Aadhaar Masking for Enterprises — UIDAI Compliance Guide
Aadhaar masking is required for enterprises handling KYC, employee records, or any customer Aadhaar information under the Aadhaar Act 2016 §28 and UIDAI Regulations 2016. Here is the compliance workflow.
The short answer
Indian enterprises that handle Aadhaar copies during KYC, employee onboarding, tenant verification, insurance application, or any similar process must mask the Aadhaar number — leaving only the last four digits visible — when they store, display, print, or share the document outside the original verification context. The obligation flows from Section 28 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the Aadhaar (Sharing of Information) Regulations, 2016 issued by UIDAI. The Digital Personal Data Protection Act, 2023 (DPDPA) reinforces the same data minimization principle as a general obligation for all sensitive personal data.
Aadhaar masking is the operational implementation of the legal obligation. The pdfmavericks.com aadhaar-mask tool applies irreversible masking — opaque rectangles over the first 8 digits, flattened into the PDF — entirely in the browser. No upload, no retention, no third-party copy of the unmasked Aadhaar at any step. For enterprise compliance teams evaluating the masking workflow, that posture matters because it minimizes the attack surface on the unmasked original.
The legal basis — Aadhaar Act §28 and UIDAI Regulations 2016
Three documents establish the masking obligation for enterprises.
The Aadhaar Act, 2016 — Section 28. Section 28 (titled "Security and confidentiality of information") obliges UIDAI and every entity that handles identity information to ensure security and confidentiality. The full Act is published by the Ministry of Electronics and Information Technology at meity.gov.in/aadhaar and a copy of the gazette PDF is available at indiacode.nic.in. Section 29 extends the obligation by restricting how the Aadhaar number itself can be shared.
The Aadhaar (Sharing of Information) Regulations, 2016. Issued by UIDAI under the regulation-making power in Section 54 of the Act. Regulation 6 specifically prohibits publishing, displaying, or posting the Aadhaar number publicly, and requires masking when the number must be shown. The regulations are published on UIDAI's site at uidai.gov.in/en/about-uidai/legal-framework/regulations.html.
UIDAI Circular dated 18 May 2018. An advisory issued by UIDAI to all entities holding Aadhaar information, directing them to ensure that the Aadhaar number is masked in any printed or displayed material. The circular is referenced across UIDAI's compliance pages.
The Reserve Bank of India's Master Direction on KYC at rbi.org.in references the Aadhaar masking obligation for banks and NBFCs, and IRDAI has issued parallel guidance for insurers.
Who needs to mask — banks, employers, insurers, and more
The masking obligation applies to every category of entity that handles Aadhaar information. In compliance terms this covers:
- Banks and NBFCs. KYC files for new account opening, loan applications, fixed deposit setups, and credit card issuance. The RBI Master Direction on KYC requires Aadhaar masking on every retained KYC artifact.
- Insurance companies. Policy applications, claim verifications, and renewals. IRDAI guidance follows the same masking obligation.
- Employers. Employee onboarding records, payroll setup, PF registration. Aadhaar is commonly collected for EPFO linking but must be masked when stored beyond the verification step.
- Telecom operators. SIM activation and KYC re-verification.
- Real estate firms and tenant verification services. Aadhaar is commonly collected for tenant background checks; the storage copy must be masked.
- Mutual fund houses and broker-dealers. Investor KYC files for SEBI-regulated entities.
- Educational institutions. Student admissions and scholarship processing.
- Government departments handling citizen records. Any retention of Aadhaar beyond the verification window requires masking.
The principle is consistent across all categories: Aadhaar can be used at the verification step in its unmasked form (with appropriate consent and a UIDAI-authorized verification channel), but any retained or shared artifact must be masked.
What compliant masking looks like
UIDAI's masking specification is straightforward: hide the first 8 digits of the 12-digit Aadhaar number, leave only the last 4 digits visible. The masked number is written as XXXX XXXX 1234 — the first eight digits become X characters or asterisks, and the four-digit suffix remains. This matches what the resident sees when they choose a masked Aadhaar download from myaadhaar.uidai.gov.in.
Three properties make a masking implementation actually compliant:
- Irreversibility. The masked digits must be unrecoverable. A redaction that just sets the text color to white or hides it behind an annotation layer fails — the underlying text is still in the PDF stream and can be recovered by copy-paste, text extraction, or a PDF inspection tool. Compliant masking either deletes the digit characters from the PDF text stream or rasterizes the masked region.
