1. Introduction to the UIDAI AUA/KUA Compliance Framework
The Unique Identification Authority of India (UIDAI) governs the Aadhaar ecosystem — the world's largest biometric identity programme, covering more than 1.3 billion residents. Any organisation that wishes to authenticate an individual's identity against the Central Identities Data Repository (CIDR), or to consume Aadhaar-based electronic Know-Your-Customer (e-KYC) data, must first be onboarded and certified by UIDAI. The two principal roles through which entities connect to the ecosystem are the Authentication User Agency (AUA) and the KYC User Agency (KUA). An AUA is an entity that uses Aadhaar authentication (Yes/No or e-KYC responses) to enable its services; a KUA is an AUA that is additionally authorised to receive resident demographic and photograph data through the e-KYC service.
Compliance for an AUA/KUA is not a single standard but a layered obligation set. It draws from the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (as amended by the 2019 Amendment Act); the Aadhaar (Authentication) Regulations, 2016 and the Aadhaar (Authentication and Offline Verification) Regulations, 2021; the Aadhaar (Data Security) Regulations, 2016; the UIDAI Information Security Policy — AUA/KUA/Sub-AUA/ASA; the mandatory AUA/KUA and ASA/KSA agreements; and the technical API specifications (Authentication API 2.5/2.6 and e-KYC API 2.5). Since the Aadhaar and Other Laws (Amendment) Act, 2019, private entities may authenticate only where permitted by law or notified by the Central Government, further tightening the eligibility and governance envelope.
This guide provides an auditor-grade deep-dive into the AUA/KUA compliance regime. It enumerates every obligation family — legal, contractual, technical, operational and security — and maps each to what an assessor must verify and the evidence that typically satisfies the requirement. It is intended for compliance leads, information security officers, internal auditors and the empanelled auditors who perform the mandatory UIDAI compliance audit prior to and during go-live.
It is important to appreciate why the AUA/KUA regime is unusually strict compared with ordinary information-security standards. The Aadhaar number is linked to a resident's biometrics and demographics held in a single national repository; a compromise does not merely expose one organisation's customers but can undermine trust in a foundational public-good identity system. UIDAI has therefore designed the ecosystem around three non-negotiable principles: residents must retain control through informed consent; sensitive identity data must be minimised and protected in transit and at rest; and biometric data must never leave the resident's control to reside in a requesting entity's systems. Every control described in this guide traces back to one of these principles. Auditors are expected to test not only that documentation exists, but that the live system behaves in accordance with them — for instance, by inspecting the actual data model to confirm no biometric field is ever written to disk, and by sampling real transactions to confirm consent and masking are enforced in production, not merely in policy.
The consequences of non-compliance are material. UIDAI can suspend or terminate authentication rights, disable licence and API keys, and refer serious violations for action under Chapter VII of the Aadhaar Act, which creates offences and penalties for unauthorised access, disclosure and use of identity information. Financial and reputational exposure compounds with sectoral regulatory action from the RBI, IRDAI, SEBI or DoT, and, increasingly, with obligations under the Digital Personal Data Protection Act, 2023. A disciplined, evidence-led compliance programme is therefore both a licensing prerequisite and a risk-management imperative.
Copyright and source note
UIDAI publications — the Aadhaar Act and Regulations, the Information Security Policy, API specifications and the model AUA/KUA and ASA/KSA agreements — are the copyright of the Unique Identification Authority of India and the Government of India. This guide is an original, independently authored interpretation for educational and readiness purposes. It paraphrases obligations and does not reproduce UIDAI's copyrighted text verbatim. Always validate against the current signed agreement, the latest API specification and circulars issued on uidai.gov.in, as UIDAI amends requirements periodically.
2. What is UIDAI AUA/KUA?
UIDAI AUA/KUA compliance refers to the complete set of security, privacy, technical and governance controls that a requesting entity must implement and continuously maintain to be permitted to consume Aadhaar authentication and e-KYC services. The framework exists because AUAs and KUAs handle two categories of extremely sensitive data: the Aadhaar number itself (a Sensitive Personal Data element) and, for KUAs, the resident's demographic and photograph data returned by the e-KYC service. UIDAI never permits an AUA/KUA to store the resident's biometrics (Personal Identity Data), and imposes strict rules on the handling of the Aadhaar number and e-KYC data.
The ecosystem is intermediated. An AUA/KUA does not connect directly to the CIDR; it connects through an Authentication Service Agency (ASA) or KYC Service Agency (KSA) that holds a secure leased-line or MPLS connection to the UIDAI data centres. The AUA/KUA forms the PersonID (PID) block, encrypts it using UIDAI's public key, and transmits the encrypted request through its ASA/KSA to the CIDR, which responds with a Yes/No (authentication) or an encrypted e-KYC response. This intermediated model means the AUA/KUA's compliance obligations are defined jointly by the UIDAI agreements and the back-to-back agreement with its chosen ASA/KSA.
