We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / UIDAI AUA/KUA
UIDAI · India

UIDAI / Aadhaar (AUA-KUA)

Security and audit requirements for entities in the Aadhaar authentication ecosystem.

1. Introduction to the UIDAI AUA/KUA Compliance Framework

The Unique Identification Authority of India (UIDAI) governs the Aadhaar ecosystem — the world's largest biometric identity programme, covering more than 1.3 billion residents. Any organisation that wishes to authenticate an individual's identity against the Central Identities Data Repository (CIDR), or to consume Aadhaar-based electronic Know-Your-Customer (e-KYC) data, must first be onboarded and certified by UIDAI. The two principal roles through which entities connect to the ecosystem are the Authentication User Agency (AUA) and the KYC User Agency (KUA). An AUA is an entity that uses Aadhaar authentication (Yes/No or e-KYC responses) to enable its services; a KUA is an AUA that is additionally authorised to receive resident demographic and photograph data through the e-KYC service.

Compliance for an AUA/KUA is not a single standard but a layered obligation set. It draws from the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (as amended by the 2019 Amendment Act); the Aadhaar (Authentication) Regulations, 2016 and the Aadhaar (Authentication and Offline Verification) Regulations, 2021; the Aadhaar (Data Security) Regulations, 2016; the UIDAI Information Security Policy — AUA/KUA/Sub-AUA/ASA; the mandatory AUA/KUA and ASA/KSA agreements; and the technical API specifications (Authentication API 2.5/2.6 and e-KYC API 2.5). Since the Aadhaar and Other Laws (Amendment) Act, 2019, private entities may authenticate only where permitted by law or notified by the Central Government, further tightening the eligibility and governance envelope.

This guide provides an auditor-grade deep-dive into the AUA/KUA compliance regime. It enumerates every obligation family — legal, contractual, technical, operational and security — and maps each to what an assessor must verify and the evidence that typically satisfies the requirement. It is intended for compliance leads, information security officers, internal auditors and the empanelled auditors who perform the mandatory UIDAI compliance audit prior to and during go-live.

It is important to appreciate why the AUA/KUA regime is unusually strict compared with ordinary information-security standards. The Aadhaar number is linked to a resident's biometrics and demographics held in a single national repository; a compromise does not merely expose one organisation's customers but can undermine trust in a foundational public-good identity system. UIDAI has therefore designed the ecosystem around three non-negotiable principles: residents must retain control through informed consent; sensitive identity data must be minimised and protected in transit and at rest; and biometric data must never leave the resident's control to reside in a requesting entity's systems. Every control described in this guide traces back to one of these principles. Auditors are expected to test not only that documentation exists, but that the live system behaves in accordance with them — for instance, by inspecting the actual data model to confirm no biometric field is ever written to disk, and by sampling real transactions to confirm consent and masking are enforced in production, not merely in policy.

The consequences of non-compliance are material. UIDAI can suspend or terminate authentication rights, disable licence and API keys, and refer serious violations for action under Chapter VII of the Aadhaar Act, which creates offences and penalties for unauthorised access, disclosure and use of identity information. Financial and reputational exposure compounds with sectoral regulatory action from the RBI, IRDAI, SEBI or DoT, and, increasingly, with obligations under the Digital Personal Data Protection Act, 2023. A disciplined, evidence-led compliance programme is therefore both a licensing prerequisite and a risk-management imperative.

Copyright and source note
UIDAI publications — the Aadhaar Act and Regulations, the Information Security Policy, API specifications and the model AUA/KUA and ASA/KSA agreements — are the copyright of the Unique Identification Authority of India and the Government of India. This guide is an original, independently authored interpretation for educational and readiness purposes. It paraphrases obligations and does not reproduce UIDAI's copyrighted text verbatim. Always validate against the current signed agreement, the latest API specification and circulars issued on uidai.gov.in, as UIDAI amends requirements periodically.

2. What is UIDAI AUA/KUA?

UIDAI AUA/KUA compliance refers to the complete set of security, privacy, technical and governance controls that a requesting entity must implement and continuously maintain to be permitted to consume Aadhaar authentication and e-KYC services. The framework exists because AUAs and KUAs handle two categories of extremely sensitive data: the Aadhaar number itself (a Sensitive Personal Data element) and, for KUAs, the resident's demographic and photograph data returned by the e-KYC service. UIDAI never permits an AUA/KUA to store the resident's biometrics (Personal Identity Data), and imposes strict rules on the handling of the Aadhaar number and e-KYC data.

