxy Examples
To expand here, I’m including a few examples of how the vault proxy is used. Our belief is that it dramatically increases the value of vaulting because it is no longer a compliance checkbox or safety measure, but a way to more easily send critical data to the places it must go.
Use Case 1: Payments
Footprint helps companies proxy payment information without the sensitive data ever touching their backend systems or infrastructure. Here customers can transparently and securely use the data with their partners. For example, we can help process payments on Stripe, Checkout.com, or any other processor, and our vault proxy easily lets customers transform PII and PCI without decrypting them first.
Use Case 2: Account Opening Broker Dealer CIPs
Footprint is helping investment platforms create accounts and maintain compliance with brokers, all while not touching sensitive user identity data like SSNs, DoBs, names, addresses, and government documents. Investment platforms that operate on broker-dealer partners need to send CIP information to their broker-dealers. They use Footprint to securely collect and securely forward all PII details to their BD partner for account opening, all while never touching the data themselves.
Use Case 3: Legacy Finance/ Credit Score Reports
Footprint is helping lending tools and credit builders work with customers to improve credit and send those reports to bureaus in a safe way. Today, there are several archaic processes that involve large file transfers with lots of PII (SSNs, credit info, and more) using legacy transfer protocols. This is highly sensitive information that must be sent as frequently as every day, week, or month. Using Footprint, companies can build these files and template out the PII, then send them through the Vault Proxy, where they are hydrated with all the PII and then securely sent to the third party (i.e. a credit bureau).
Typeform for Onboarding
KYB we did prematurely. As we told the team, you could make an argument the ends justified the means (and don’t worry I am about to), but Alex and I own the mistake. We perhaps had the luxury to get a lot of balls in the air to see which one would bring us to larger customers. We no longer have that luxury as our customer base grows. The reason it did not derail us as much as it could (for reference we had KYB ~working~ by April; our first customer may go live on KYB in September) was because it got us thinking about two important things. How do you architect an onboarding flow for more than just KYC PII, and how do you make a flow dynamic for different portable information? The first question would become especially salient as an investment platform was willing to take a bet on us against the field as an early customer. One of the core reasons: Footprint had the makings of a “Typeform for Onboarding.” We could dynamically add the SEC questions required to be asked at onboarding for these platforms.
App Clip
These two learnings showed us where to double down. The first: Footprint will always differentiate as a security company. Even if we were now selling to Heads of Products first and then having them bring a head of eng/risk, that would always be at the root of our pitch. The second learning we had not considered when we started the company, but was a byproduct of achieving the first goal (security). To create an environment where companies never touched the sensitive data, it always made sense to us to build the onboarding flow. That way, PII would never touch their systems. However, in our burgeoning quest to become the onboarding platform for fintechs and marketplaces, we realized UX was neglected by the leaders in the space. They were backend tools. You can’t sell frontend complexity, but if you want to stack modules API integrations to data sources is the way to go at the problem.
We had already been using passkeys to bind a biometric to PII. These allowed us to have strong security for re-authenticating users for one-click in the future (and auth in the present). By doing the passkey in an app clip, however, we could accomplish several goals. The first is stronger fraud prevention, with Footprint becoming arguably the best preventer of duplicate devices—see blog post here. App Clips also give us industry-leading document and selfie scanning by leveraging Apple’s and Google's native device image/face detection and capture SDKs, and an unparalleled UX by making custom-branded native app clip experiences for each customer.
Alex built the first app clip demo in July 2022. We then shelved it because no one asked for one. And why would they? App clips are most commonly used today at some restaurants when you scan a QR code for a menu. The way we detect duplicate identities per device leverages device fraud technologies that companies like Spotify and Netflix use to ensure only authentic and authorized devices running legitimate software access precious digital content. But these early experiences gave us the confidence to go for it in Q2 of 2023, and I think it was the best product decision we have made as a company. It opened up the ability to win two large contracts with companies on average doing 15k+ doc scans a month.
Embedded Onboarding
We saw that the holistic offering was working with security. Companies would vault more in Footprint because it was easier to do so (at the time of ingestion) and had more aligned pricing. Our desire to help with security led to our obsession with frontend (I do believe we have more frontend/product engineers and designers at Footprint than companies in our space with 200 more people). And this infatuation with frontend placed us in hosting onboarding. We began to speak to companies who could not outsource their KYC (a BaaS platform or a Stripe connect required them to use their KYC). However, this could be a prime market for us. Offer an embedded onboarding with strong UX and security, but proxy the PII Data to the provider. We give companies ownership of their flows and data—allowing them optionality if they ever want to change end-providers. In turn, we could get portable identities, more practice onboarding for different industries, and more use cases for our vaulting and proxying.
Segment for Data and Fraud
When you start onboarding more, you begin having a familiar conversation with companies: how do we track fraud by how the users sign up for accounts? Just as companies would KYC and then turn over data to a vaulting company, they would host an onboarding and connect some fancy fraud tools. The problem here was that no one was the decision-maker. The company would pass the PII to KYC tools to verify it (and then pass the PII back to a vault); the fraud tools would compute their heuristics and then pass the signals back to the company to put into a very fancy decision engine required to try to bring together all of these signals.
Once again, by going ~75% deep in a space (only defined as possible features to build, not results for target customers), we could get very good results. I am purposefully using vague words there; our vaulting does not have all the tools of the older companies in the space, and our fraud does not have as many arrows in the quiver as leading fraud tools. However, as previously discussed in vaulting, those companies perhaps offer more elixirs than healthy in order to grow their market, and suffered from only being able to vault what they were given. Likewise, fraud tools made money by selling more fraud modules with increasingly difficult ROI to be derived. I am sure those companies would have critical responses here rooted in sincere domain expertise. These are just our opinions, weakly and then more firmly held, and I state them only to explain the rationale behind our own product thinking.
The fraud landscape showed that Footprint could run our vaulting playbook here. Use the app clip for duplicate fraud prevention, work with device fingerprinting tools, and build our own behavioral risk modules. At the same time, we could give you the option over time to bring in those more advanced tools into our onboarding session if you so desired. Each company has their own needs and thresholds. In this way, we would become a Segment for data and fraud. Tell us what sources to bring in and then we can inject them into your onboarding flow automagically to give you the insights you need with no extra code.
Where are we Today
Typically, onboarding, KYC/KYB, security, and fraud are all disjointed topics solved by point solutions. Our goal is to offer a best-in-class onboarding experience to tie together these four areas. As a result, Footprint is able to help companies onboard good users and offload the risk of storing their data. By bringing them together and leveraging novel technology like Nitro Enclaves, App Clips, and Passkeys, we see a true 1+1=3 for each.
Onboarding + KYC
- Footprint’s dynamic flow smartly collects information in a beautiful UX to boost conversion. It has 80+ customizable attributes to match your look and feel
KYC + Fraud
- We compute device and behavioral signals to see the people behind the information and triple bind identity. This is possible due to Footprint owning the onboarding flow.
KYC + Security
- Information is automatically vaulted in our nitro enclave infrastructure as it enters the onboarding flow. Combined with our vault proxy, you’ll never need to touch sensitive data.
Security + KYC
- We have validated each part of the identity (and associated instruments like payment cards) all linked to a single "user token", resulting in a friendly developer experience and simple integration. This prevents you from storing countless tokens for every PII/PCI field.
Where are we going
Footprint has become a compound platform that's complex yet simple to use. We encompass onboarding (KYC + KYB), security (PII + PCI Vaulting + Proxying), fraud, and auth. This is currently tied together in a dashboard we offer our customers. The goal is this dashboard can replace the need to use a low-code tool like a Retool used to stitch these elements together today. Our top goal is to make this experience better.
Playbooks
KYC companies like to use the term workflows. Our problem is that workflows can be complex, choose your own adventure creations. Customers say they want a level of customization, but we believe they really want decisions. Footprint playbooks will be how we instruct companies to choose the right tools from Footprint to onboard their customers. We will guide you through a few questions and then give you a suggested playbook. For example, an investment platform using Alpaca which is experiencing synthetic fraud will have different needs than a marketplace that wants to use KYC to build trust. Playbooks will be an experience like an App Store, or to steal a page from one of our customers, like Composer strategies. It will also bring transparent pricing into developer experiences. Experiencing fraud? Turn on device fingerprinting for 10 cents/1000 onboards, or gate dollar increments with our embedded components to collect more information at $1.00 a document. Transparent controls you can turn on and off when you need them for real results. At the same time, avoiding the world of adjusting risk score thresholds with the bureaus and spending time writing lots of integration code when the house is on fire. The UX here is beautiful—I’ll share a demo video in the next update.
Insights
Speaking of transparent pricing, we will be bringing a dashboard to explain usage for KYC and Security to our customers. Each of these areas charges differently, and we want to make it easy for customers to track their spending (and the ROI on that spend). The larger goal here though is to securely provide insights around onboards. This over time will get us to a realm of pre-onboarding. For now, we’ve had customers who we have shown this to compare it to a Stripe dashboard.
Embedded Footprint Dashboard
On the topic of letting our customers export insights from Footprint to their customers, we are enabling our customers to embed parts of the Footprint dashboard into their own products. Think one-time access views that securely embed PII for a manual review, or a dual audit view for partner banks to see approval decisions or compliance reports. For example, we sell to a tenant screening company that aggregates demand for hundreds of real estate owners and a digital bank account opening company that has hundreds of FIs that use their product. With Footprint, they can offer their property managers embedded components with rich views into applicant risk signals, PII, and manual reviews. Or take a digital account opening company that will be adopting Footprint and can share this with their banks. Through this, Footprint empowers our customers to delight their own customers and makes us stickier as more people in more companies become reliant on it.
Fraud and Security
We will continue to broaden our vaulting and proxying suite to compete with other companies in the space. On fraud, we’ll be rolling out more behavioral signals, device fingerprinting, and leveraging the native device capabilities from our app clip/instant app as well as from our mobile SDKs. Apologies for being vague here—will say more once these products are released.
Auth
We are not going to compete with Auth0 or the myriad of other auth companies all competing (we even prefer to partner with some of these companies). Rather, we want to use our passkeys at a natural insertion point from KYC to offer a lightweight feature requested by customers. We see auth as a nice way to tie together a few objectives:
- No longer view users in the vacuum of account creation, but in how they interact over time — think step ups for secure actions like updating/adding PII
- Connect to our offboard API (feedback fraud labels)
- Way to portabalize the close to a million NYPIDs we have
- Bring strong security with low friction to our customers
- Help ensure high data fidelity by asking users to confirm their information securely
Vision
In the original memo, I wrote: “FootPrint wants to tokenize identity so that we can replace archaic identification processes with trust. We want to be the last verification form people ever go through, enable companies to no longer treat users as strangers, and make people feel safe while they are online.” That still rings true. To get there, we will follow the path needed to achieve that mission: become the best onboarding platform for companies which enables them to solve issues stemming from KYC, data security, and fraud.
If we are successful in that, we should be able to put our money where our mouth is:
- Dollars of identity theft in the US should begin to go down (we should have the same goal as climate tech startups with global temperature)
- We should have such conviction in the fidelity of our one-click population that we are able to indemnify fraud losses on one-click population, and be able to charge accordingly (bps on LTV for one-click accounts or bps saved from fraud budget)
We have a long way to go. We have not added up all of those 1+1 equations to equal three. There are smart and talented teams building across all of these spaces, with multi-year headstarts in some areas. I am sure we will continue to evolve greatly in the next 18 months, and see what assumptions we had today were incorrect. But I thought the 18-month mark may be a good time to reflect, and share how our product and the thinking behind it has evolved.
Product Releases From Last Month
We’re trying to post most product releases on our change log here. Highlighting a few below!
Fine-grained Vault Proxy ACLs for API Keys
- Footprint's identity and access management controls for API Keys just got even more superpowers. Use the same roles you use to manage accounts to also manage API keys – but now with additional conditions to make it easier and more secure to control access to specific vault proxy configurations. To get started, simply create a new role in the Footprint Dashboard and assign it to an API Key.
- Identity just got smoother. Footprint now automatically defaults to using passkeys if a user has one set up. Simply use your biometric (like FaceID) and you're in! No passwords, two-factor or SMS codes. Secure and simple.
- Similar to common template languages like Jinja and Handlebars, Footprint's templates support filter functions to help transform encrypted data so you can more easily send it securely to your partners. Filter functions work both on EGRESS (transforming data as it leaves the vault) and INGRESS (secure data entering the vault via proxy). Read about how to use Filter Functions to simplify and power the secure movement of data in your infrastructure.
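As an added illustration of the filter-function and API-key ACL ideas above, and of the file-hydration flow in Use Case 3 (this is not Footprint's code or its template syntax): a toy proxy that hydrates `{{ token.field | filter }}` placeholders on egress and normalizes data on ingress, with a per-key field allowlist. The placeholder syntax, filter names, `VAULT` contents and allowlist model are all assumptions made for the example.

```python
import re

# Constructed sample vault: user token -> field -> plaintext. A real vault keeps
# these encrypted and decrypts only inside the proxy, never in the caller's backend.
VAULT = {
    "tok_demo_1": {
        "last_name": "Doe",
        "ssn": "123-45-6789",
        "card_number": "4242 4242 4242 4242",
    },
}

# Hypothetical filter functions, applied left to right like Jinja filters.
FILTERS = {
    "digits": lambda v: re.sub(r"\D", "", v),
    "last4": lambda v: v[-4:],
    "upper": lambda v: v.upper(),
}

# Matches {{ <token>.<field> | filter | filter ... }} (assumed syntax).
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\.(\w+)((?:\s*\|\s*\w+)*)\s*\}\}")


class ProxyError(Exception):
    """Raised when a request asks for something the API key's role disallows."""


def apply_filters(value, names):
    for name in names:
        if name not in FILTERS:  # fail closed on unknown filters
            raise ProxyError(f"unknown filter {name!r}")
        value = FILTERS[name](value)
    return value


def hydrate(template, allowed_fields):
    """Egress: swap placeholders for vault values the key's role may read."""
    def resolve(match):
        token, field, chain = match.group(1), match.group(2), match.group(3)
        if field not in allowed_fields:  # deny by default
            raise ProxyError(f"role may not read field {field!r}")
        try:
            value = VAULT[token][field]
        except KeyError:
            raise ProxyError(f"unknown reference {token}.{field}") from None
        return apply_filters(value, re.findall(r"\w+", chain))

    # An exception aborts the whole substitution, so a denied field never
    # produces a partially hydrated body.
    return PLACEHOLDER.sub(resolve, template)


def ingest(token, field, raw, filters=()):
    """Ingress: normalize inbound data, store it, hand back only a reference."""
    VAULT.setdefault(token, {})[field] = apply_filters(raw, filters)
    return f"{{{{ {token}.{field} }}}}"
```

The caller's backend only ever holds the template and the returned reference; the allowlist is what scopes a given key to the fields one proxy configuration needs.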
Goals From Last Month
Meaningful work on Mobile SDK and Android Instant App
- One of our top goals for this month is to get these ready to ship
Improve waterfall & workflow decision engine
- Incorporating more signals + work being leveraged for playbooks
App clip improvements and enable it live for more customers
- Done
Goals For the Rest of Q3
- 50k+ vers a month running Live
- >1 Million identities vaulted in Footprint
- Shipped Instant App + Mobile SDK
- Ready for Auth Beta
- Ship billing insights
- Ship V1 Playbooks
Where we could use help
Open Roles for Recruiting
- Backend Engineer
- Ideal profile: Skilled in building performant, scalable distributed systems. Experience in one or more of Rust, payments, and security/cryptography is a huge plus.