Key terminology used throughout this guide:
| Term | Meaning in the Aadhaar ecosystem |
|---|
| AUA | Authentication User Agency — a requesting entity that uses Aadhaar authentication to validate the identity of a resident to deliver services. |
| KUA | KYC User Agency — an AUA additionally authorised to use the e-KYC API and receive resident demographic/photo data. |
| Sub-AUA / Sub-KUA | An entity that uses Aadhaar authentication through an existing AUA/KUA rather than contracting directly with UIDAI. |
| ASA | Authentication Service Agency — holds a secure connection to CIDR and routes authentication packets on behalf of AUAs. |
| KSA | KYC Service Agency — an ASA authorised to route e-KYC transactions. |
| CIDR | Central Identities Data Repository — UIDAI's centralised database of Aadhaar records. |
| PID block | Personal Identity Data block — the encrypted payload containing the resident's authentication factors (OTP, biometric, demographic). |
| Meta / HMAC | Metadata and the keyed-hash message authentication code that protect request integrity. |
| ASA/KSA agreement | The contract binding the AUA/KUA to its service agency and, through it, to UIDAI's technical rails. |
| Auth XML / KYC XML | The signed, encrypted request/response documents defined by the API specification. |
3. Who Must Comply
Any organisation that consumes Aadhaar authentication or e-KYC — whether directly onboarded by UIDAI or operating as a Sub-AUA under a parent AUA — is subject to AUA/KUA compliance. Post the 2019 amendment, only entities permitted by a law made by Parliament or notified by the Central Government (in the interest of the State) may perform Aadhaar authentication, so eligibility itself is a gating control.
| Category of entity | Compliance obligation |
|---|
| Banks and financial institutions | Full AUA/KUA compliance; e-KYC widely used for account opening; subject to RBI and UIDAI oversight. |
| Insurance companies / IRDAI-regulated entities | AUA/KUA where notified; e-KYC for policy onboarding under permitted-use notifications. |
| Telecom operators / DoT-licensed | Historically KUAs for SIM issuance; now restricted to permitted-use and offline modes post court ruling. |
| NBFCs, fintechs and payment aggregators | Typically Sub-AUA/Sub-KUA under a bank or licensed AUA; full downstream compliance applies. |
| Government departments and ministries | Direct AUAs for subsidy, benefit and service delivery under Section 7 of the Aadhaar Act. |
| Mutual funds / capital-market intermediaries | KUAs/Sub-KUAs for investor onboarding under permitted-use frameworks. |
| Authentication/KYC Service Agencies (ASA/KSA) | Separate, stricter empanelment; provide connectivity but must also meet UIDAI security obligations. |
| Sub-AUAs / Sub-KUAs | Bound by the parent AUA's agreement and UIDAI policy; parent is accountable for their compliance. |
- Entities must possess a valid legal basis (statute or Central Government notification) to authenticate — self-declaration is not sufficient.
- Direct AUAs/KUAs sign the AUA/KUA agreement with UIDAI and an ASA/KSA agreement with a service agency.
- Sub-AUAs inherit obligations contractually and are audited as part of the parent's ecosystem.
- All categories must clear the mandatory UIDAI compliance audit by a UIDAI-empanelled/CERT-In auditor before production access.
- Requesting entities handling e-KYC (KUAs) carry heightened data-minimisation, consent and storage obligations relative to authentication-only AUAs.
4. Structure of UIDAI AUA/KUA Compliance
There is no single numbered control catalogue as in ISO 27001 or PCI DSS. Instead, obligations are distributed across statutory, regulatory, contractual, technical and security-policy instruments. For assessment purposes it is helpful to organise them into control domains. The table below presents the domain structure used throughout this guide's master checklist.
