These practices are derived from ICP requirements and the UAE KYC integration standard. Following them ensures your integration passes security review, goes live without delays, and stays compliant post-launch.
Protect Your Credentials & API Keys
Your API keys grant access to government-grade identity data. Treat them as secrets at all times.
Never expose keys client-side
Do not include your x-transaction-key in mobile apps, browser code, or public repositories. All API calls must originate from your backend servers.
Store keys securely
Use a secrets manager or environment variables. Never hardcode keys in source code or configuration files committed to version control.
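A check for the "never hardcode" rule above, added here as an example and not part of the UAE KYC documentation or SDK: it scans source and configuration files for a literal value placed next to the x-transaction-key header name and lets environment or secrets-manager lookups through. The regexes, the allowed-source patterns and the sample lines are assumptions constructed for the example; tune them to your own code base.

```python
import re
from pathlib import Path

# Header name from the page. A value read from the environment or a secrets manager is fine;
# a quoted or bare literal placed next to the header name is a hardcoded key.
HARDCODED = re.compile(
    r"""x[-_]transaction[-_]key["']?\s*[:=]\s*["']?([^\s"',}]{8,})""", re.IGNORECASE)
ALLOWED_SOURCES = re.compile(r"os\.environ|getenv|secretsmanager|vault|keyvault|\$\{|\{\{",
                             re.IGNORECASE)


def find_hardcoded_keys(text, path="<memory>"):
    """Return one finding per line that assigns a literal value to x-transaction-key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = HARDCODED.search(line)
        if match and not ALLOWED_SOURCES.search(line):
            # Never echo the full secret into CI output; keep a short preview only.
            findings.append({"path": path, "line": lineno, "preview": match.group(1)[:4] + "..."})
    return findings


def scan_tree(root, suffixes=(".py", ".js", ".ts", ".java", ".yaml", ".yml", ".json")):
    """Walk a checkout and collect findings from files with the given suffixes (plus .env files)."""
    findings = []
    for file in Path(root).rglob("*"):
        if file.is_file() and (file.suffix in suffixes or file.name == ".env"):
            findings.extend(find_hardcoded_keys(file.read_text(errors="replace"), str(file)))
    return findings


# Constructed sample showing what the scan flags and what it lets through.
SAMPLE = '''
headers = {"x-transaction-key": "k8f3s9d2aa11"}          # flagged: literal in code
headers = {"x-transaction-key": os.environ["KYC_KEY"]}   # fine: read from the environment
X_TRANSACTION_KEY=p9q8w7e6r5t4                            # flagged: literal in a .env file
x-transaction-key: ${KYC_TRANSACTION_KEY}                 # fine: template placeholder
'''

if __name__ == "__main__":
    for hit in find_hardcoded_keys(SAMPLE, "sample"):
        print(f"{hit['path']}:{hit['line']}: x-transaction-key literal ({hit['preview']})")
```

Run `scan_tree(".")` as a pre-commit or CI step and fail the build on any finding.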
Rotate on compromise
If a key is exposed or suspected compromised, rotate it immediately and contact support@uaekyc.ae.
Network & Infrastructure Requirements
Your servers must meet ICP’s infrastructure requirements before access is provisioned.
Server Location
Servers must be physically located inside the UAE. Offshore or foreign-hosted infrastructure is not permitted for any environment that accesses UAE KYC services.
IP Address Rules
- Use separate, dedicated IP addresses for Staging and Production — the same IP cannot serve both
- Staging: minimum 1 IP, maximum 2 IPs
- Production: minimum 1 IP, maximum 5 IPs — at least 2 recommended for failover
- Submit your IPs via the Service Provisioning Form (shared during onboarding) — changes require re-whitelisting
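The four IP rules above as a pre-submission check, added here as an example and not a UAE KYC or ICP tool: it validates the addresses, enforces the per-environment counts, rejects an IP shared between Staging and Production and warns when Production has a single IP. The private-range warning is an assumption, since an MPLS or VPN path may legitimately use private addressing.

```python
import ipaddress

# Limits from the IP Address Rules above: (minimum, maximum) addresses per environment.
LIMITS = {"staging": (1, 2), "production": (1, 5)}
RECOMMENDED_PRODUCTION_IPS = 2
# Assumed check: these ranges cannot serve as a public egress address for IP whitelisting
# (an MPLS line or site-to-site VPN may legitimately use private addressing instead).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def validate_ip_submission(staging, production):
    """Check Staging/Production IP lists before they go on the Service Provisioning Form.

    Returns (errors, warnings): errors must be fixed before submission, warnings are advisory.
    """
    errors, warnings = [], []
    parsed = {}
    for env, raw_ips in (("staging", staging), ("production", production)):
        ips = set()
        for raw in raw_ips:
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                errors.append(f"{env}: '{raw}' is not a valid IP address")
                continue
            if any(ip in net for net in NON_ROUTABLE):
                warnings.append(f"{env}: {ip} is not publicly routable; usable only via MPLS/VPN")
            ips.add(ip)
        low, high = LIMITS[env]
        if not low <= len(ips) <= high:
            errors.append(f"{env}: {len(ips)} IP(s) supplied, allowed range is {low}-{high}")
        parsed[env] = ips
    shared = parsed["staging"] & parsed["production"]
    if shared:
        errors.append("same IP used for both environments: " + ", ".join(sorted(map(str, shared))))
    if len(parsed["production"]) < RECOMMENDED_PRODUCTION_IPS:
        warnings.append("production: fewer than 2 IPs supplied; at least 2 are recommended for failover")
    return errors, warnings


if __name__ == "__main__":
    # Constructed input: one staging IP that is also reused as the only production IP.
    errs, warns = validate_ip_submission(["203.0.113.10"], ["203.0.113.10"])
    print("errors:", errs)
    print("warnings:", warns)
```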
Traffic Routing
All UAE KYC traffic must be routed through your approved connectivity method:
| Option | Suitable For |
|---|---|
| IP Whitelisting | Most clients — standard option |
| MPLS | Enterprises with existing ICP MPLS lines |
| Site-to-Site VPN | Organisations needing a dedicated encrypted tunnel |
| ADnet / FedNet | Abu Dhabi and UAE federal government entities |
Implement routing rules on your WAF or gateway to enforce that all UAE KYC traffic exits through the approved path. HTTPS only — HTTP is disallowed entirely.
Proxy & WAF
Many clients expose UAE KYC through an internal FQDN (e.g. stg-icp.<your-domain>.ae) on their WAF and restrict it to office/VPN networks. This adds an additional control layer and is strongly recommended. See the Proxy Setup Guide.
Use the Staging Environment Correctly
Staging is for integration testing only. It has hard limits imposed by ICP — exceeding them or misusing the environment can delay your Production approval.
| Limit | Value |
|---|---|
| Maximum duration | 3 months |
| Maximum validation requests | 2,000 |
| Load testing | Not permitted |
| Real customer data | Not permitted |
Use only sandbox residents
Create test users from the Dashboard by clicking Sandbox. See Sandbox Residents for a full guide on creating and managing test users.
Complete the full testing checklist
Before requesting Production access, validate all of the following:
| Test Area | What to Verify |
|---|---|
| SDK Integration | SDK loads correctly, UI renders on all target devices |
| Document Capture | Emirates ID capture works reliably |
| Face Verification | Liveness detection and face match are functional |
| API Response Handling | All response attributes are parsed correctly |
| Error Handling | All error codes are handled gracefully — no unhandled failures |
| Dashboard Access | Transaction logs are visible and reports are accessible |
| End-to-End Flow | Complete customer journey works without issues |
Data Security & Privacy
You are responsible for how ICP data is stored and handled within your systems. These controls are reviewed during the ICP security questionnaire and are required for Production access.
Encryption
- Encrypt data in transit using TLS 1.3 — required for all UAE KYC communication
- Encrypt data at rest — identity data must not be stored in plaintext
- Store encryption keys in a dedicated key management system, not alongside the data they protect
Access Controls
- Implement role-based access control (RBAC) — only authorised personnel may access KYC response data
- Use unique user IDs and strong password standards for all systems handling ICP data
- Restrict source code access to designated development personnel
Data Handling Rules
- Define and enforce a data retention policy — do not store identity data longer than necessary
- Do not share ICP data with third-party vendors or external systems without explicit authorisation
- Do not store KYC data on public SaaS tools (e.g. Google Drive, OneDrive) without appropriate controls
- Restrict ICP data from being sent to external sites, webmail, or personal storage
Response Integrity
Always verify the cryptographic signature on API responses to confirm they have not been tampered with in transit.
See the Signature Verification Guide for how to verify response signatures using your certificate.
Prepare Before Going Live
Production access involves both technical validation and legal approvals. Plan these in parallel to avoid delays.
Legal Documents — Start Early
These agreements must be fully executed before Production credentials are issued. Progress them in parallel with your technical integration:
| Document | Purpose |
|---|---|
| NDA | Non-disclosure of confidential information |
| MSA | Master service agreement |
| SOW | Scope, deliverables, and pricing |
| DPA | Data processing agreement (if applicable) |
| EULA | End-user licence agreement |
Volume & Capacity Planning
Before production provisioning, share your expected usage with the UAE KYC team so infrastructure capacity can be confirmed:
- Average and peak daily onboardings
- Expected concurrent requests
- Peak hours
- Re-KYC volume (if applicable)
Phased Rollout
Always roll out to Production gradually. A full immediate launch increases risk significantly.
Only proceed to the next phase when your transaction success rate is above 98% and no critical issues are open.
| Phase | Traffic | Duration |
|---|---|---|
| Pilot | 5% — internal users only | 2–3 days |
| Soft Launch | 10–25% — limited external customers | As planned |
| Ramp Up | 50–75% — gradual increase | As planned |
| Full Launch | 100% — all customers | As planned |
Rollback Plan
Define rollback criteria before go-live:
- The specific error rate or failure condition that triggers a rollback
- The fallback KYC process (if any) for affected customers
- Your communication plan for customers impacted by an outage
- The escalation path to UAE KYC support: support@uaekyc.ae
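The 98% gate from Phased Rollout and the error-rate trigger from Rollback Plan combined into one checkpoint function, added here as an example that is not part of the UAE KYC documentation. The Outcome record shape, the 10% rollback threshold and the sample sizes are assumptions; the page leaves the rollback value to your own plan.

```python
from dataclasses import dataclass

# Phase order from the Phased Rollout table above.
PHASES = ["Pilot", "Soft Launch", "Ramp Up", "Full Launch"]
ADVANCE_MIN_SUCCESS = 0.98   # page rule: move on only while the success rate is above 98%
ROLLBACK_MAX_FAILURE = 0.10  # assumed trigger value; your rollback plan sets the real one


@dataclass
class Outcome:
    """One production KYC transaction result (constructed record shape, not the API's)."""
    transaction_id: str
    status: str            # "success" or "failure"
    error_code: str = ""


def success_rate(outcomes):
    if not outcomes:
        return 0.0
    return sum(1 for o in outcomes if o.status == "success") / len(outcomes)


def _result(action, next_phase, rate, failing):
    return {"action": action, "next_phase": next_phase, "rate": round(rate, 4),
            "error_codes": sorted(failing)}


def rollout_decision(current_phase, outcomes, critical_issues_open, min_sample=100, rollback_floor=20):
    """Decide what to do at a checkpoint: rollback, hold, advance or complete.
    Rollback is checked first and on a smaller sample so a bad release is caught early."""
    rate = success_rate(outcomes)
    failing = {o.error_code for o in outcomes if o.status == "failure" and o.error_code}
    if len(outcomes) >= rollback_floor and (1 - rate) >= ROLLBACK_MAX_FAILURE:
        return _result("rollback", None, rate, failing)
    # Advancing needs the full sample, the success threshold and no open critical issues.
    if len(outcomes) < min_sample or critical_issues_open or rate <= ADVANCE_MIN_SUCCESS:
        return _result("hold", current_phase, rate, failing)
    idx = PHASES.index(current_phase)
    if idx == len(PHASES) - 1:
        return _result("complete", current_phase, rate, failing)
    return _result("advance", PHASES[idx + 1], rate, failing)


if __name__ == "__main__":
    # Constructed checkpoint: 198 successes and 2 timeouts during the Pilot phase.
    sample = [Outcome(f"t{i}", "success") for i in range(198)]
    sample += [Outcome(f"f{i}", "failure", "E_TIMEOUT") for i in range(2)]
    print(rollout_decision("Pilot", sample, critical_issues_open=False))
```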
Maintain a Security Posture
ICP requires all integrators to maintain baseline security controls throughout the integration lifecycle — not just at onboarding.
Information Security Policy
Maintain a management-approved information security policy. This is required for the ICP Security Questionnaire.
Incident Response Plan
Have a documented incident response plan. Notify UAE KYC promptly if a breach involving ICP data occurs.
Audit Logging
Keep tamper-evident audit logs for all KYC-related system activity. Logs must be retained long enough to support security investigations.
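One way to make KYC audit logs tamper-evident, added here as an example and not part of the UAE KYC documentation: each entry carries an HMAC over its own content and the previous entry's MAC, so editing, reordering or deleting an entry breaks the chain from that point on. The key, field names and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed example key: in a real deployment it lives in the KMS, never beside the log it protects.
CHAIN_KEY = b"example-audit-chain-key-rotate-me"
GENESIS_MAC = "0" * 64   # value chained into the first entry


def _entry_mac(prev_mac, record):
    # Canonical JSON (sorted keys, no whitespace) so the same event always MACs identically.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_entry(log, actor, action, transaction_id, ts=None):
    """Append one KYC-related event; its MAC covers the event and the previous entry's MAC."""
    record = {"ts": int(time.time()) if ts is None else ts, "actor": actor,
              "action": action, "transaction_id": transaction_id}
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    record["mac"] = _entry_mac(prev_mac, record)
    log.append(record)
    return record


def verify_chain(log):
    """Return (True, None) if every link holds, else (False, index of the first bad entry).

    Editing, reordering or deleting an entry breaks every MAC from that point on. Removing
    entries at the tail is only detectable if the latest MAC is also anchored somewhere the
    log writer cannot modify, for example shipped periodically to a separate store.
    """
    prev_mac = GENESIS_MAC
    for index, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_entry_mac(prev_mac, record), entry["mac"]):
            return False, index
        prev_mac = entry["mac"]
    return True, None


if __name__ == "__main__":
    audit = []
    append_entry(audit, "ops-user", "VIEW_KYC_RESPONSE", "txn-001", ts=1700000000)
    append_entry(audit, "svc-account", "EXPORT_REPORT", "txn-002", ts=1700000060)
    print(verify_chain(audit))           # (True, None)
    audit[0]["actor"] = "someone-else"   # tamper with the first entry
    print(verify_chain(audit))           # (False, 0)
```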
Vulnerability Management
Conduct regular penetration tests and maintain a patch management process for all systems that process ICP data.
Staff Training
Train all staff with access to KYC response data on information security responsibilities.
Keep Contacts Updated
Keep your first-line support and escalation contacts up to date with UAE KYC — these are required for the ICP security questionnaire and used in production incidents.