- QR code handling. The Aadhaar card and e-Aadhaar PDF both include a QR code that encodes the demographic data. The QR code is signed by UIDAI and is a valid verification artifact, but it also contains the unmasked Aadhaar number. Whether to mask the QR code depends on the use case — masking removes the verification utility but may be necessary for retention copies.
- Page rotation and metadata. A masked PDF copy should not contain the unmasked number in any field — including hidden form fields, comments, document metadata, or older revisions. The aadhaar-mask tool produces a clean flattened output where no unmasked trace remains.
Enterprise workflow with browser-local masking
For a typical KYC desk, the day-to-day workflow with browser-local masking looks like this:
- Customer or employee shares the unmasked Aadhaar PDF with the enterprise. (At the verification step UIDAI permits the unmasked Aadhaar to be seen by the authorized verifier.)
- The verifier completes any required real-time check against UIDAI's authentication API.
- Before storing the Aadhaar artifact in the KYC file, the verifier opens pdfmavericks.com/aadhaar-mask in a browser tab, drops the PDF, and applies the standard UIDAI mask.
- The masked PDF is downloaded and stored in the KYC system. The original unmasked PDF is securely deleted from the verifier's device per the enterprise's data retention policy.
- Any later sharing of the document — internal audit, external regulator inspection, fraud investigation request — uses the masked copy.
Throughout this flow, the unmasked Aadhaar exists only on the verifier's device for the duration of the verification step. There is no third-party server in the masking chain because the browser tool runs locally. For an enterprise that has to evidence its data-minimization posture during a regulatory audit, having a zero-upload masking step is a stronger story than relying on a cloud KYC vendor's retention controls.
Intersection with DPDPA 2023
The Digital Personal Data Protection Act, 2023 (DPDPA) does not replace the Aadhaar Act's masking obligation — it sits alongside it. The DPDPA is the general personal data law in India, and Aadhaar is treated as personal data under its scope. Three DPDPA principles align with the masking obligation:
- Purpose limitation. Personal data can be processed only for the purpose specified in the consent. Storing an unmasked Aadhaar beyond the verification purpose violates purpose limitation.
- Data minimization. Only the data necessary for the purpose may be retained. The last 4 digits of Aadhaar plus the masked artifact are usually sufficient for identification in a stored record — the first 8 digits are not.
- Storage limitation. Data may be retained only as long as necessary. Masking is the operational mechanism that lets enterprises satisfy the retention obligation for the customer record without retaining the unmasked identifier indefinitely.
The DPDPA full text is available on the Ministry of Electronics and Information Technology site.
Penalties and audit posture
Three regimes can impose penalties for non-compliance with Aadhaar masking.
Aadhaar Act 2016 §§38–47. Sections 38 and 39 criminalize unauthorized disclosure of identity information with imprisonment up to three years and a fine. The threshold for criminal liability is high but the deterrent is real for individual officers responsible for breach.
DPDPA 2023 — Data Protection Board penalties. The Board can impose civil monetary penalties up to ₹250 crore for breach of personal data protection obligations under Schedule 1 of the Act. The penalty depends on the category of breach; failing to mask Aadhaar on stored or shared copies is the kind of operational failure that draws regulator attention during inspection.
Sectoral regulator action. RBI, IRDAI, SEBI, and TRAI each have their own supervisory powers over the entities they regulate. An RBI inspection of a bank's KYC files that finds unmasked Aadhaar in stored records is a finding the bank's compliance department has to remediate, separate from any DPDPA or Aadhaar Act consequence.
For audit readiness, three artifacts help. First, a documented masking policy that specifies who masks, when, and using which tool. Second, evidence that the masking process is browser-local or otherwise minimizes the unmasked footprint (relevant under DPDPA data minimization). Third, sample masked PDFs from production that an auditor can inspect to confirm the masking is irreversible. The browser-local workflow with pdfmavericks.com supports all three.
For the consumer-facing version of this guide aimed at individual residents, see our consumer Aadhaar masking guide. For the Hindi-language version covering Aadhaar PDF password removal, see Aadhaar PDF password kaise hatayen. For the broader argument on browser-local PDF tooling, see why server-side PDF tools leak data.
Aadhaar masking happens entirely in your browser
The pdfmavericks.com aadhaar-mask tool applies irreversible masking using WebAssembly inside the browser tab. The unmasked Aadhaar never reaches a pdfmavericks.com server.
Frequently asked questions
Is Aadhaar masking legally required for enterprises in India?