The ecosystem is intermediated. An AUA/KUA does not connect directly to the CIDR; it connects through an Authentication Service Agency (ASA) or KYC Service Agency (KSA) that holds a secure leased-line or MPLS connection to the UIDAI data centres. The AUA/KUA forms the PersonID (PID) block, encrypts it using UIDAI's public key, and transmits the encrypted request through its ASA/KSA to the CIDR, which responds with a Yes/No (authentication) or an encrypted e-KYC response. This intermediated model means the AUA/KUA's compliance obligations are defined jointly by the UIDAI agreements and the back-to-back agreement with its chosen ASA/KSA.

Key terminology used throughout this guide:

TermMeaning in the Aadhaar ecosystem
AUAAuthentication User Agency — a requesting entity that uses Aadhaar authentication to validate the identity of a resident to deliver services.
KUAKYC User Agency — an AUA additionally authorised to use the e-KYC API and receive resident demographic/photo data.
Sub-AUA / Sub-KUAAn entity that uses Aadhaar authentication through an existing AUA/KUA rather than contracting directly with UIDAI.
ASAAuthentication Service Agency — holds a secure connection to CIDR and routes authentication packets on behalf of AUAs.
KSAKYC Service Agency — an ASA authorised to route e-KYC transactions.
CIDRCentral Identities Data Repository — UIDAI's centralised database of Aadhaar records.
PID blockPersonal Identity Data block — the encrypted payload containing the resident's authentication factors (OTP, biometric, demographic).
Meta / HMACMetadata and the keyed-hash message authentication code that protect request integrity.
ASA/KSA agreementThe contract binding the AUA/KUA to its service agency and, through it, to UIDAI's technical rails.
Auth XML / KYC XMLThe signed, encrypted request/response documents defined by the API specification.

3. Who Must Comply

Any organisation that consumes Aadhaar authentication or e-KYC — whether directly onboarded by UIDAI or operating as a Sub-AUA under a parent AUA — is subject to AUA/KUA compliance. Post the 2019 amendment, only entities permitted by a law made by Parliament or notified by the Central Government (in the interest of the State) may perform Aadhaar authentication, so eligibility itself is a gating control.

Category of entityCompliance obligation
Banks and financial institutionsFull AUA/KUA compliance; e-KYC widely used for account opening; subject to RBI and UIDAI oversight.
Insurance companies / IRDAI-regulated entitiesAUA/KUA where notified; e-KYC for policy onboarding under permitted-use notifications.
Telecom operators / DoT-licensedHistorically KUAs for SIM issuance; now restricted to permitted-use and offline modes post court ruling.
NBFCs, fintechs and payment aggregatorsTypically Sub-AUA/Sub-KUA under a bank or licensed AUA; full downstream compliance applies.
Government departments and ministriesDirect AUAs for subsidy, benefit and service delivery under Section 7 of the Aadhaar Act.
Mutual funds / capital-market intermediariesKUAs/Sub-KUAs for investor onboarding under permitted-use frameworks.
Authentication/KYC Service Agencies (ASA/KSA)Separate, stricter empanelment; provide connectivity but must also meet UIDAI security obligations.
Sub-AUAs / Sub-KUAsBound by the parent AUA's agreement and UIDAI policy; parent is accountable for their compliance.
  • Entities must possess a valid legal basis (statute or Central Government notification) to authenticate — self-declaration is not sufficient.
  • Direct AUAs/KUAs sign the AUA/KUA agreement with UIDAI and an ASA/KSA agreement with a service agency.
  • Sub-AUAs inherit obligations contractually and are audited as part of the parent's ecosystem.
  • All categories must clear the mandatory UIDAI compliance audit by a UIDAI-empanelled/CERT-In auditor before production access.
  • Requesting entities handling e-KYC (KUAs) carry heightened data-minimisation, consent and storage obligations relative to authentication-only AUAs.

4. Structure of UIDAI AUA/KUA Compliance

There is no single numbered control catalogue as in ISO 27001 or PCI DSS. Instead, obligations are distributed across statutory, regulatory, contractual, technical and security-policy instruments. For assessment purposes it is helpful to organise them into control domains. The table below presents the domain structure used throughout this guide's master checklist.