| Domain code | Domain / control family | Primary source instrument |
|---|
| D1 | Legal eligibility and licensing | Aadhaar Act s.4/s.7, 2019 Amendment, permitted-use notifications |
| D2 | Agreements and contractual controls | AUA/KUA agreement, ASA/KSA agreement, Sub-AUA agreements |
| D3 | Consent and resident notice | Authentication Regulations 2016/2021, reg. on informed consent |
| D4 | Purpose limitation and permitted use | Aadhaar Act s.8, permitted-use circulars |
| D5 | Data storage, retention and disposal | Data Security Regulations 2016, Authentication Regulations |
| D6 | Encryption and key management | API specification, UIDAI public key, HSM guidance |
| D7 | Network and connectivity security | ASA/KSA connectivity model, secure channel requirements |
| D8 | Application and API security | Authentication API 2.5/2.6, e-KYC API, PID/Auth XML rules |
| D9 | Access control and identity management | Information Security Policy — access management |
| D10 | Logging, audit trail and monitoring | Authentication Regulations (2-year logs), Data Security Regulations |
| D11 | Information security management (governance) | UIDAI Information Security Policy for AUA/KUA/Sub-AUA/ASA |
| D12 | Human resources and awareness | Information Security Policy — personnel security |
| D13 | Physical and environmental security | Information Security Policy — physical controls |
| D14 | Incident management and breach reporting | Data Security Regulations, CERT-In directions |
| D15 | Business continuity and availability | Information Security Policy — continuity |
| D16 | Fraud management and exception handling | Authentication Regulations — best-finger detection, fraud |
| D17 | Sub-AUA / third-party governance | AUA/KUA agreement — onboarding & oversight of Sub-AUAs |
| D18 | Compliance audit and reporting | Mandatory UIDAI compliance audit, periodic self-audit |
5. Master Assessment Checklist
This is the core of the guide. Each domain from Section 4 is expanded below with the specific controls an auditor must examine. For every control the checklist states what to verify and the typical evidence that demonstrates conformity. Auditors should not skip any domain: a single unmet control — for example, storing the Aadhaar number in plain text, or retaining biometrics — can result in suspension of authentication rights.
When applying this checklist, assessors should adopt a test-of-design followed by test-of-operating-effectiveness approach. Test of design confirms that a control, as documented and architected, is capable of meeting the objective; test of operating effectiveness confirms that it has actually operated over a period, using samples of transactions, logs, tickets and reviews. For high-risk controls — the prohibition on storing biometrics, encryption of the PID block, consent capture and Aadhaar-number masking — a single point-in-time observation is insufficient; the auditor should seek independent, corroborating evidence such as database schema inspection, packet or payload review in staging, and log sampling across dates. Findings should be rated by severity, with any prohibited-data or unencrypted-transmission finding treated as critical and blocking for production access.
D1 — Legal Eligibility and Licensing
| What to verify | Typical evidence |
|---|
| Entity has a lawful basis (statute or Central Government notification) to perform Aadhaar authentication | Copy of enabling statute / gazette notification / permitted-use approval letter from UIDAI or the sectoral regulator |
| Authentication is limited to the notified purpose only | Board/management note mapping each use case to its legal basis |
| Private-entity restrictions post-2019 amendment are respected | Legal opinion confirming permitted use; UIDAI approval reference |
| Entity registration and regulatory licences are current | RBI/IRDAI/SEBI/DoT licence copies, incorporation certificate |
| No use of Aadhaar for prohibited purposes (e.g. as the sole KYC where restricted) | Use-case register with prohibited-use exclusions documented |
D2 — Agreements and Contractual Controls
| What to verify | Typical evidence |
|---|
| Signed AUA/KUA agreement with UIDAI is in force and unexpired | Executed AUA/KUA agreement with valid dates and UIDAI reference |
| Signed ASA/KSA agreement with a UIDAI-empanelled service agency | Executed ASA/KSA agreement; ASA/KSA empanelment proof |
| Back-to-back flow-down of UIDAI obligations to Sub-AUAs | Sub-AUA agreements incorporating UIDAI clauses |
| Licence-key (LK) and API-key issuance is governed and tracked | Key register, issuance approvals, custody records |
| Obligations on liability, indemnity and termination are understood and monitored | Contract-obligation register with owners and review dates |
D3 — Consent and Resident Notice
| What to verify | Typical evidence |
|---|
| Informed consent is obtained before every authentication/e-KYC | Consent capture screens/forms; audit log of consent flag |
| Resident is told the purpose, that data will be sent to CIDR, and the alternatives | Disclosure script/UI text in local language(s) |
| Consent is recorded and time-stamped and linked to the transaction | Consent artefacts joined to auth transaction ID |
| Offline/alternative identity option is offered where required | Process note showing non-Aadhaar fallback |
| Children/guardian consent handled per regulation where applicable | Guardian consent procedure and records |
D4 — Purpose Limitation and Permitted Use
| What to verify | Typical evidence |
|---|
| e-KYC/authentication data used only for the disclosed purpose (s.8) | Data-flow diagram; purpose register per data element |
| No sharing of Aadhaar number or e-KYC data with unauthorised parties | Access matrix; data-sharing register; DLP alerts |
