UIDAI sets strict security and audit requirements for entities in the Aadhaar authentication ecosystem. Given the sensitivity of Aadhaar and biometric data, independent audits by CERT-In empanelled auditors are mandatory.
Roles in the Aadhaar ecosystem
| Entity | Role |
|---|---|
| AUA (Authentication User Agency) | Uses Aadhaar authentication for its services |
| KUA (KYC User Agency) | Uses Aadhaar e-KYC to verify identity |
| Sub-AUA | Uses authentication through an existing AUA |
| ASA (Authentication Service Agency) | Provides secure connectivity to the UIDAI CIDR |
Key requirements
- Compliance with the Aadhaar Act, regulations and UIDAI circulars.
- Secure handling and encryption of Aadhaar data; non-storage of prohibited data (e.g., biometrics after authentication).
- Strict access control, logging and audit trails for authentication requests.
- Network segregation and secure connectivity to the ASA/CIDR.
- A periodic information-security audit by a CERT-In empanelled auditor.
- Incident reporting to UIDAI.
Process
- Map Aadhaar data flows and the authentication/e-KYC architecture.
- Assess against UIDAI security requirements and circulars.
- Implement encryption, access control, logging and network segregation.
- Undergo the periodic UIDAI compliance/security audit (CERT-In empanelled).
- Remediate and report to UIDAI.
Evidence checklist
- Aadhaar data-flow and architecture diagrams.
- Encryption, access-control and logging evidence.
- Non-storage compliance for prohibited data elements.
- Network segregation and ASA connectivity evidence.
- The UIDAI compliance/security audit report.
- Incident-reporting records.
How CyberSigma helps
CyberSigma is CERT-In empanelled — we perform the UIDAI AUA/KUA information-security audit, assess Aadhaar data handling and connectivity, and issue the report UIDAI requires.
Frequently asked questions
Who performs the UIDAI AUA/KUA audit?
A CERT-In empanelled auditor performs the information-security audit for AUAs/KUAs. CyberSigma is CERT-In empanelled.
Need help with UIDAI AUA/KUA?
Our CERT-In empanelled and PCI QSA senior auditors can take you from reading about UIDAI AUA/KUA requirements to demonstrable compliance, through a scoped, guided programme.