Domain codeDomain / control familyPrimary source instrument
D1Legal eligibility and licensingAadhaar Act s.4/s.7, 2019 Amendment, permitted-use notifications
D2Agreements and contractual controlsAUA/KUA agreement, ASA/KSA agreement, Sub-AUA agreements
D3Consent and resident noticeAuthentication Regulations 2016/2021, reg. on informed consent
D4Purpose limitation and permitted useAadhaar Act s.8, permitted-use circulars
D5Data storage, retention and disposalData Security Regulations 2016, Authentication Regulations
D6Encryption and key managementAPI specification, UIDAI public key, HSM guidance
D7Network and connectivity securityASA/KSA connectivity model, secure channel requirements
D8Application and API securityAuthentication API 2.5/2.6, e-KYC API, PID/Auth XML rules
D9Access control and identity managementInformation Security Policy — access management
D10Logging, audit trail and monitoringAuthentication Regulations (2-year logs), Data Security Regulations
D11Information security management (governance)UIDAI Information Security Policy for AUA/KUA/Sub-AUA/ASA
D12Human resources and awarenessInformation Security Policy — personnel security
D13Physical and environmental securityInformation Security Policy — physical controls
D14Incident management and breach reportingData Security Regulations, CERT-In directions
D15Business continuity and availabilityInformation Security Policy — continuity
D16Fraud management and exception handlingAuthentication Regulations — best-finger detection, fraud
D17Sub-AUA / third-party governanceAUA/KUA agreement — onboarding & oversight of Sub-AUAs
D18Compliance audit and reportingMandatory UIDAI compliance audit, periodic self-audit

5. Master Assessment Checklist

This is the core of the guide. Each domain from Section 4 is expanded below with the specific controls an auditor must examine. For every control the checklist states what to verify and the typical evidence that demonstrates conformity. Auditors should not skip any domain: a single unmet control — for example, storing the Aadhaar number in plain text, or retaining biometrics — can result in suspension of authentication rights.

When applying this checklist, assessors should adopt a test-of-design followed by test-of-operating-effectiveness approach. Test of design confirms that a control, as documented and architected, is capable of meeting the objective; test of operating effectiveness confirms that it has actually operated over a period, using samples of transactions, logs, tickets and reviews. For high-risk controls — the prohibition on storing biometrics, encryption of the PID block, consent capture and Aadhaar-number masking — a single point-in-time observation is insufficient; the auditor should seek independent, corroborating evidence such as database schema inspection, packet or payload review in staging, and log sampling across dates. Findings should be rated by severity, with any prohibited-data or unencrypted-transmission finding treated as critical and blocking for production access.

D1 — Legal Eligibility and Licensing

What to verifyTypical evidence
Entity has a lawful basis (statute or Central Government notification) to perform Aadhaar authenticationCopy of enabling statute / gazette notification / permitted-use approval letter from UIDAI or the sectoral regulator
Authentication is limited to the notified purpose onlyBoard/management note mapping each use case to its legal basis
Private-entity restrictions post-2019 amendment are respectedLegal opinion confirming permitted use; UIDAI approval reference
Entity registration and regulatory licences are currentRBI/IRDAI/SEBI/DoT licence copies, incorporation certificate
No use of Aadhaar for prohibited purposes (e.g. as the sole KYC where restricted)Use-case register with prohibited-use exclusions documented

D2 — Agreements and Contractual Controls

What to verifyTypical evidence
Signed AUA/KUA agreement with UIDAI is in force and unexpiredExecuted AUA/KUA agreement with valid dates and UIDAI reference
Signed ASA/KSA agreement with a UIDAI-empanelled service agencyExecuted ASA/KSA agreement; ASA/KSA empanelment proof
Back-to-back flow-down of UIDAI obligations to Sub-AUAsSub-AUA agreements incorporating UIDAI clauses
Licence-key (LK) and API-key issuance is governed and trackedKey register, issuance approvals, custody records
Obligations on liability, indemnity and termination are understood and monitoredContract-obligation register with owners and review dates

D3 — Consent and Resident Notice

What to verifyTypical evidence
Informed consent is obtained before every authentication/e-KYCConsent capture screens/forms; audit log of consent flag
Resident is told the purpose, that data will be sent to CIDR, and the alternativesDisclosure script/UI text in local language(s)
Consent is recorded and time-stamped and linked to the transactionConsent artefacts joined to auth transaction ID
Offline/alternative identity option is offered where requiredProcess note showing non-Aadhaar fallback
Children/guardian consent handled per regulation where applicableGuardian consent procedure and records

D4 — Purpose Limitation and Permitted Use

What to verifyTypical evidence
e-KYC/authentication data used only for the disclosed purpose (s.8)Data-flow diagram; purpose register per data element
No sharing of Aadhaar number or e-KYC data with unauthorised partiesAccess matrix; data-sharing register; DLP alerts
No use of core biometric information for any purpose other than authenticationArchitecture confirming biometrics are transient and never stored
Analytics/marketing use of e-KYC data is prohibited and blockedSegregation controls; policy prohibiting secondary use
Aadhaar number not published, displayed or used as a public identifierMasking rules; screen/print masking configuration

D5 — Data Storage, Retention and Disposal

What to verifyTypical evidence
Biometrics (PID) are never stored — used transiently and discardedCode review/architecture proof; memory-handling design
Aadhaar number, where stored, is encrypted and access-restricted (or replaced by reference key/UID token)Encryption config; reference-key/token mapping design
e-KYC data stored only as long as required and per agreementRetention schedule; automated purge job logs
Authentication transaction logs retained for the mandated period (2 years) then archived/6 months post-disputeLog retention policy; archival and deletion records
Secure disposal of media and data at end of lifeMedia sanitisation certificates; disposal log
Meta/PID XML and OTP values are not persistedData-inventory scan confirming absence of prohibited fields