| No use of core biometric information for any purpose other than authentication | Architecture confirming biometrics are transient and never stored |
| Analytics/marketing use of e-KYC data is prohibited and blocked | Segregation controls; policy prohibiting secondary use |
| Aadhaar number not published, displayed or used as a public identifier | Masking rules; screen/print masking configuration |
D5 — Data Storage, Retention and Disposal
| What to verify | Typical evidence |
|---|
| Biometrics (PID) are never stored — used transiently and discarded | Code review/architecture proof; memory-handling design |
| Aadhaar number, where stored, is encrypted and access-restricted (or replaced by reference key/UID token) | Encryption config; reference-key/token mapping design |
| e-KYC data stored only as long as required and per agreement | Retention schedule; automated purge job logs |
| Authentication transaction logs retained for the mandated period (2 years) then archived/6 months post-dispute | Log retention policy; archival and deletion records |
| Secure disposal of media and data at end of life | Media sanitisation certificates; disposal log |
| Meta/PID XML and OTP values are not persisted | Data-inventory scan confirming absence of prohibited fields |
D6 — Encryption and Key Management
| What to verify | Typical evidence |
|---|
| PID block encrypted with UIDAI public key using the specified algorithm (AES-256 session key, RSA/ECC per spec) | API integration code; encryption library configuration |
| Session key generated freshly per transaction and encrypted with UIDAI key | Cryptographic design document; test vectors |
| HMAC over the PID block is computed and validated | Request-construction logs (non-sensitive); spec conformance test |
| Digital signing of Auth/KYC XML with a valid organisation certificate | Signing certificate details; CA chain; expiry monitoring |
| Private keys and signing certificates stored in an HSM or equivalent secure store | HSM inventory; key-custody and dual-control records |
| Key rotation, revocation and lifecycle procedures are defined and followed | Key-management policy; rotation logs; revocation records |
D7 — Network and Connectivity Security
| What to verify | Typical evidence |
|---|
| Connectivity to CIDR is only via the empanelled ASA/KSA over a secure channel | Network diagram; ASA/KSA connectivity confirmation |
| Transport uses TLS with strong ciphers between AUA/KUA, ASA and endpoints | TLS configuration; cipher-suite scan results |
| Network segmentation isolates the Aadhaar-handling environment | Firewall rule-sets; VLAN/segmentation design |
| Perimeter controls (firewall, IPS, WAF) protect the authentication application | Device configs; IPS/WAF policy exports |
| Egress restricted to ASA/KSA endpoints and approved destinations only | Egress firewall rules; allow-list documentation |
| No direct internet exposure of internal Aadhaar components | External vulnerability/attack-surface scan report |
D8 — Application and API Security
| What to verify | Typical evidence |
|---|
| Auth/KYC XML constructed exactly per the current API specification version | Conformance test results against UIDAI staging |
| Input validation and secure coding practices applied (OWASP) | SAST/DAST reports; code-review records |
| Error responses do not leak Aadhaar data or internal details | Error-handling review; sample masked responses |
| Version/end-of-life management of API (e.g. migration to latest Auth API) | Change record showing supported version in use |
| Rate limiting and anti-automation to prevent enumeration/abuse | Throttling configuration; abuse-monitoring evidence |
| Response decryption and handling of e-KYC XML is secure and access-controlled | KYC response-handling design; access logs |
D9 — Access Control and Identity Management
| What to verify | Typical evidence |
|---|
| Role-based access control over systems handling Aadhaar data | Role definitions; access matrix; joiner-mover-leaver records |
| Multi-factor authentication for privileged and remote access | MFA configuration; sample authentication logs |
| Least-privilege and need-to-know enforced; segregation of duties | Access-review reports; SoD matrix |
| Periodic access recertification performed | Quarterly/semi-annual access-review sign-offs |
| Default/shared/system accounts controlled and monitored | Privileged-account inventory; vaulting evidence |
| Timely revocation on role change or exit | De-provisioning tickets tied to HR exit dates |
D10 — Logging, Audit Trail and Monitoring
| What to verify | Typical evidence |
|---|
| Every authentication/e-KYC transaction is logged with required metadata (no PID/biometric) | Log schema; sample redacted logs |
| Logs retained for the mandated period and protected from tampering | Retention config; WORM/immutable storage; hash-chain evidence |
| Consent flag and purpose captured in the transaction log | Log fields mapping to consent/purpose |
| Security events centralised and monitored (SIEM) | SIEM dashboards; alert rule inventory |
| Log review procedures and anomaly detection operate | Log-review records; alert-triage tickets |
| Time synchronisation (NTP) across logging systems | NTP configuration; time-drift monitoring |
D11 — Information Security Management (Governance)
| What to verify | Typical evidence |
|---|
| Documented information security policy aligned to UIDAI's AUA/KUA policy | Approved ISP; UIDAI-alignment mapping |
| Named ISO/CISO accountable for Aadhaar data security | Appointment letter; org chart; RACI |
| Risk assessment covering the Aadhaar environment is performed | Risk register; risk-treatment plan |
