India Stack for Startups: UPI, Account Aggregator, and DigiLocker Integration
- India Stack is a government-built set of open APIs covering four layers: identity (Aadhaar), payments (UPI), data sharing (Account Aggregator), and documents (DigiLocker)
- UPI processed over 16.6 billion transactions worth ₹23.4 lakh crore in March 2025 alone, making it the world's largest real-time payment network
- The Account Aggregator framework enables consent-based sharing of 25 categories of financial data between RBI-regulated entities through licensed AA operators
- DigiLocker holds 6.8 billion documents across 300 million users, and its API lets startups verify KYC documents without manual uploads
- Most India Stack APIs are free at the infrastructure level, with development and compliance forming the primary integration costs
- Startups can build lending products using OCEN and the LSP model without holding an NBFC licence, partnering with licensed lenders instead
- All India Stack integrations require data localization in India per RBI circulars and the DPDP Act, 2023
India Stack has moved from a government infrastructure project to the operating system that most Indian startups build on. UPI alone processes over 16 billion transactions every month. The Account Aggregator network crossed 1.1 billion cumulative consent artefacts by early 2025. DigiLocker serves 300 million registered users with 6.8 billion verified documents. These are not abstract numbers. They represent APIs, protocols, and data pipes that startups can plug into directly, cutting the cost and time of building financial products, KYC verification, and payment infrastructure from scratch.
This guide breaks down each India Stack component, the technical requirements for integration, the regulatory compliance that applies, and the realistic costs and timelines a startup should plan for. Whether you are building a fintech lending product, an e-commerce platform with embedded payments, or a SaaS tool that needs verified business data, India Stack provides the infrastructure. The question is how to connect to it correctly.
What Is India Stack and Why Startups Should Care
India Stack is not a single product or platform. It is a collection of open APIs, shared digital infrastructure, and regulatory frameworks developed by Indian government agencies, the Reserve Bank of India, NPCI, UIDAI, MeitY, and iSPIRT. Each layer solves a specific problem that every startup faces: verifying identity, moving money, accessing financial data, and validating documents.
Before India Stack, a fintech startup building a lending product needed to partner with credit bureaus for data (months of negotiation), set up payment collection through NACH mandates (expensive and slow), verify identity through physical document collection (error-prone and unscalable), and validate income through manual bank statement uploads (easily forged). India Stack collapses each of these into a standardized API call. A Private Limited Company registered in India can access these APIs through published integration paths, most of them without paying infrastructure-level fees.
The commercial impact is direct. Startups that integrate with India Stack reduce customer onboarding time from days to minutes, cut KYC costs by 80-90% compared to physical verification, access real-time financial data instead of stale credit bureau reports, and process payments at near-zero marginal cost. The infrastructure is publicly funded. The competitive advantage comes from how creatively a startup uses it.
The Four Layers of India Stack Architecture
India Stack is organized into four functional layers, each maintained by a different government body. Understanding which layer solves which problem is the first step before writing a single line of integration code.
| Layer | Component | Maintained By | What It Solves for Startups | Key API/Protocol |
|---|---|---|---|---|
| Identity | Aadhaar (eKYC, eSign, OTP Auth) | UIDAI | Digital identity verification without physical documents | Aadhaar Auth API, eKYC API, eSign API |
| Payments | UPI (Unified Payments Interface) | NPCI (National Payments Corporation of India) | Real-time money transfer, merchant payments, recurring mandates | UPI 2.0 API, UPI AutoPay, UPI QR |
| Data | Account Aggregator (AA) | RBI (through licensed NBFC-AAs) | Consent-based access to bank statements, GST data, investments, insurance | AA API (FIU-AA-FIP protocol) |
| Documents | DigiLocker | MeitY / NeGD | Verified digital document storage, retrieval, and validation | DigiLocker Requester API, Issuer API |
A fifth emerging layer, OCEN (Open Credit Enablement Network), adds credit infrastructure to this stack, allowing startups to embed lending products through standardized loan origination APIs. OCEN is not yet as mature as the other four layers but is live with multiple lenders and LSPs as of 2025.
Each India Stack layer has its own governing body, approval process, technical sandbox, and compliance requirements. There is no single "India Stack API key" that grants access to everything. A startup must integrate with each layer independently: NPCI for UPI, Sahamati for Account Aggregator, MeitY for DigiLocker, and UIDAI for Aadhaar. Plan integration timelines and compliance workflows separately for each component.
UPI Integration for Startups: Payment Collection and Disbursement
UPI is the most widely adopted India Stack component and typically the first integration point for any startup that handles money. In March 2025, UPI processed 16.6 billion transactions worth ₹23.4 lakh crore. The system supports person-to-person (P2P), person-to-merchant (P2M), recurring mandates (UPI AutoPay), and credit line on UPI.
Three Routes to UPI Integration
Startups have three paths to accepting UPI payments, each with different compliance, cost, and control trade-offs:
- Through a licensed Payment Aggregator (PA): This is the fastest and most common route. PAs like Razorpay, Cashfree, PayU, and PhonePe Business provide UPI APIs as part of their payment gateway. The startup integrates the PA's SDK or API, and the PA handles NPCI connectivity, settlement, and compliance. Requirements: GST registration, a current bank account, and the PA's KYC verification. Timeline: 2 to 4 weeks from application to live transactions
- Through a PSP (Payment Service Provider) bank: Banks like Axis, ICICI, HDFC, and YES Bank offer direct UPI API access to businesses through their PSP infrastructure. This gives more control over the payment flow but requires a banking relationship and higher technical capability. Timeline: 4 to 8 weeks including bank onboarding
- Direct NPCI membership: Available only to banks and RBI-licensed Payment Aggregators. Startups that want direct NPCI access must first obtain a PA licence from the RBI (minimum net worth ₹15 crore, application process 12-18 months). This route is viable only for scale-stage fintech companies
UPI API Capabilities for Business Applications
- UPI Collect: Send a payment request to a customer's UPI ID. The customer approves it in their UPI app. Conversion rate: 65-75%
- UPI Intent: Redirect the customer to their UPI app with pre-filled payment details. Single-tap approval. Conversion rate: 85-92%. Preferred for mobile apps
- UPI QR (Static and Dynamic): Generate QR codes for in-store or invoice-based payments. Dynamic QR includes the exact amount; static QR lets the customer enter the amount
- UPI AutoPay (Mandate): Set up recurring payments (subscriptions, EMIs, SIPs). The customer approves the mandate once, and subsequent debits happen automatically up to the mandate limit. Maximum single debit: ₹1 lakh for most categories
- UPI Credit Line: Launched in 2024, this allows pre-approved credit lines from banks to be linked to UPI. Startups partnering with banks can offer "buy now, pay later" through the UPI rail
NPCI introduced a 1.1% interchange fee on UPI payments above ₹2,000 for prepaid payment instruments (PPIs) and specific merchant categories. P2M transactions below ₹2,000 remain zero-cost. Startups must factor this interchange into their unit economics, particularly for high-value transaction models. Check NPCI's latest circular for category-specific interchange rates before finalizing your payment flow architecture.
Account Aggregator: Consent-Based Financial Data for Lending, Insurance, and Wealth
The Account Aggregator framework is the most powerful and least understood component of India Stack for startups. It solves a problem that has blocked fintech innovation for years: accessing verified financial data without asking customers to upload bank statements, share login credentials, or sign physical authorization letters.
The RBI established the AA framework through the Master Direction on NBFC-Account Aggregator, 2016 (updated September 2021). Startups building products on this framework typically register as a Private Limited Company first, then pursue the relevant financial licence. The framework defines three participants:
- Financial Information Provider (FIP): The entity that holds customer data. Banks, mutual fund registrars (CAMS, KFintech), insurance companies, GSTN, NPS, and depository participants are FIPs. They share data only when the customer provides consent through an AA
- Account Aggregator (AA): The consent manager and data pipe. Licensed by the RBI as NBFC-AA with minimum ₹2 crore NOF. The AA facilitates consent collection, transmits encrypted data from FIP to FIU, and never stores or views the data itself. Licensed AAs include Finvu, OneMoney, CAMS Finserv, NESL, Perfios AA, and Yodlee AA
- Financial Information User (FIU): The entity requesting data. Must be regulated by a financial sector regulator (RBI, SEBI, IRDAI, PFRDA). NBFCs, banks, insurance companies, and mutual fund distributors can register as FIUs
What Data Can Startups Access Through AA?
The RBI has notified 25 categories of financial information available through the AA framework:
- Banking data: Savings and current account summaries, transaction details, deposit records, and loan account information
- Investment data: Mutual fund holdings (via CAMS and KFintech), equity and debenture holdings (via NSDL and CDSL), and NPS account details
- Insurance data: Life and general insurance policy details from IRDAI-regulated insurers
- Tax data: GST returns and filing status from GSTN, income tax profiles (planned integration)
- Pension data: EPF account balances and transaction history (integration in progress)
For lending startups, AA data replaces the manual bank statement upload entirely. A customer's 12-month transaction history, categorized and verified directly from the bank, arrives in structured JSON format within seconds of consent. This is the data quality difference between a PDF statement (which can be forged) and a digitally signed data packet from the source bank.
How Startups Register as FIUs in the Account Aggregator Ecosystem
For a startup to directly consume AA data, it must be a Financial Information User (FIU) registered with a licensed AA and regulated by a financial sector regulator. Here is the step-by-step registration process:
- Ensure regulatory eligibility: The startup must hold a licence or registration from the RBI, SEBI, IRDAI, or PFRDA. For fintech lending startups, this means an NBFC registration or a partnership agreement with a licensed NBFC that sponsors FIU access
- Register with Sahamati: DigiSahamati Foundation maintains the central registry of FIUs. Submit the FIU application with entity details, regulatory licence number, use case description, and technical contact information
- Complete technical integration: Integrate with the AA ecosystem using Sahamati's published API specifications. The integration covers consent request generation, consent artefact handling, data fetch requests, and encrypted data decryption
- Sandbox testing: Sahamati operates a sandbox environment where FIUs test their integration with simulated FIP responses. Complete all test cases covering consent flows, data fetch scenarios, consent revocation, and error handling
- Production certification: After passing sandbox tests, Sahamati certifies the FIU for production access. The FIU can then request consent and fetch data from live FIPs across all connected AAs
- Go live with customers: Deploy the AA consent flow in your product. Customers see a consent request screen, approve data sharing in their AA app, and the financial data arrives in your system within 10 to 30 seconds
Startups without RBI or SEBI registration cannot become FIUs directly. However, they can access AA data through a regulated partner (bank or NBFC) that acts as the FIU. The partner fetches data with customer consent and shares processed insights (credit scores, income estimates, cash flow summaries) with the startup under a Technology Service Provider agreement. This is the standard path for early-stage startups that have not yet obtained their own NBFC licence.
DigiLocker Integration: Digital Document Verification Without Uploads
DigiLocker eliminates the single most friction-heavy step in customer onboarding: asking users to photograph, scan, or upload identity and address documents. With DigiLocker API integration, a startup can pull verified documents (PAN, Aadhaar, driving licence, vehicle registration, educational certificates, GST certificate) directly from issuing authorities with customer consent.
DigiLocker Ecosystem Roles
- Issuer: The government department or authorized body that pushes documents into DigiLocker. Examples: Income Tax Department (PAN), Transport Department (driving licence), CBSE/universities (mark sheets), MCA (incorporation certificates). Over 2,700 issuers are live as of 2025
- Requester: The entity (startup, enterprise, bank) that pulls documents from DigiLocker with user consent. Requesters integrate through the DigiLocker Gateway API managed by NeGD (National e-Governance Division)
- Resident/User: The individual whose documents are stored. The user controls which documents are shared and with whom through the DigiLocker app or web interface
DigiLocker Requester API Integration Process
- Apply to MeitY/NeGD as a Requester: Submit the Requester application through the DigiLocker partner portal. Provide entity details, GSTIN, use case justification, and a technical integration plan
- MeitY review and approval: MeitY evaluates the use case against DigiLocker's purpose guidelines. Financial services, employment verification, and educational admissions are approved categories. Timeline: 4 to 8 weeks
- Receive API credentials: Upon approval, MeitY issues client ID and client secret for DigiLocker Gateway API access. Sandbox credentials are provided first for testing
- Implement OAuth 2.0 consent flow: The integration uses OAuth 2.0 for user authentication and consent. The user is redirected to DigiLocker, authenticates with their credentials, selects the documents to share, and is redirected back to the startup's application with an authorization code
- Fetch and verify documents: Use the authorization code to fetch document URIs, pull the document data (XML or PDF format), and verify the digital signature against the issuer's public key. Verified documents carry legal validity equivalent to originals under Section 9 of the IT Act, 2000
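The redirect and callback steps above, as an added example (not DigiLocker's or the author's code): it binds the callback to the browser session with a single-use `state` value and PKCE before any token exchange is attempted. The gateway URL, client ID, redirect URI and function names are placeholders, and PKCE support on the gateway is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders: real values come from the credentials and documentation
# issued after Requester approval.
AUTHORIZE_URL = "https://digilocker-gateway.example/oauth2/authorize"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "https://app.startup.example/digilocker/callback"


class CallbackError(Exception):
    """The callback must be rejected; no token request may be sent."""


def pkce_challenge(verifier):
    """S256 challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_consent(session):
    """Create per-session state and PKCE verifier, return the redirect URL."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside PKCE's 43-128 range
    session["dl_oauth"] = {"state": state, "verifier": verifier}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def finish_consent(session, callback_url):
    """Validate the callback and return the token-request parameters."""
    # Pop first: the pending flow is consumed whether or not validation passes,
    # so a captured callback URL cannot be replayed.
    pending = session.pop("dl_oauth", None)
    if pending is None:
        raise CallbackError("no consent flow in progress for this session")

    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise CallbackError("callback arrived on an unexpected URL")

    query = parse_qs(parts.query)
    if "error" in query:
        raise CallbackError("consent declined: " + query["error"][0])

    # Constant-time comparison of the returned state with the stored one.
    returned = query.get("state", [""])[0].encode("utf-8")
    if not hmac.compare_digest(returned, pending["state"].encode("utf-8")):
        raise CallbackError("state mismatch")

    codes = query.get("code", [])
    if len(codes) != 1:
        raise CallbackError("expected exactly one authorization code")

    # The client secret is added server-side when this request is sent;
    # it never appears in the browser redirect.
    return {
        "grant_type": "authorization_code",
        "code": codes[0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],
    }
```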
| Document Type | Issuing Authority | Format Available | Startup Use Case |
|---|---|---|---|
| PAN Card | Income Tax Department / NSDL / UTI | XML (structured data) + PDF | KYC verification, financial onboarding |
| Aadhaar | UIDAI | XML (eAadhaar) | Identity + address verification |
| Driving Licence | State Transport Departments | XML + PDF | Age verification, mobility startups |
| Vehicle Registration (RC) | State Transport Departments / Vahan | XML + PDF | Insurance, fleet management, vehicle financing |
| GST Certificate | GSTN | | Business verification, B2B onboarding |
| Class 10/12 Mark Sheet | CBSE / State Boards / Universities | XML + PDF | EdTech verification, employment screening |
| Incorporation Certificate | Ministry of Corporate Affairs | | Business KYC, vendor verification |
Aadhaar eKYC and Offline Verification for Startups
Aadhaar-based verification is the identity layer of India Stack, maintained by UIDAI (Unique Identification Authority of India). After the Supreme Court's Puttaswamy judgment in 2018, direct Aadhaar eKYC access was restricted to entities authorized under Section 4 of the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016. This effectively limits direct eKYC API access to banks, telecom operators, and government agencies.
How Startups Access Aadhaar Verification
Startups that are not Section 4-authorized entities can still use Aadhaar verification through these approved channels:
- Offline Aadhaar Verification (OKYC): The customer downloads their Aadhaar XML or QR code from the UIDAI portal and shares it with the startup. The startup verifies the XML signature against UIDAI's public key without connecting to UIDAI servers. No API access required. Free and privacy-preserving
- KYC User Agency (KUA) route: The startup partners with a UIDAI-approved KUA that provides eKYC API access as a service. The KUA conducts the Aadhaar authentication, and the startup receives the verified KYC data. Cost: ₹2 to ₹5 per verification
- CKYC (Central KYC) registry: Maintained by CERSAI under RBI direction, the CKYC registry stores KYC records submitted by banks and financial institutions. Startups registered as financial entities can pull existing KYC records using the customer's PAN or Aadhaar-linked KYC Identifier (KIN)
- Video KYC (V-CIP): For RBI-regulated entities, the RBI's Video-based Customer Identification Process (V-CIP) allows live video verification with Aadhaar-based authentication conducted by a trained officer. Commonly used by NBFCs and banks for remote account opening
Using Aadhaar data without authorization under Section 4 of the Aadhaar Act attracts criminal penalties including imprisonment up to 3 years and fines up to ₹10 lakh under Section 37 of the Act. Startups must not attempt to access UIDAI's eKYC APIs through unauthorized intermediaries or screen-scraping methods. The Offline Aadhaar (OKYC) and KUA routes are the only legally compliant paths for non-authorized entities.
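For the Offline Aadhaar (OKYC) route, signature verification only succeeds on the document exactly as it was signed. The added example below (not UIDAI's or the author's code) assumes an XML-DSig style signature computed over the canonical form of the document and shows which edits survive canonicalization and which do not. The sample XML is constructed with illustrative element names, the SHA-256 digest stands in for the signed digest, and the RSA check against UIDAI's certificate is left to an XML-DSig library.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed, simplified sample. Element and attribute names are
# illustrative and are not the UIDAI schema.
ORIGINAL = (
    b'<KycDoc ref="CONSTRUCTED-0001">'
    b'<Person name="Asha Rao" dob="01-01-1990"/>'
    b'<Address pc="560001" state="Karnataka"/></KycDoc>'
)

# Same data with attributes reordered and single quotes: a change that
# canonicalization normalizes away.
REQUOTED = (
    b"<KycDoc ref='CONSTRUCTED-0001'>"
    b"<Person dob='01-01-1990' name='Asha Rao'/>"
    b"<Address state='Karnataka' pc='560001'/></KycDoc>"
)

# Same data after a pretty-printer added newlines and indentation. The added
# whitespace becomes text nodes, which canonicalization preserves.
PRETTY = (
    b'<KycDoc ref="CONSTRUCTED-0001">\n'
    b'  <Person name="Asha Rao" dob="01-01-1990"/>\n'
    b'  <Address pc="560001" state="Karnataka"/>\n'
    b'</KycDoc>'
)


class IntegrityError(Exception):
    """The document differs from what was signed."""


def c14n_digest(xml_bytes):
    """SHA-256 over the canonical form (Python implements C14N 2.0)."""
    canonical = ET.canonicalize(xml_data=xml_bytes.decode("utf-8"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def load_verified(raw_bytes, signed_digest):
    """Check integrity on the untouched upload, and only then read fields.

    raw_bytes must be the file exactly as received: no re-indentation,
    no trimming, no parse-and-reserialize step before this call.
    """
    if c14n_digest(raw_bytes) != signed_digest:
        raise IntegrityError("document does not match the signed digest")
    root = ET.fromstring(raw_bytes)
    person = root.find("Person")
    return {
        "ref": root.get("ref"),
        "name": person.get("name"),
        "dob": person.get("dob"),
    }


if __name__ == "__main__":
    signed = c14n_digest(ORIGINAL)
    for label, doc in (("original", ORIGINAL), ("requoted", REQUOTED), ("pretty", PRETTY)):
        try:
            load_verified(doc, signed)
            print(label, "accepted")
        except IntegrityError as exc:
            print(label, "rejected:", exc)
```

Storing the received file as opaque bytes and parsing a copy keeps later re-verification possible, for example after a key bundle update.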
OCEN: Embedding Credit Products Through India Stack
The Open Credit Enablement Network (OCEN) is the newest addition to India Stack's functional layers. It standardizes the interaction between Loan Service Providers (LSPs), lenders, and borrowers through a set of open APIs maintained by iSPIRT and participating lenders.
For startups, OCEN solves a specific problem: offering credit products (working capital loans, purchase financing, invoice discounting) to your users without building a lending stack or holding an NBFC licence. The startup becomes an LSP, originating loan applications and providing the customer interface, while a licensed lender (NBFC or bank) underwrites, disburses, and collects the loan.
OCEN Integration Flow for Startups
- Register as an LSP: Partner with an OCEN-participating lender (SBI, Federal Bank, Kotak Mahindra Bank, and multiple NBFCs are live). Sign the LSP agreement that defines data sharing, commission structure, and compliance responsibilities
- Integrate OCEN APIs: Implement the standardized loan application, offer, grant, and repayment APIs. OCEN uses the Account Aggregator framework for data fetching, meaning the borrower's consent and financial data flow through the AA pipe
- Embed the loan product: Add a "Get Credit" or "Apply for Loan" button within your app. When the user clicks it, the OCEN flow initiates: AA consent request, data fetch, lender underwriting, offer display, acceptance, loan agreement, and disbursement to the user's bank account
- Handle repayments: Repayment can be set up through UPI AutoPay (another India Stack component), NACH mandate, or direct bank debit. The lender manages collections, but the LSP's interface shows the repayment schedule and status
OCEN is particularly powerful for marketplace startups, SaaS platforms serving SMEs, and e-commerce businesses. A B2B marketplace can offer purchase financing at checkout. An accounting SaaS can offer working capital loans based on the GST data it already processes. An e-commerce platform can offer seller financing backed by transaction history. All three need proper GST registration before going live with OCEN-powered credit products.
Regulatory Compliance Across India Stack Integrations
Each India Stack component carries its own regulatory requirements. A startup integrating with multiple layers must map compliance obligations across all relevant regulators:
| India Stack Component | Primary Regulator | Key Compliance Requirements | Penalty for Non-Compliance |
|---|---|---|---|
| UPI Payments | NPCI / RBI | PCI-DSS certification, data localization in India, PA licence for aggregators, NPCI procedural guidelines | RBI can revoke PA licence; penalties per Payment and Settlement Systems Act, 2007 |
| Account Aggregator | RBI | FIU must be regulated entity, Sahamati certification, consent artefact compliance, data encryption | RBI directions under NBFC-AA Master Direction; licence cancellation for AAs |
| DigiLocker | MeitY / NeGD | Requester approval from MeitY, OAuth 2.0 consent flow, IT Act Section 9 compliance | API access revocation; IT Act penalties for data misuse |
| Aadhaar eKYC | UIDAI | Section 4 authorization for direct access; OKYC compliance for offline verification | Imprisonment up to 3 years + fine up to ₹10 lakh under Aadhaar Act Section 37 |
| OCEN (Credit) | RBI | Digital Lending Master Direction compliance, LSP disclosure to borrowers, KFS for every loan | RBI action against partnered lender; LSP blacklisting |
Across all India Stack integrations, the Digital Personal Data Protection Act, 2023 applies independently. Every consent request, data fetch, and document pull involves personal data processing that triggers DPDP obligations: lawful purpose, specific consent, data minimization, breach notification, and erasure upon withdrawal. Startups must implement a unified privacy framework that covers all India Stack data flows, not separate policies for each component. A Virtual CFO with regulatory experience can help structure compliance budgets across all these frameworks.
Startups accepting payments through UPI, charging fees for AA-powered services, or providing DigiLocker-verified onboarding as a service must hold GST registration. Technology services attract 18% GST under SAC code 998314. Payment aggregator commissions, AA data access fees, and KYC verification charges all fall within GST's scope. Register for GST before going live with any commercial India Stack integration.
Cost and Timeline for India Stack Integration
One of India Stack's strongest advantages is that API access is largely free at the infrastructure level. The costs come from development, compliance setup, and operational maintenance. Here is a realistic breakdown for a startup integrating with all four core layers:
Development Costs
- UPI integration (through payment aggregator): ₹50,000 to ₹2 lakh for SDK integration, webhook handling, and reconciliation dashboard. 2 to 4 weeks with 1 to 2 developers
- Account Aggregator (FIU integration): ₹3 lakh to ₹8 lakh for consent flow, data decryption, and financial data parsing. 8 to 12 weeks with 2 to 3 developers. Includes Sahamati sandbox testing
- DigiLocker Requester API: ₹1 lakh to ₹3 lakh for OAuth flow, document pull, and signature verification. 6 to 10 weeks including MeitY approval wait time
- Aadhaar OKYC verification: ₹50,000 to ₹1.5 lakh for XML parsing and signature verification. 2 to 4 weeks. If using a KUA, add ₹2 to ₹5 per verification as ongoing cost
- OCEN LSP integration: ₹2 lakh to ₹6 lakh for loan origination flow, AA data integration, and repayment tracking. 6 to 10 weeks
Compliance and Operational Costs
- PCI-DSS certification: ₹2 lakh to ₹5 lakh (annual) for Level 2 or Level 3 compliance. Required for payment data handling
- DPDP Act compliance setup: ₹3 lakh to ₹8 lakh for consent framework, privacy policy, data mapping, and breach notification protocol across all India Stack data flows
- Data localization infrastructure: ₹1 lakh to ₹5 lakh (annual) for India-region cloud hosting (AWS Mumbai, Azure Central India, GCP Mumbai). Required for UPI and AA data
- Annual compliance review: ₹2 lakh to ₹5 lakh for a compliance services partner to audit India Stack integrations against current regulatory requirements
Total first-year cost for a startup integrating with all four India Stack layers ranges from ₹12 lakh to ₹35 lakh, including development, compliance, and infrastructure. A Virtual CFO can structure these costs for optimal tax treatment, including R&D expense classification and input tax credit claims on technology infrastructure.
Common Integration Challenges and How to Solve Them
India Stack APIs are well-documented, but production integration exposes edge cases that sandbox testing does not cover. Based on patterns across hundreds of startup integrations, these are the recurring challenges:
- AA consent drop-off rates: 30-40% of users abandon the AA consent flow because they do not understand what data they are sharing or do not have the AA app installed. Solution: add a pre-consent explainer screen, support multiple AA discovery methods (mobile number, UPI handle), and implement deep linking to AA app installation if not present
- DigiLocker approval delays: MeitY approval for Requester status takes 4 to 8 weeks, and rejections often lack specific reasons. Solution: submit a detailed use case document with data flow diagrams, user consent screenshots, and reference to similar approved Requesters in your industry. Follow up through the NeGD helpdesk at weekly intervals
- UPI payment failure rates: Industry-wide UPI success rates hover around 96-97%, meaning 3-4% of transactions fail due to bank server timeouts, daily transaction limits, or incorrect VPA entries. Solution: implement automatic retry logic with exponential backoff, offer UPI Intent as the primary flow (higher success rate), and provide fallback to other payment methods
- FIP data availability gaps: Not all banks are live as FIPs on the AA network. As of 2025, most large banks (SBI, HDFC, ICICI, Axis, Kotak, Yes Bank, PNB) are live, but some cooperative banks and regional rural banks are not yet connected. Solution: implement a fallback manual document upload flow for users whose banks are not on the AA network
- Data format inconsistencies: Bank statement data from different FIPs arrives in slightly different formats despite the AA specification. Transaction categorization, balance computation logic, and date formats vary. Solution: build a data normalization layer that handles FIP-specific variations and run validation checks on every data fetch. Engaging a compliance services provider for periodic AA integration audits helps catch format-related data quality issues
- Aadhaar OKYC signature verification failures: Aadhaar XML files downloaded from the UIDAI portal use a specific cryptographic signature scheme. Verification fails if the public key is outdated or the XML is modified (even whitespace changes). Solution: use UIDAI's published public key bundle (updated quarterly) and parse XML without any modification
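The retry advice in the UPI payment failure item above, as an added example (not code from any payment aggregator or from the author): retries use exponential backoff with jitter, reuse one transaction reference so a timed-out but completed debit is not charged twice, and stop immediately on failures that retrying cannot fix. The failure codes, the `send` callable and `FakeGateway` are hypothetical stand-ins for a PA or PSP API.

```python
import random
import time
from dataclasses import dataclass, field

# Hypothetical failure codes; a real PA/PSP API defines its own.
RETRYABLE = {"BANK_TIMEOUT"}                      # transient, worth retrying
TERMINAL = {"INVALID_VPA", "DAILY_LIMIT_EXCEEDED"}  # retrying cannot help


@dataclass
class PaymentResult:
    status: str                 # "SUCCESS" or "FAILED"
    code: str = ""              # failure code when status is "FAILED"
    attempts: int = 0
    delays: list = field(default_factory=list)


def backoff_delay(attempt, base=0.5, cap=8.0, rng=random.random):
    """Full-jitter backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def pay_with_retry(send, txn_ref, vpa, amount_paise,
                   max_attempts=4, sleep=time.sleep, rng=random.random):
    """Call send() up to max_attempts times with the SAME txn_ref.

    A timeout does not prove the debit failed, so every retry carries the
    original reference and relies on the gateway to deduplicate on it.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    delays, code = [], ""
    for attempt in range(max_attempts):
        resp = send(txn_ref=txn_ref, vpa=vpa, amount_paise=amount_paise)
        if resp["status"] == "SUCCESS":
            return PaymentResult("SUCCESS", "", attempt + 1, delays)
        code = resp.get("code", "")
        if code not in RETRYABLE:
            # Terminal or unknown failure: surface it so the caller can
            # offer another payment method instead of hammering the bank.
            return PaymentResult("FAILED", code, attempt + 1, delays)
        if attempt + 1 < max_attempts:
            delay = backoff_delay(attempt, rng=rng)
            delays.append(delay)
            sleep(delay)
    return PaymentResult("FAILED", code, max_attempts, delays)


class FakeGateway:
    """Constructed stand-in for a gateway that deduplicates on txn_ref."""

    def __init__(self, script):
        self.script = list(script)  # outcomes to produce, in order
        self.debits = {}            # txn_ref -> amount actually debited
        self.calls = 0

    def send(self, txn_ref, vpa, amount_paise):
        self.calls += 1
        if txn_ref in self.debits:
            return {"status": "SUCCESS"}  # already paid: report, do not re-debit
        outcome = self.script.pop(0)
        if outcome == "SUCCESS":
            self.debits[txn_ref] = amount_paise
            return {"status": "SUCCESS"}
        if outcome == "TIMEOUT_AFTER_DEBIT":
            # The debit went through but the response was lost in transit.
            self.debits[txn_ref] = amount_paise
            return {"status": "FAILED", "code": "BANK_TIMEOUT"}
        return {"status": "FAILED", "code": outcome}


if __name__ == "__main__":
    gw = FakeGateway(["BANK_TIMEOUT", "TIMEOUT_AFTER_DEBIT"])
    result = pay_with_retry(gw.send, "ORD-1001", "customer@examplebank",
                            250000, sleep=lambda s: None)
    print(result.status, result.attempts, "debits:", len(gw.debits))
```

Generating a fresh reference per attempt would turn the lost-response case into a second debit, which is why the reference is created once by the caller.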
Building Your India Stack Integration Roadmap
Trying to integrate all India Stack components simultaneously creates complexity without proportional benefit. A phased approach aligned with your product's growth stage produces better results:
Phase 1: Payments and Identity (Month 1-2)
Start with UPI payment collection through a licensed PA and Aadhaar OKYC for identity verification. These two integrations handle the most basic startup needs: collecting money and verifying customers. Both can be implemented in 2 to 4 weeks with minimal compliance overhead. Register your Private Limited Company, obtain GST registration, and go live with payments and KYC.
Phase 2: Document Verification (Month 2-4)
Add DigiLocker Requester API to replace manual document uploads in your onboarding flow. Apply to MeitY early (the 4-8 week approval process runs in parallel with Phase 1). Once approved, integrate the OAuth flow and deploy verified document pulls for PAN, driving licence, and other relevant documents.
Phase 3: Financial Data Access (Month 4-8)
Integrate with the Account Aggregator framework to access verified bank statements and financial data. This phase requires either direct FIU registration (if you hold an NBFC or other financial licence) or a partnership with a regulated entity. Complete Sahamati sandbox testing and production certification before deploying to users.
Phase 4: Embedded Credit (Month 6-12)
If your product has a credit use case, integrate with OCEN to offer lending products through your platform. This phase requires a lending partner (NBFC or bank), Digital Lending Master Direction compliance, and integration of UPI AutoPay for repayment collection.
Consider applying for Startup India registration before beginning Phase 1. The 3-year tax holiday under Section 80-IAC, angel tax exemption, and access to SIDBI's Fund of Funds can offset early-stage integration and compliance costs significantly.
India Stack and the DPDP Act: Building a Unified Privacy Framework
Every India Stack integration processes personal data. UPI transactions contain payment data linked to an individual. AA fetches deliver bank statements, investment records, and tax filings. DigiLocker pulls return identity documents, addresses, and financial identifiers. Aadhaar verification processes biometric or demographic data. All of this falls squarely within the Digital Personal Data Protection Act, 2023.
Startups integrating with multiple India Stack layers must build a unified consent and privacy framework rather than treating each integration separately. The DPDP Act requires:
- Single, comprehensive privacy notice: Cover all India Stack data flows (UPI, AA, DigiLocker, Aadhaar) in one privacy notice, specifying the purpose, retention period, and third-party sharing for each data type
- Granular consent management: While the AA framework has its own consent mechanism, DPDP consent must independently cover data processing activities that extend beyond the AA's scope (storing derived insights, using data for model training, sharing with partners)
- Data minimization across all layers: Fetch only the data you need. Requesting 5 years of bank statements when 6 months suffices, or pulling all DigiLocker documents when only PAN is needed, violates the purpose limitation principle
- Unified breach notification: A breach affecting data from multiple India Stack sources must be reported to all relevant regulators (RBI for payment/AA data, MeitY for DigiLocker data, UIDAI for Aadhaar data, and the Data Protection Board under DPDP) within their respective timelines. Build a single incident response plan that triggers all necessary notifications
- Data erasure workflow: When a customer withdraws consent or requests data deletion, the erasure must cover data from all India Stack sources, derived data (credit scores, risk assessments), and backups, while preserving data that must be retained under RBI directions (minimum 5-year retention for financial records)
India Stack Integration for Specific Startup Categories
The combination of India Stack layers a startup needs depends on its business model. Here is a mapping of common startup categories to the India Stack components they should prioritize:
- Fintech lending (NBFC or LSP): All four layers plus OCEN. UPI for disbursement and repayment, AA for bank statement and financial data access, DigiLocker for KYC document verification, Aadhaar for identity verification. This is the maximum integration scenario
- E-commerce and D2C: UPI (payment collection) and DigiLocker (seller verification for marketplace models). AA integration is relevant only if offering embedded credit through OCEN
- Insurance distribution: AA (policy aggregation and financial data for underwriting), DigiLocker (KYC and vehicle RC for motor insurance), UPI (premium collection and claims disbursement)
- Wealth management and advisory: AA (mutual fund, equity, and NPS data aggregation), DigiLocker (PAN and identity verification), UPI (SIP and investment payment collection)
- HR and payroll SaaS: DigiLocker (employee document verification, educational certificates, identity proof), UPI (salary disbursement), Aadhaar OKYC (identity verification for new hires)
- B2B marketplace: DigiLocker (GST certificate and incorporation certificate verification for vendor onboarding), UPI (payment collection and settlement), AA (financial health assessment for credit decisions through OCEN)
Every startup category above benefits from registering under Startup India for the tax benefits and from maintaining ongoing compliance services to manage the regulatory obligations that accumulate as more India Stack layers are integrated.