D6 — Encryption and Key Management

What to verifyTypical evidence
PID block encrypted with UIDAI public key using the specified algorithm (AES-256 session key, RSA/ECC per spec)API integration code; encryption library configuration
Session key generated freshly per transaction and encrypted with UIDAI keyCryptographic design document; test vectors
HMAC over the PID block is computed and validatedRequest-construction logs (non-sensitive); spec conformance test
Digital signing of Auth/KYC XML with a valid organisation certificateSigning certificate details; CA chain; expiry monitoring
Private keys and signing certificates stored in an HSM or equivalent secure storeHSM inventory; key-custody and dual-control records
Key rotation, revocation and lifecycle procedures are defined and followedKey-management policy; rotation logs; revocation records

D7 — Network and Connectivity Security

What to verifyTypical evidence
Connectivity to CIDR is only via the empanelled ASA/KSA over a secure channelNetwork diagram; ASA/KSA connectivity confirmation
Transport uses TLS with strong ciphers between AUA/KUA, ASA and endpointsTLS configuration; cipher-suite scan results
Network segmentation isolates the Aadhaar-handling environmentFirewall rule-sets; VLAN/segmentation design
Perimeter controls (firewall, IPS, WAF) protect the authentication applicationDevice configs; IPS/WAF policy exports
Egress restricted to ASA/KSA endpoints and approved destinations onlyEgress firewall rules; allow-list documentation
No direct internet exposure of internal Aadhaar componentsExternal vulnerability/attack-surface scan report

D8 — Application and API Security

What to verifyTypical evidence
Auth/KYC XML constructed exactly per the current API specification versionConformance test results against UIDAI staging
Input validation and secure coding practices applied (OWASP)SAST/DAST reports; code-review records
Error responses do not leak Aadhaar data or internal detailsError-handling review; sample masked responses
Version/end-of-life management of API (e.g. migration to latest Auth API)Change record showing supported version in use
Rate limiting and anti-automation to prevent enumeration/abuseThrottling configuration; abuse-monitoring evidence
Response decryption and handling of e-KYC XML is secure and access-controlledKYC response-handling design; access logs

D9 — Access Control and Identity Management

What to verifyTypical evidence
Role-based access control over systems handling Aadhaar dataRole definitions; access matrix; joiner-mover-leaver records
Multi-factor authentication for privileged and remote accessMFA configuration; sample authentication logs
Least-privilege and need-to-know enforced; segregation of dutiesAccess-review reports; SoD matrix
Periodic access recertification performedQuarterly/semi-annual access-review sign-offs
Default/shared/system accounts controlled and monitoredPrivileged-account inventory; vaulting evidence
Timely revocation on role change or exitDe-provisioning tickets tied to HR exit dates

D10 — Logging, Audit Trail and Monitoring

What to verifyTypical evidence
Every authentication/e-KYC transaction is logged with required metadata (no PID/biometric)Log schema; sample redacted logs
Logs retained for the mandated period and protected from tamperingRetention config; WORM/immutable storage; hash-chain evidence
Consent flag and purpose captured in the transaction logLog fields mapping to consent/purpose
Security events centralised and monitored (SIEM)SIEM dashboards; alert rule inventory
Log review procedures and anomaly detection operateLog-review records; alert-triage tickets
Time synchronisation (NTP) across logging systemsNTP configuration; time-drift monitoring

D11 — Information Security Management (Governance)

What to verifyTypical evidence
Documented information security policy aligned to UIDAI's AUA/KUA policyApproved ISP; UIDAI-alignment mapping
Named ISO/CISO accountable for Aadhaar data securityAppointment letter; org chart; RACI
Risk assessment covering the Aadhaar environment is performedRisk register; risk-treatment plan
Change management governs modifications to the auth environmentChange tickets; CAB minutes
Vulnerability management and periodic VAPT of the Aadhaar systemsVAPT reports; remediation tracker
Management review of security posture at defined intervalsManagement-review minutes; metrics packs

D12 — Human Resources and Awareness

What to verifyTypical evidence
Background verification for staff handling Aadhaar dataBGV records; screening policy
Confidentiality/NDA obligations signed by relevant personnelSigned NDAs; acknowledgement register
Role-specific security and privacy awareness trainingTraining records; completion reports; assessment scores
Disciplinary process for policy violationsDisciplinary policy; case records where applicable
Awareness of Aadhaar-specific penalties (offences under the Act)Training content covering Chapter VII offences