| Change management governs modifications to the auth environment | Change tickets; CAB minutes |
| Vulnerability management and periodic VAPT of the Aadhaar systems | VAPT reports; remediation tracker |
| Management review of security posture at defined intervals | Management-review minutes; metrics packs |
D12 — Human Resources and Awareness
| What to verify | Typical evidence |
|---|
| Background verification for staff handling Aadhaar data | BGV records; screening policy |
| Confidentiality/NDA obligations signed by relevant personnel | Signed NDAs; acknowledgement register |
| Role-specific security and privacy awareness training | Training records; completion reports; assessment scores |
| Disciplinary process for policy violations | Disciplinary policy; case records where applicable |
| Awareness of Aadhaar-specific penalties (offences under the Act) | Training content covering Chapter VII offences |
D13 — Physical and Environmental Security
| What to verify | Typical evidence |
|---|
| Physical access controls to data centres/rooms hosting Aadhaar systems | Access-control logs; badge/biometric records |
| Restricted, monitored zones for authentication infrastructure | CCTV coverage; visitor logs; zoning plan |
| Environmental controls (power, cooling, fire) for availability | Facility maintenance and test records |
| Secure handling of media and printouts containing Aadhaar data | Clear-desk/clear-screen policy; secure print controls |
| Cloud/hosting provider physical controls (if applicable) are assured | Provider audit reports (e.g. SOC 2/ISO 27001) and data-localisation proof |
D14 — Incident Management and Breach Reporting
| What to verify | Typical evidence |
|---|
| Documented incident response plan covering Aadhaar data breaches | IR plan; playbooks for Aadhaar-specific scenarios |
| Defined breach-notification path to UIDAI and CERT-In within timelines | Notification procedure; contact matrix; CERT-In 6-hour rule reference |
| Incidents logged, triaged, contained and closed with root-cause analysis | Incident register; RCA reports |
| Tabletop/simulation exercises conducted periodically | Exercise reports; lessons-learned actions |
| Forensic readiness for Aadhaar-related incidents | Log preservation and forensic-tooling readiness evidence |
D15 — Business Continuity and Availability
| What to verify | Typical evidence |
|---|
| Business continuity and DR plans cover the authentication service | BCP/DR documents; RTO/RPO definitions |
| Redundant ASA/KSA connectivity or failover arrangements | Connectivity architecture; failover test records |
| Periodic DR testing performed and results reviewed | DR test reports; management sign-off |
| Capacity and performance managed for authentication volumes | Capacity plans; performance-monitoring dashboards |
| Backup and restore procedures protect non-prohibited data | Backup policy; restore-test evidence (excluding prohibited data) |
D16 — Fraud Management and Exception Handling
| What to verify | Typical evidence |
|---|
| Handling of authentication failures without denying legitimate service | Exception-handling SOP; fallback authentication modes |
| Best-finger detection / multi-modal biometric fallback where used | BFD implementation; alternate-factor procedure |
| Monitoring for anomalous authentication patterns and misuse | Fraud-analytics rules; alert review records |
| Controls against operator-driven fraud at the point of capture | Operator authentication; capture-device controls |
| Grievance mechanism for residents affected by failures | Grievance SOP; resolution logs |
D17 — Sub-AUA / Third-Party Governance
| What to verify | Typical evidence |
|---|
| Formal onboarding and due-diligence of every Sub-AUA/Sub-KUA | Onboarding checklist; due-diligence reports |
| Flow-down of UIDAI obligations into Sub-AUA agreements | Executed Sub-AUA agreements with mandated clauses |
| Periodic audit/monitoring of Sub-AUA compliance | Sub-AUA audit reports; oversight register |
| Segregation of licence keys and traceability per Sub-AUA | Key-mapping per Sub-AUA; transaction attribution |
| Prompt off-boarding and key revocation for non-compliant Sub-AUAs | Off-boarding records; revocation evidence |
D18 — Compliance Audit and Reporting
| What to verify | Typical evidence |
|---|
| Mandatory UIDAI compliance audit completed before go-live | Audit report by UIDAI-empanelled/CERT-In auditor; UIDAI acceptance |
| Periodic (typically annual) self-audit or third-party audit performed | Audit calendar; latest audit report |
| Findings tracked to closure with management oversight | Remediation tracker; closure evidence |
| Reports and confirmations submitted to UIDAI as required | Submission acknowledgements; correspondence |
| Continuous monitoring bridges the gap between audits | Continuous-control-monitoring dashboards |
6. Scoping
Correct scoping determines audit effort and, more importantly, ensures that no system that touches Aadhaar data escapes control coverage. The scope is defined by the flow of the Aadhaar number, the PID block and (for KUAs) the e-KYC response — from the point of resident interaction, through the AUA/KUA application, to the ASA/KSA gateway and back.
- In scope: all applications, APIs and micro-services that construct the PID block, encrypt/sign requests, or receive and decrypt e-KYC responses.
- In scope: databases and stores that hold the Aadhaar number, reference keys/UID tokens, or e-KYC demographic/photo data.
- In scope: the ASA/KSA integration layer, connectivity, keys, HSMs and certificates.
- In scope: logging, SIEM, backup and monitoring systems that process Aadhaar-related transaction metadata.
- In scope: Sub-AUA integration points and any partner that relays authentication through the entity.
