Security and Compliance
Encryption, access control, network isolation, and UIDAI compliance for the Aadhaar Data Vault
Here we cover security and UIDAI compliance for the vault: encryption, access control, network isolation, monitoring, and data lifecycle.
Regulatory Basis
The vault’s design and operations follow:
- Aadhaar Act 2016
- Aadhaar (Authentication) Regulations 2016 (including Regulation 14(n))
- Aadhaar (Sharing of Information) Regulations 2016 (Regulations 5 and 6)
- UIDAI circulars on Aadhaar Data Vault and Reference Keys (e.g. July 2017 and subsequent updates)
Non-compliance can be dealt with under Section 42 of the Aadhaar Act 2016 and can attract financial disincentives under the AUA/KUA agreement. Building the vault as described helps you stay on the right side of these requirements.
Encryption and Key Management
| Requirement | Implementation |
|---|---|
| Encryption of Aadhaar data | Aadhaar and any linked data (e.g. eKYC/cKYC XML) in the vault are always encrypted. |
| Symmetric encryption | AES-256 for data at rest. |
| Public key cryptography | RSA-2048 for key exchange or signatures where used. |
| Key storage | Encryption keys live in HSM devices only, as UIDAI requires. No keys in app config or normal databases. |
Network and Access Security
- Restricted zone: The vault and its APIs sit in a locked-down network zone, separate from the internet and other internal zones.
- Trusted traffic only: Only trusted traffic is allowed in and out. Access is through an API or microservice that handles mapping and access control, with app-level checks.
- User access: Anyone viewing or using vault data must do it through applications that enforce auth and logging.
- Strong controls: The vault uses strong access controls, authentication, monitoring, access logging, and alerts for odd or unauthorized attempts.
Access Control and Logging
- Every vault access (store, resolve, delete, update) is authenticated and logged.
- Alerts fire for odd or unauthorized access.
- Logs support audits and incident response and are kept per your retention and regulatory needs.
Data in Other Systems
Under UIDAI:
- You can store demographic data and photos of the Aadhaar holder in other systems (e.g. customer DBs) as long as you don’t store the Aadhaar number there. Store only the Reference Key for linking.
- Aadhaar and linked Aadhaar data must live only in the Aadhaar Data Vault.
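One way to audit this rule in non-vault systems, as an added example (not from the original page or any UIDAI tooling): a scanner that flags checksum-valid 12-digit values in exported rows or logs and reports them masked. It assumes Aadhaar numbers are 12 digits, start with 2-9 and end in a Verhoeff check digit; the field names and sample rows are constructed.

```python
import re

# Verhoeff tables: D = dihedral-group multiplication, P = position permutations.
D = [[int(c) for c in row] for row in
     "0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210".split()]
P = [[int(c) for c in row] for row in
     "0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258".split()]
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]
# 12 digits starting 2-9, optionally grouped 4-4-4, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def verhoeff_ok(digits):
    """True when the last digit is a valid Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def with_check_digit(base):
    """Append the Verhoeff check digit (used here only to build constructed samples)."""
    c = 0
    for i, ch in enumerate(reversed(base)):
        c = D[c][P[(i + 1) % 8][int(ch)]]
    return base + str(INV[c])

def scan(lines):
    """Return (line_no, masked_value) per checksum-valid hit; never echoes the full number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if verhoeff_ok(digits):
                findings.append((n, "XXXXXXXX" + digits[-4:]))
    return findings

# Constructed sample rows from a hypothetical customer-DB export (no real identifiers).
FAKE = with_check_digit("29999999999")             # checksum-valid test value
TYPO = FAKE[:-1] + str((int(FAKE[-1]) + 1) % 10)   # same digits, wrong check digit
SAMPLE_ROWS = [
    "cust=1001 ref_key=9f1c2a7e-5b0d-4c3e-8a11-0d2f6b7c4e90 name=A",
    f"cust=1002 id_no={FAKE} name=B",
    f"cust=1003 order_no={TYPO} name=C",
    f"cust=1004 note='kyc {FAKE[:4]} {FAKE[4:8]} {FAKE[8:]}' name=D",
]

if __name__ == "__main__":
    print(scan(SAMPLE_ROWS))
```

A checksum-valid hit is a candidate for review, not proof: roughly one in ten arbitrary 12-digit values passes the check by chance.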
Data Lifecycle: Retention and Disposal
The vault supports retention and disposal in line with UIDAI and your data retention policy:
- Secure delete/update: We support secure deletion and updates of Aadhaar and linked data when your retention policy says so.
- No leftovers: Deletion removes Aadhaar and related data from the vault (and backups) for good, per policy and regulations.
Retention and disposal are documented and followed so the Aadhaar lifecycle stays compliant.
Benefits
- Compliance: Matches UIDAI specs and cuts regulatory and contractual risk.
- Security: Encryption, HSM, isolation, and access control protect Aadhaar from misuse.
- Auditability: Logging and monitoring support audits and incident response.
Next Steps
- Implementation and APIs: API design and integration
- Backup and Disaster Recovery: backup and DR at the same security level
- Maintenance and Support: ongoing maintenance