D13 — Physical and Environmental Security

What to verifyTypical evidence
Physical access controls to data centres/rooms hosting Aadhaar systemsAccess-control logs; badge/biometric records
Restricted, monitored zones for authentication infrastructureCCTV coverage; visitor logs; zoning plan
Environmental controls (power, cooling, fire) for availabilityFacility maintenance and test records
Secure handling of media and printouts containing Aadhaar dataClear-desk/clear-screen policy; secure print controls
Cloud/hosting provider physical controls (if applicable) are assuredProvider audit reports (e.g. SOC 2/ISO 27001) and data-localisation proof

D14 — Incident Management and Breach Reporting

What to verifyTypical evidence
Documented incident response plan covering Aadhaar data breachesIR plan; playbooks for Aadhaar-specific scenarios
Defined breach-notification path to UIDAI and CERT-In within timelinesNotification procedure; contact matrix; CERT-In 6-hour rule reference
Incidents logged, triaged, contained and closed with root-cause analysisIncident register; RCA reports
Tabletop/simulation exercises conducted periodicallyExercise reports; lessons-learned actions
Forensic readiness for Aadhaar-related incidentsLog preservation and forensic-tooling readiness evidence

D15 — Business Continuity and Availability

What to verifyTypical evidence
Business continuity and DR plans cover the authentication serviceBCP/DR documents; RTO/RPO definitions
Redundant ASA/KSA connectivity or failover arrangementsConnectivity architecture; failover test records
Periodic DR testing performed and results reviewedDR test reports; management sign-off
Capacity and performance managed for authentication volumesCapacity plans; performance-monitoring dashboards
Backup and restore procedures protect non-prohibited dataBackup policy; restore-test evidence (excluding prohibited data)

D16 — Fraud Management and Exception Handling

What to verifyTypical evidence
Handling of authentication failures without denying legitimate serviceException-handling SOP; fallback authentication modes
Best-finger detection / multi-modal biometric fallback where usedBFD implementation; alternate-factor procedure
Monitoring for anomalous authentication patterns and misuseFraud-analytics rules; alert review records
Controls against operator-driven fraud at the point of captureOperator authentication; capture-device controls
Grievance mechanism for residents affected by failuresGrievance SOP; resolution logs

D17 — Sub-AUA / Third-Party Governance

What to verifyTypical evidence
Formal onboarding and due-diligence of every Sub-AUA/Sub-KUAOnboarding checklist; due-diligence reports
Flow-down of UIDAI obligations into Sub-AUA agreementsExecuted Sub-AUA agreements with mandated clauses
Periodic audit/monitoring of Sub-AUA complianceSub-AUA audit reports; oversight register
Segregation of licence keys and traceability per Sub-AUAKey-mapping per Sub-AUA; transaction attribution
Prompt off-boarding and key revocation for non-compliant Sub-AUAsOff-boarding records; revocation evidence

D18 — Compliance Audit and Reporting

What to verifyTypical evidence
Mandatory UIDAI compliance audit completed before go-liveAudit report by UIDAI-empanelled/CERT-In auditor; UIDAI acceptance
Periodic (typically annual) self-audit or third-party audit performedAudit calendar; latest audit report
Findings tracked to closure with management oversightRemediation tracker; closure evidence
Reports and confirmations submitted to UIDAI as requiredSubmission acknowledgements; correspondence
Continuous monitoring bridges the gap between auditsContinuous-control-monitoring dashboards

6. Scoping

Correct scoping determines audit effort and, more importantly, ensures that no system that touches Aadhaar data escapes control coverage. The scope is defined by the flow of the Aadhaar number, the PID block and (for KUAs) the e-KYC response — from the point of resident interaction, through the AUA/KUA application, to the ASA/KSA gateway and back.

  • In scope: all applications, APIs and micro-services that construct the PID block, encrypt/sign requests, or receive and decrypt e-KYC responses.
  • In scope: databases and stores that hold the Aadhaar number, reference keys/UID tokens, or e-KYC demographic/photo data.
  • In scope: the ASA/KSA integration layer, connectivity, keys, HSMs and certificates.
  • In scope: logging, SIEM, backup and monitoring systems that process Aadhaar-related transaction metadata.
  • In scope: Sub-AUA integration points and any partner that relays authentication through the entity.
  • Explicitly out of design (prohibited): storage of biometrics/PID; these must be architected out rather than 'scoped out'.
  • Consider network segmentation to reduce scope — isolating the Aadhaar environment limits which systems are subject to full control assessment.
  • Cloud/hosted components are in scope; verify data localisation within India and provider assurances.
Scoping principle
Unlike PCI DSS where cardholder data can sometimes be tokenised out of scope, the Aadhaar model forbids certain data (biometrics) from ever being stored. Scope reduction therefore comes from segmentation and from replacing the Aadhaar number with reference keys/UID tokens — never from ignoring systems that handle it.