- Explicitly out of design (prohibited): storage of biometrics/PID; these must be architected out rather than 'scoped out'.
- Consider network segmentation to reduce scope — isolating the Aadhaar environment limits which systems are subject to full control assessment.
- Cloud/hosted components are in scope; verify data localisation within India and provider assurances.
Scoping principle
Unlike PCI DSS where cardholder data can sometimes be tokenised out of scope, the Aadhaar model forbids certain data (biometrics) from ever being stored. Scope reduction therefore comes from segmentation and from replacing the Aadhaar number with reference keys/UID tokens — never from ignoring systems that handle it.
A common scoping error is to treat only the customer-facing application as in scope while overlooking downstream systems that inadvertently receive Aadhaar data — data warehouses, analytics platforms, customer-service tools, backup repositories and log aggregators. Auditors should perform data-flow tracing from the point of capture to every terminal store, and use data-discovery scanning to detect Aadhaar-number patterns (the twelve-digit Verhoeff-checksummed number) in unexpected locations. The UID token, or reference key, mechanism provided by UIDAI is the recommended way to avoid storing the raw Aadhaar number at all: the entity stores an opaque token that can be resolved back only through UIDAI, dramatically shrinking the sensitive-data footprint and the audit scope.
7. Implementation Approach
A phased implementation aligns technical build with contractual onboarding and the mandatory pre-production audit. The following four phases take an entity from intent to certified production operation.
Phase 1 — Eligibility, Onboarding and Design
- Activities: confirm legal basis/permitted use; select and contract an ASA/KSA; execute the AUA/KUA agreement; define use cases and data flows; design the target architecture (encryption, HSM, no-biometric-storage, reference keys).
- Deliverables: signed agreements; use-case register; data-flow diagrams; solution architecture and security design; UIDAI onboarding references and licence/API keys.
Phase 2 — Build and Secure Integration
- Activities: implement PID-block construction, AES/RSA encryption with UIDAI public key, HMAC and XML signing; integrate with ASA/KSA staging; deploy HSM and key-management; implement consent capture, logging and masking; harden network and application layers.
- Deliverables: working integration in UIDAI staging; encryption/key-management runbooks; consent and logging implementation; hardening baselines and configuration standards.
Phase 3 — Testing, Pre-Production Audit and Certification
- Activities: conduct functional and conformance testing against staging; run VAPT/SAST/DAST; remediate findings; engage a UIDAI-empanelled/CERT-In auditor for the mandatory compliance audit; close audit findings.
- Deliverables: conformance-test evidence; VAPT and remediation reports; the UIDAI compliance audit report and UIDAI production-access approval.
Phase 4 — Production Operation and Continuous Compliance
- Activities: go live; operate logging/monitoring; run periodic access reviews, patching and DR tests; onboard and monitor Sub-AUAs; perform annual audits and self-assessments; manage change and incidents.
- Deliverables: production runbooks; monitoring dashboards; periodic audit reports; incident and change records; annual compliance attestation to UIDAI.
8. Maturity / Capability Model
UIDAI does not publish a formal maturity scale, but a capability model is a useful lens for internal benchmarking and for demonstrating a trajectory of improvement to auditors and management. The five-level model below adapts common maturity thinking to the AUA/KUA control domains. In practice, an entity must reach at least Level 3 (Defined) to pass the mandatory compliance audit, because standardised, consistently operating controls are what the auditor tests. Levels 4 and 5 reflect the operational maturity expected of high-volume AUAs/KUAs — banks and large government departments — where continuous monitoring and automation are necessary to sustain compliance across millions of daily transactions and a wide Sub-AUA network.
| Level | Capability state | Characteristics |
|---|
| Level 1 — Initial | Ad hoc | Controls exist informally; reliance on individuals; no consistent evidence; gaps likely to fail audit. |
| Level 2 — Managed | Documented | Policies and procedures documented; controls implemented but inconsistently monitored. |
| Level 3 — Defined | Standardised | Controls standardised across the Aadhaar environment; consent, logging, encryption operating consistently; passes audit. |
| Level 4 — Measured | Monitored | Continuous control monitoring; metrics and KPIs tracked; access reviews and VAPT on schedule; findings trended. |
| Level 5 — Optimising | Continuously improving | Automated evidence, proactive fraud analytics, mature Sub-AUA governance, rapid incident handling, drives improvement. |
9. Assessment and Audit Approach
The mandatory UIDAI compliance audit is performed by an auditor empanelled by UIDAI/CERT-In. The following ordered steps describe a rigorous assessment lifecycle for both the initial and periodic audits.
- Define scope: identify all systems, data stores, integrations and Sub-AUAs that touch Aadhaar data, and confirm the applicable agreement version and API version.
- Review documentation: examine agreements, security policy, risk assessment, data-flow diagrams, key-management and retention policies.
