UIDAI · India

UIDAI / Aadhaar (AUA-KUA)

Security and audit requirements for entities in the Aadhaar authentication ecosystem.

UIDAI sets strict security and audit requirements for entities in the Aadhaar authentication ecosystem. Given the sensitivity of Aadhaar and biometric data, independent audits by CERT-In empanelled auditors are mandatory.

Roles in the Aadhaar ecosystem

  Entity                                  | Role
  ----------------------------------------|---------------------------------------------------
  AUA (Authentication User Agency)        | Uses Aadhaar authentication for its services
  KUA (KYC User Agency)                   | Uses Aadhaar e-KYC to verify identity
  Sub-AUA                                 | Uses authentication through an existing AUA
  ASA (Authentication Service Agency)     | Provides secure connectivity to the UIDAI CIDR

Key requirements

  • Compliance with the Aadhaar Act, regulations and UIDAI circulars.
  • Secure handling and encryption of Aadhaar data; non-storage of prohibited data (e.g., biometrics after authentication).
  • Strict access control, logging and audit trails for authentication requests.
  • Network segregation and secure connectivity to the ASA/CIDR.
  • A periodic information-security audit by a CERT-In empanelled auditor.
  • Incident reporting to UIDAI.

Process

  1. Map Aadhaar data flows and the authentication/e-KYC architecture.
  2. Assess against UIDAI security requirements and circulars.
  3. Implement encryption, access control, logging and network segregation.
  4. Undergo the periodic UIDAI compliance/security audit (CERT-In empanelled).
  5. Remediate and report to UIDAI.

Evidence checklist

  • Aadhaar data-flow and architecture diagrams.
  • Encryption, access-control and logging evidence.
  • Non-storage compliance for prohibited data elements.
  • Network segregation and ASA connectivity evidence.
  • The UIDAI compliance/security audit report.
  • Incident-reporting records.

How CyberSigma helps

CyberSigma is CERT-In empanelled — we perform the UIDAI AUA/KUA information-security audit, assess Aadhaar data handling and connectivity, and issue the report UIDAI requires.

Frequently asked questions

Who performs the UIDAI AUA/KUA audit?
A CERT-In empanelled auditor performs the information-security audit for AUAs/KUAs. CyberSigma is CERT-In empanelled.

Need help with UIDAI AUA/KUA?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to being compliant — with a scoped, guided programme.