A common scoping error is to treat only the customer-facing application as in scope while overlooking downstream systems that inadvertently receive Aadhaar data — data warehouses, analytics platforms, customer-service tools, backup repositories and log aggregators. Auditors should perform data-flow tracing from the point of capture to every terminal store, and use data-discovery scanning to detect Aadhaar-number patterns (the twelve-digit Verhoeff-checksummed number) in unexpected locations. The UID token, or reference key, mechanism provided by UIDAI is the recommended way to avoid storing the raw Aadhaar number at all: the entity stores an opaque token that can be resolved back only through UIDAI, dramatically shrinking the sensitive-data footprint and the audit scope.

7. Implementation Approach

A phased implementation aligns technical build with contractual onboarding and the mandatory pre-production audit. The following four phases take an entity from intent to certified production operation.

Phase 1 — Eligibility, Onboarding and Design

  • Activities: confirm legal basis/permitted use; select and contract an ASA/KSA; execute the AUA/KUA agreement; define use cases and data flows; design the target architecture (encryption, HSM, no-biometric-storage, reference keys).
  • Deliverables: signed agreements; use-case register; data-flow diagrams; solution architecture and security design; UIDAI onboarding references and licence/API keys.

Phase 2 — Build and Secure Integration

  • Activities: implement PID-block construction, AES/RSA encryption with UIDAI public key, HMAC and XML signing; integrate with ASA/KSA staging; deploy HSM and key-management; implement consent capture, logging and masking; harden network and application layers.
  • Deliverables: working integration in UIDAI staging; encryption/key-management runbooks; consent and logging implementation; hardening baselines and configuration standards.

Phase 3 — Testing, Pre-Production Audit and Certification

  • Activities: conduct functional and conformance testing against staging; run VAPT/SAST/DAST; remediate findings; engage a UIDAI-empanelled/CERT-In auditor for the mandatory compliance audit; close audit findings.
  • Deliverables: conformance-test evidence; VAPT and remediation reports; the UIDAI compliance audit report and UIDAI production-access approval.

Phase 4 — Production Operation and Continuous Compliance

  • Activities: go live; operate logging/monitoring; run periodic access reviews, patching and DR tests; onboard and monitor Sub-AUAs; perform annual audits and self-assessments; manage change and incidents.
  • Deliverables: production runbooks; monitoring dashboards; periodic audit reports; incident and change records; annual compliance attestation to UIDAI.

8. Maturity / Capability Model

UIDAI does not publish a formal maturity scale, but a capability model is a useful lens for internal benchmarking and for demonstrating a trajectory of improvement to auditors and management. The five-level model below adapts common maturity thinking to the AUA/KUA control domains. In practice, an entity must reach at least Level 3 (Defined) to pass the mandatory compliance audit, because standardised, consistently operating controls are what the auditor tests. Levels 4 and 5 reflect the operational maturity expected of high-volume AUAs/KUAs — banks and large government departments — where continuous monitoring and automation are necessary to sustain compliance across millions of daily transactions and a wide Sub-AUA network.

LevelCapability stateCharacteristics
Level 1 — InitialAd hocControls exist informally; reliance on individuals; no consistent evidence; gaps likely to fail audit.
Level 2 — ManagedDocumentedPolicies and procedures documented; controls implemented but inconsistently monitored.
Level 3 — DefinedStandardisedControls standardised across the Aadhaar environment; consent, logging, encryption operating consistently; passes audit.
Level 4 — MeasuredMonitoredContinuous control monitoring; metrics and KPIs tracked; access reviews and VAPT on schedule; findings trended.
Level 5 — OptimisingContinuously improvingAutomated evidence, proactive fraud analytics, mature Sub-AUA governance, rapid incident handling, drives improvement.

9. Assessment and Audit Approach

The mandatory UIDAI compliance audit is performed by an auditor empanelled by UIDAI/CERT-In. The following ordered steps describe a rigorous assessment lifecycle for both the initial and periodic audits.

  1. Define scope: identify all systems, data stores, integrations and Sub-AUAs that touch Aadhaar data, and confirm the applicable agreement version and API version.
  2. Review documentation: examine agreements, security policy, risk assessment, data-flow diagrams, key-management and retention policies.
  3. Assess design: evaluate the architecture for no-biometric-storage, correct encryption/signing, HSM use, masking and segmentation.
  4. Test controls: verify consent capture, logging, access control, encryption in practice; sample transactions and logs (redacted).
  5. Conduct technical testing: perform or review VAPT, configuration reviews and conformance tests against UIDAI staging.
  6. Interview stakeholders: confirm roles, awareness, incident and change processes with ISO, developers and operations.
  7. Evaluate Sub-AUA governance: review onboarding, agreements, key segregation and oversight of downstream entities.
  8. Rate findings: classify gaps by severity and impact on Aadhaar data protection and regulatory obligations.
  9. Report and remediate: issue the audit report, agree remediation plans and owners, and revalidate closure of critical findings.
  10. Submit and attest: provide the report/attestation to UIDAI as required and schedule the next periodic audit.