- Assess design: evaluate the architecture for no-biometric-storage, correct encryption/signing, HSM use, masking and segmentation.
- Test controls: verify consent capture, logging, access control, encryption in practice; sample transactions and logs (redacted).
- Conduct technical testing: perform or review VAPT, configuration reviews and conformance tests against UIDAI staging.
- Interview stakeholders: confirm roles, awareness, incident and change processes with ISO, developers and operations.
- Evaluate Sub-AUA governance: review onboarding, agreements, key segregation and oversight of downstream entities.
- Rate findings: classify gaps by severity and impact on Aadhaar data protection and regulatory obligations.
- Report and remediate: issue the audit report, agree remediation plans and owners, and revalidate closure of critical findings.
- Submit and attest: provide the report/attestation to UIDAI as required and schedule the next periodic audit.
10. Evidence Request List
The following categorised list is a practical pull-list an auditor issues at kick-off. Providing these promptly accelerates the assessment.
- Legal and contractual: enabling statute/notification, permitted-use approvals, executed AUA/KUA and ASA/KSA agreements, Sub-AUA agreements, licence/API key register.
- Governance: information security policy, risk assessment and treatment plan, ISO/CISO appointment, management-review minutes, roles and RACI.
- Consent and privacy: consent capture screens/scripts, disclosure notices, purpose register, data-flow diagrams.
- Data protection: retention schedule, purge/deletion logs, encryption and key-management policy, HSM inventory, masking configuration.
- Technical: API integration/design documents, conformance-test results, SAST/DAST/VAPT reports, network and segmentation diagrams, TLS/cipher scans.
- Access control: role matrix, MFA configuration, access-review sign-offs, joiner-mover-leaver records, privileged-account inventory.
- Logging and monitoring: log schema and samples (redacted), retention/immutability config, SIEM dashboards and alert rules, NTP configuration.
- Operations: change tickets/CAB minutes, patch records, BCP/DR plans and test reports, backup/restore evidence.
- People: BGV records, signed NDAs, training completion reports and content.
- Incident and fraud: IR plan and playbooks, incident register, CERT-In/UIDAI notification procedure, fraud-analytics rules, grievance logs.
- Third party: Sub-AUA onboarding/due-diligence, oversight audits, cloud/hosting provider assurance reports and data-localisation proof.
- Audit: previous UIDAI compliance audit report, remediation trackers, UIDAI correspondence and approvals.
11. Roles and Responsibilities
| Role | Responsibility in the AUA/KUA compliance programme |
|---|
| Board / Senior Management | Accountable for lawful use, resource allocation and overall compliance posture; approves policy. |
| Chief Information Security Officer (CISO) | Owns the Aadhaar security programme, risk management, audit closure and UIDAI security alignment. |
| Data Protection / Privacy Officer | Ensures consent, purpose limitation, retention and resident-rights obligations are met. |
| Compliance / Legal | Maintains legal basis, agreements, permitted-use validity and regulatory reporting. |
| Solution / Security Architect | Designs no-biometric-storage architecture, encryption, HSM, segmentation and masking. |
| Development / Integration Team | Implements API integration, PID construction, signing and secure coding to spec. |
| IT Operations / Infrastructure | Runs connectivity, HSM, patching, backups, DR and availability of the auth service. |
| SOC / Security Monitoring | Operates SIEM, log review, alerting and incident detection for Aadhaar systems. |
| Internal Audit | Performs periodic self-audit and validates control effectiveness and evidence. |
| ASA/KSA Liaison | Manages connectivity, keys and coordination with the service agency and UIDAI. |
| Sub-AUA Managers | Onboard, contract, monitor and off-board downstream Sub-AUAs and their compliance. |
12. KPIs to Track
- Authentication success rate and failure-reason distribution (to detect issues without denying service).
- Percentage of transactions with valid, recorded consent (target 100%).
- Number of prohibited-data findings (biometrics/PID/OTP persisted) — target zero.
- Encryption/signing conformance rate against the current API specification.
- Mean time to detect and mean time to respond for Aadhaar-related incidents.
- Percentage of privileged accesses under MFA and coverage of access recertification.
- VAPT critical/high findings open beyond SLA and average remediation time.
- Log completeness and retention compliance (mandated retention met, tamper-evidence intact).
- Percentage of Sub-AUAs with current agreements and passed compliance reviews.
- Audit findings closed on time; recurrence rate of previously closed findings.
- DR test success and RTO/RPO adherence for the authentication service.
- Training completion rate for personnel handling Aadhaar data.
13. Readiness Checklist
- Lawful basis / permitted use confirmed and documented.
- AUA/KUA and ASA/KSA agreements executed and current.
- Architecture verified to never store biometrics/PID/OTP.
- Aadhaar number encrypted or replaced by reference key/UID token where stored.
- PID block encryption, HMAC and XML signing implemented per current API spec.
