Support

Frequently asked questions.

Questions about our products, security practices, and how we approach compliance software for Australian regulated industries.

General

What does RedRock Systems do?

RedRock Systems builds compliance-focused software for Australian regulated industries. We develop purpose-built SaaS products — including CoordHub for NDIS providers and RedRock AML for Tranche 2 compliance — and custom software for organisations with sector-specific requirements that generic platforms cannot address.

Where is RedRock based?

RedRock Systems is an Australian business. Our primary infrastructure runs in Sydney, Australia, and all products are built for Australian regulatory requirements.

How long has RedRock been operating?

RedRock Systems has been building software for regulated Australian industries and has deep familiarity with the compliance obligations that apply in sectors including NDIS, aged care, AML/CTF, financial services, construction, transport, and healthcare.

Do you only build compliance software?

Compliance is our primary focus because that is where the cost of bad software is highest. We build software where the regulatory obligations are encoded in the system — not where you adapt a generic platform to approximate compliance. We also work on non-compliance-specific projects where there is a clear fit with our capabilities.

Products

What products does RedRock offer?

Our current products include CoordHub (NDIS support coordination, plan management, and service delivery), RedRock PM (practice management for professional services firms with AML/CTF compliance built in), RedRock AML (standalone AML/CTF compliance for Tranche 2 DNFBPs), and Solace (practice management for sole traders and independent workers). We also build custom software for organisations with sector-specific requirements.

When will products be available?

All RedRock Systems products are currently in active development. Join the waitlist on any product page to be notified when each product launches.

Can I sign up now?

Not yet. We are in a closed development phase. The waitlist is the only way to register interest.

Security & Data

Where is my data hosted?

Primary database infrastructure is hosted in Sydney, Australia. We do not route your data through overseas servers as a primary storage location. Specific hosting details — including provider, region, and failover arrangements — are available in our Trust documentation.

Is my data encrypted?

Yes. Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Sensitive compliance documents — such as AML/CTF records and SMRs — are encrypted at the application layer with AES-256-GCM in addition to database-level encryption.

Do you sell data to third parties?

No. We do not sell, share, or on-disclose client data to third parties for commercial purposes. Data is used only to provide the service you have contracted. Our privacy policy sets out the full terms of data handling.

What happens to my data if I cancel?

On cancellation, you retain access to your data for a 30-day period to facilitate export. After that period, data is deleted from active systems. Deletion from backups follows our standard backup rotation schedule, which is documented in our Trust documentation. We do not retain your data after the deletion period for any commercial purpose.

Development

What technologies do you use?

Our products are built on modern web technologies including Next.js, TypeScript, PostgreSQL with row-level security, and Supabase for managed infrastructure. We use Vercel for deployment and Resend for transactional communications. Technology choices are made based on fitness for the regulatory requirements of each product — not trend.

How quickly can you build custom software?

It depends on scope and complexity. A focused compliance module for a specific regulatory obligation can be scoped, designed, and delivered in 4 to 8 weeks. A full platform with multi-module compliance, role-based access, and external integrations typically takes 3 to 6 months for an initial production release. We provide a scoping estimate after a discovery session at no cost.

Do you provide ongoing support?

Yes. All custom development engagements include a post-launch support period. Ongoing support, maintenance, and product evolution are available under a retainer arrangement. For SaaS products, support is included in the subscription and escalation paths are defined in the relevant service level terms.

Can you integrate with our existing systems?

Yes. We build integrations with practice management systems, accounting platforms, government portals (including PRODA and HPOS), and third-party identity verification providers. Integration scope is assessed during discovery — we will tell you what is feasible before you commit to a project.

Compliance

Is your software NDIS certified?

No software product is 'NDIS certified'. The NDIS Quality and Safeguards Commission audits registered providers — it does not certify or accredit software. CoordHub is designed to support providers in meeting their obligations under the NDIS Practice Standards and Code of Conduct. Whether your organisation meets those standards is a matter of your practices, policies, and people — CoordHub gives you the systems to document and demonstrate compliance.

Does your AML module meet AUSTRAC requirements?

RedRock AML and the AML/CTF module in RedRock PM are designed to assist reporting entities in meeting their obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. Compliance with those obligations is the legal responsibility of the reporting entity — not the software provider. Our software encodes the obligations and automates the workflows; your compliance officers and advisers retain responsibility for the decisions made using those systems.

Do you store data in Australia?

Yes. Our primary database infrastructure is located in Sydney, Australia. We do not use overseas primary storage for customer data. This supports Australian data sovereignty requirements and is relevant for organisations with obligations under the Privacy Act 1988, the My Health Records Act 2012, or sector-specific data localisation requirements.

Still have questions?

If your question is not answered here, book a call or send us a message. We respond to all enquiries within one business day.