10. Evidence Request List

The following categorised list is a practical pull-list an auditor issues at kick-off. Providing these promptly accelerates the assessment.

  • Legal and contractual: enabling statute/notification, permitted-use approvals, executed AUA/KUA and ASA/KSA agreements, Sub-AUA agreements, licence/API key register.
  • Governance: information security policy, risk assessment and treatment plan, ISO/CISO appointment, management-review minutes, roles and RACI.
  • Consent and privacy: consent capture screens/scripts, disclosure notices, purpose register, data-flow diagrams.
  • Data protection: retention schedule, purge/deletion logs, encryption and key-management policy, HSM inventory, masking configuration.
  • Technical: API integration/design documents, conformance-test results, SAST/DAST/VAPT reports, network and segmentation diagrams, TLS/cipher scans.
  • Access control: role matrix, MFA configuration, access-review sign-offs, joiner-mover-leaver records, privileged-account inventory.
  • Logging and monitoring: log schema and samples (redacted), retention/immutability config, SIEM dashboards and alert rules, NTP configuration.
  • Operations: change tickets/CAB minutes, patch records, BCP/DR plans and test reports, backup/restore evidence.
  • People: BGV records, signed NDAs, training completion reports and content.
  • Incident and fraud: IR plan and playbooks, incident register, CERT-In/UIDAI notification procedure, fraud-analytics rules, grievance logs.
  • Third party: Sub-AUA onboarding/due-diligence, oversight audits, cloud/hosting provider assurance reports and data-localisation proof.
  • Audit: previous UIDAI compliance audit report, remediation trackers, UIDAI correspondence and approvals.

11. Roles and Responsibilities

RoleResponsibility in the AUA/KUA compliance programme
Board / Senior ManagementAccountable for lawful use, resource allocation and overall compliance posture; approves policy.
Chief Information Security Officer (CISO)Owns the Aadhaar security programme, risk management, audit closure and UIDAI security alignment.
Data Protection / Privacy OfficerEnsures consent, purpose limitation, retention and resident-rights obligations are met.
Compliance / LegalMaintains legal basis, agreements, permitted-use validity and regulatory reporting.
Solution / Security ArchitectDesigns no-biometric-storage architecture, encryption, HSM, segmentation and masking.
Development / Integration TeamImplements API integration, PID construction, signing and secure coding to spec.
IT Operations / InfrastructureRuns connectivity, HSM, patching, backups, DR and availability of the auth service.
SOC / Security MonitoringOperates SIEM, log review, alerting and incident detection for Aadhaar systems.
Internal AuditPerforms periodic self-audit and validates control effectiveness and evidence.
ASA/KSA LiaisonManages connectivity, keys and coordination with the service agency and UIDAI.
Sub-AUA ManagersOnboard, contract, monitor and off-board downstream Sub-AUAs and their compliance.

12. KPIs to Track

  • Authentication success rate and failure-reason distribution (to detect issues without denying service).
  • Percentage of transactions with valid, recorded consent (target 100%).
  • Number of prohibited-data findings (biometrics/PID/OTP persisted) — target zero.
  • Encryption/signing conformance rate against the current API specification.
  • Mean time to detect and mean time to respond for Aadhaar-related incidents.
  • Percentage of privileged accesses under MFA and coverage of access recertification.
  • VAPT critical/high findings open beyond SLA and average remediation time.
  • Log completeness and retention compliance (mandated retention met, tamper-evidence intact).
  • Percentage of Sub-AUAs with current agreements and passed compliance reviews.
  • Audit findings closed on time; recurrence rate of previously closed findings.
  • DR test success and RTO/RPO adherence for the authentication service.
  • Training completion rate for personnel handling Aadhaar data.