Yes, when an enterprise stores, displays, or shares an Aadhaar number outside the limited purposes for which it was originally collected. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 §28 restricts disclosure of the Aadhaar number, and the Aadhaar (Sharing of Information) Regulations, 2016 require entities to mask all but the last four digits when displaying, printing, or sharing an Aadhaar copy outside the original verification context. UIDAI has issued multiple advisories reinforcing this — non-compliance can attract penalties under the Aadhaar Act and the Digital Personal Data Protection Act, 2023.
Which enterprises does the masking requirement apply to?
Any entity that collects or processes Aadhaar information is covered. In practice that means banks and NBFCs (KYC files), insurance companies (policy applications), employers (employee onboarding records), telecom operators (SIM activation files), real estate firms (tenant verification), mutual fund houses (investor KYC), educational institutions (student admissions), and any government department handling citizen records. UIDAI's KYC User Agency framework and the Reserve Bank of India's Master Direction on KYC at rbi.org.in both reference the masking obligation for regulated entities.
What does compliant Aadhaar masking look like?
Compliant masking removes the first 8 digits of the 12-digit Aadhaar number and leaves only the last 4 digits visible. The masked number displays as XXXX XXXX 1234 (with the X characters or asterisks in place of the hidden digits). The masking must be irreversible in the stored or shared copy — a redaction that can be lifted by changing a text color or opening an annotation layer is not compliant. UIDAI's mAadhaar app and the e-Aadhaar PDF download both implement masking the same way when the resident requests a masked Aadhaar.
Can I use the pdfmavericks.com aadhaar-mask tool for enterprise volume?
Yes for individual document workflows. The tool runs entirely in the browser using PDF.js and applies irreversible masking by drawing opaque rectangles over the first 8 Aadhaar digits and flattening them into the PDF. There is no upload, no retention, and no third-party copy of the document at any step. For volumes above a few hundred documents per day or for automated batch processing, the same masking logic is available as a server-deployable library — contact us via the contact page. For typical front-office workflows where a relationship manager or HR officer masks documents one at a time, the browser tool is the standard path.
What is the penalty for storing an unmasked Aadhaar number?
Under the Aadhaar Act 2016 §38 and §39, unauthorized disclosure of an Aadhaar number can attract imprisonment up to three years and a fine. The Digital Personal Data Protection Act, 2023 (DPDPA) adds a separate civil penalty regime — under Schedule 1, the Data Protection Board can impose penalties up to ₹250 crore for significant breaches of personal data protection obligations. The full DPDPA text is on the Ministry of Electronics and Information Technology site at meity.gov.in. Aadhaar specifically is a sensitive personal data identifier and the masking obligation is the operational mitigation that enterprises are expected to implement.
How is browser-local masking different from a cloud KYC vendor's masking service?
Cloud KYC vendors typically upload the Aadhaar document to their infrastructure, apply masking there, and return the masked copy. The unmasked original then lives in their system under their published retention policy — often as part of their wider KYC platform that retains documents for the duration of the regulated entity's relationship with the customer. Browser-local masking removes that intermediate copy: the unmasked Aadhaar exists only on the enterprise's own device during processing, the masked copy is the only artifact that leaves the device, and there is no third-party vendor between the document and the masked output. For DPDPA data minimization principles, that is the cleaner architecture.
Does masking the Aadhaar number satisfy all UIDAI obligations or do I need to do more?
Masking the displayed Aadhaar number addresses the disclosure obligation under Regulation 6 of the Aadhaar (Sharing of Information) Regulations, 2016, but enterprises also have obligations around storage, access control, and consent. UIDAI's compliance framework expects regulated entities to: (1) collect Aadhaar only with explicit consent, (2) store it in encrypted form, (3) limit access on a need-to-know basis, (4) mask the number on every screen, print, or external share, and (5) delete it when the purpose for collection ends. Masking is the visible part of the compliance regime; the storage, access, and consent controls are equally important and are inspected during regulator audits.
Where can I read the actual UIDAI regulation text?
Three documents cover the masking obligation directly. The Aadhaar Act 2016 is published in the Gazette of India and is available on the Ministry of Electronics and Information Technology site at meity.gov.in/aadhaar. The Aadhaar (Sharing of Information) Regulations, 2016 are published by UIDAI at uidai.gov.in. The Digital Personal Data Protection Act, 2023 is at meity.gov.in. UIDAI also issues circulars and advisories on its site; the Aadhaar masking circular dated 18 May 2018 explicitly directs all entities to mask Aadhaar in any printed or displayed material.