- Private keys and certificates held in an HSM with lifecycle management.
- Informed consent captured, disclosed and logged for every transaction.
- Aadhaar number masking enforced on screens, prints and logs.
- Transaction logs retained for the mandated period on tamper-evident storage.
- Network segmentation and TLS with strong ciphers in place.
- RBAC, MFA for privileged access and periodic recertification operating.
- SIEM, log review and alerting active for the Aadhaar environment.
- Incident response plan with UIDAI/CERT-In notification path tested.
- BCP/DR for the authentication service tested within the last cycle.
- VAPT/SAST/DAST completed and critical findings remediated.
- Sub-AUA onboarding, agreements and oversight in place.
- Security awareness training completed for relevant staff.
- Mandatory UIDAI compliance audit passed and production access approved.
- Remediation tracker maintained with owners and closure evidence.
14. Common Gaps
- Storing biometric/PID data or persisting OTP values — an outright prohibition breach.
- Storing the Aadhaar number in plain text or without adequate access restriction, instead of using a reference key/UID token.
- Weak or missing masking of the Aadhaar number on screens, receipts, exports and logs.
- Consent not genuinely informed, not recorded, or not linked to the transaction.
- Using e-KYC data for purposes beyond the disclosed and permitted use (secondary use).
- Private keys/certificates held in software rather than an HSM, or with no rotation/revocation process.
- Running an outdated API version or non-conformant PID/XML construction.
- Logs missing required metadata, under-retained, or stored without tamper-evidence.
- Inadequate Sub-AUA governance — no flow-down clauses, key segregation or oversight audits.
- No defined UIDAI/CERT-In breach-notification path or untested incident response.
- Missing or expired legal basis/permitted-use approval, especially for private entities post-2019.
- Skipping periodic audits or leaving prior audit findings unremediated.
15. UIDAI AUA/KUA Mapped to Other Frameworks
Entities usually operate multiple compliance regimes concurrently. The mapping below helps reuse controls and evidence across frameworks. Mappings are indicative, not one-to-one; UIDAI obligations remain authoritative for Aadhaar handling.
| UIDAI AUA/KUA control area | ISO/IEC 27001:2022 | NIST CSF 2.0 | PCI DSS v4.0 | India DPDP Act 2023 |
|---|
| Legal eligibility / permitted use | A.5.31 Legal requirements | GOVERN (GV.OC) | Req. 12 policy/scope | Lawful processing, purpose |
| Consent and notice | A.5.34 Privacy/PII | GOVERN / IDENTIFY | N/A (privacy) | Consent, notice obligations |
| Purpose limitation | A.5.34, A.8.11 Data masking | GOVERN (GV.PO) | Req. 3 data retention | Purpose limitation, storage limitation |
| Encryption / key management | A.8.24 Cryptography | PROTECT (PR.DS) | Req. 3.5/3.6 keys, Req. 4 | Reasonable security safeguards |
| Data storage / retention | A.8.10 Deletion, A.5.33 | PROTECT (PR.DS) | Req. 3.1/3.2 retention | Storage limitation, erasure |
| Network security | A.8.20/8.21/8.22 | PROTECT (PR.IR) | Req. 1 network security | Security safeguards |
| Access control | A.5.15/8.2/8.3/8.5 | PROTECT (PR.AA) | Req. 7/8 access & auth | Access-limitation safeguards |
| Logging and monitoring | A.8.15/8.16 | DETECT (DE.CM) | Req. 10 logging | Security safeguards |
| Incident and breach reporting | A.5.24-5.28 | RESPOND (RS) | Req. 12.10 IR | Breach notification to Board |
| Business continuity | A.5.29/8.14 | RECOVER (RC) | Req. 12.10.1 | Availability safeguards |
| Third-party / Sub-AUA governance | A.5.19-5.22 | GOVERN (GV.SC) | Req. 12.8 service providers | Data processor obligations |
| Audit and assurance | A.5.35/5.36 | GOVERN / IDENTIFY | Req. 12.11 review | Accountability, DPIA where applicable |
16. How CyberSigma Helps
Partner with CyberSigma for UIDAI AUA/KUA readiness and audit
CyberSigma's CERT-In empanelled and PCI QSA-qualified assessors guide organisations end-to-end through the Aadhaar AUA/KUA journey — from confirming permitted-use eligibility and selecting an ASA/KSA, to designing a no-biometric-storage architecture with HSM-backed encryption, implementing consent, masking and tamper-evident logging, and conducting VAPT. We prepare you for, and perform, the mandatory UIDAI compliance audit, drive remediation to closure, and stand up continuous control monitoring, Sub-AUA governance and annual re-audits. The result: secure, lawful and audit-ready Aadhaar authentication and e-KYC operations. Contact CyberSigma to accelerate your UIDAI AUA/KUA compliance with confidence.