13. Readiness Checklist

  • Lawful basis / permitted use confirmed and documented.
  • AUA/KUA and ASA/KSA agreements executed and current.
  • Architecture verified to never store biometrics/PID/OTP.
  • Aadhaar number encrypted or replaced by reference key/UID token where stored.
  • PID block encryption, HMAC and XML signing implemented per current API spec.
  • Private keys and certificates held in an HSM with lifecycle management.
  • Informed consent captured, disclosed and logged for every transaction.
  • Aadhaar number masking enforced on screens, prints and logs.
  • Transaction logs retained for the mandated period on tamper-evident storage.
  • Network segmentation and TLS with strong ciphers in place.
  • RBAC, MFA for privileged access and periodic recertification operating.
  • SIEM, log review and alerting active for the Aadhaar environment.
  • Incident response plan with UIDAI/CERT-In notification path tested.
  • BCP/DR for the authentication service tested within the last cycle.
  • VAPT/SAST/DAST completed and critical findings remediated.
  • Sub-AUA onboarding, agreements and oversight in place.
  • Security awareness training completed for relevant staff.
  • Mandatory UIDAI compliance audit passed and production access approved.
  • Remediation tracker maintained with owners and closure evidence.

14. Common Gaps

  • Storing biometric/PID data or persisting OTP values — an outright prohibition breach.
  • Storing the Aadhaar number in plain text or without adequate access restriction, instead of using a reference key/UID token.
  • Weak or missing masking of the Aadhaar number on screens, receipts, exports and logs.
  • Consent not genuinely informed, not recorded, or not linked to the transaction.
  • Using e-KYC data for purposes beyond the disclosed and permitted use (secondary use).
  • Private keys/certificates held in software rather than an HSM, or with no rotation/revocation process.
  • Running an outdated API version or non-conformant PID/XML construction.
  • Logs missing required metadata, under-retained, or stored without tamper-evidence.
  • Inadequate Sub-AUA governance — no flow-down clauses, key segregation or oversight audits.
  • No defined UIDAI/CERT-In breach-notification path or untested incident response.
  • Missing or expired legal basis/permitted-use approval, especially for private entities post-2019.
  • Skipping periodic audits or leaving prior audit findings unremediated.

15. UIDAI AUA/KUA Mapped to Other Frameworks

Entities usually operate multiple compliance regimes concurrently. The mapping below helps reuse controls and evidence across frameworks. Mappings are indicative, not one-to-one; UIDAI obligations remain authoritative for Aadhaar handling.

UIDAI AUA/KUA control areaISO/IEC 27001:2022NIST CSF 2.0PCI DSS v4.0India DPDP Act 2023
Legal eligibility / permitted useA.5.31 Legal requirementsGOVERN (GV.OC)Req. 12 policy/scopeLawful processing, purpose
Consent and noticeA.5.34 Privacy/PIIGOVERN / IDENTIFYN/A (privacy)Consent, notice obligations
Purpose limitationA.5.34, A.8.11 Data maskingGOVERN (GV.PO)Req. 3 data retentionPurpose limitation, storage limitation
Encryption / key managementA.8.24 CryptographyPROTECT (PR.DS)Req. 3.5/3.6 keys, Req. 4Reasonable security safeguards
Data storage / retentionA.8.10 Deletion, A.5.33PROTECT (PR.DS)Req. 3.1/3.2 retentionStorage limitation, erasure
Network securityA.8.20/8.21/8.22PROTECT (PR.IR)Req. 1 network securitySecurity safeguards
Access controlA.5.15/8.2/8.3/8.5PROTECT (PR.AA)Req. 7/8 access & authAccess-limitation safeguards
Logging and monitoringA.8.15/8.16DETECT (DE.CM)Req. 10 loggingSecurity safeguards
Incident and breach reportingA.5.24-5.28RESPOND (RS)Req. 12.10 IRBreach notification to Board
Business continuityA.5.29/8.14RECOVER (RC)Req. 12.10.1Availability safeguards
Third-party / Sub-AUA governanceA.5.19-5.22GOVERN (GV.SC)Req. 12.8 service providersData processor obligations
Audit and assuranceA.5.35/5.36GOVERN / IDENTIFYReq. 12.11 reviewAccountability, DPIA where applicable

16. How CyberSigma Helps

Partner with CyberSigma for UIDAI AUA/KUA readiness and audit
CyberSigma's CERT-In empanelled and PCI QSA-qualified assessors guide organisations end-to-end through the Aadhaar AUA/KUA journey — from confirming permitted-use eligibility and selecting an ASA/KSA, to designing a no-biometric-storage architecture with HSM-backed encryption, implementing consent, masking and tamper-evident logging, and conducting VAPT. We prepare you for, and perform, the mandatory UIDAI compliance audit, drive remediation to closure, and stand up continuous control monitoring, Sub-AUA governance and annual re-audits. The result: secure, lawful and audit-ready Aadhaar authentication and e-KYC operations. Contact CyberSigma to accelerate your UIDAI AUA/KUA compliance with confidence.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Who performs the UIDAI AUA/KUA audit?
A CERT-In empanelled auditor performs the information-security audit for AUAs/KUAs. CyberSigma is CERT-In empanelled.

Need help with UIDAI AUA/KUA?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.