Trust & Security

Security isn’t a feature.
It’s the foundation.

Compliance software handles sensitive, regulated data. NDIS participant records, AML/CTF transaction histories, financial client files — these are not ordinary workloads. RedRock Systems is built from the ground up with enterprise-grade security so that regulated organisations can deploy with confidence.

01

Infrastructure

  • Primary database: Supabase PostgreSQL on AWS Sydney (ap-southeast-2) — your data stays in Australia
  • Application hosting: Vercel edge network with automatic DDoS mitigation and global CDN
  • Encryption at rest: AES-256 applied to all stored data (Supabase default, cannot be disabled)
  • Encryption in transit: TLS 1.3 enforced across all connections
  • Daily automated backups with point-in-time recovery via Supabase

02

Access Control

  • Row-level security (RLS) enforced on every database table — data isolation is enforced at the storage layer
  • Multi-tenant architecture: tenants are cryptographically isolated and cannot access each other's data
  • TOTP multi-factor authentication available for all accounts
  • Role-based access control (RBAC) with granular permission sets
  • bcrypt password hashing — plaintext passwords are never stored
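Storage-layer tenant isolation of the kind described above, as an added illustration of PostgreSQL row-level security in the Supabase style; this is not RedRock's schema or code, and the table names, the `tenant_members` membership table and the use of Supabase's `auth.uid()` are assumptions.

```sql
-- Added illustration of tenant isolation via RLS (not RedRock's schema).
-- Assumed tables: tenant_members (who belongs to which tenant) and
-- participant_records (tenant-scoped data). auth.uid() is Supabase's
-- helper that returns the caller's user id from the request JWT.

create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null references auth.users (id),
  primary key (tenant_id, user_id)
);

create table participant_records (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  body      jsonb not null
);

-- Without ENABLE, a query through the API role sees every row of the table.
-- FORCE binds the table owner as well, so owner-level connections get no bypass.
alter table tenant_members      enable row level security;
alter table tenant_members      force  row level security;
alter table participant_records enable row level security;
alter table participant_records force  row level security;

-- Users may see only their own membership rows (needed by the subquery below).
create policy own_memberships on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- USING filters reads/updates/deletes; WITH CHECK blocks inserts or updates
-- that would move a row into a tenant the caller does not belong to.
create policy tenant_isolation on participant_records
  for all to authenticated
  using (
    tenant_id in (select tenant_id from tenant_members where user_id = auth.uid())
  )
  with check (
    tenant_id in (select tenant_id from tenant_members where user_id = auth.uid())
  );

-- Review check: impersonate an API user in a session and confirm that a
-- deliberately unscoped query returns only that user's tenant rows.
-- "<user-id-placeholder>" is a placeholder, not a real identifier.
set role authenticated;
set request.jwt.claims = '{"sub":"<user-id-placeholder>","role":"authenticated"}';
select count(*) from participant_records;  -- counts only the caller's tenant rows
reset role;
```

Note that Supabase's `service_role` key bypasses RLS entirely, so any server-side code using it must enforce tenant scoping itself; the policies above protect only requests made under the `authenticated` role.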

03

Compliance Frameworks

  • Designed to support NDIS Practice Standards — purpose-built for registered NDIS providers
  • Designed to support AML/CTF Act 2006 obligations — customer identification, transaction monitoring, record-keeping
  • Australian Privacy Act 1988 (APPs) compliant — data handling aligned to all 13 Australian Privacy Principles
  • Registered under the Notifiable Data Breaches scheme — eligible breaches reported to OAIC within statutory timeframes

04

Data Handling

  • We do not sell customer data to third parties, ever
  • Data is processed only as instructed by the Customer — we act as data processor, you are the controller
  • AML/CTF records retained for 7 years as required by Part 10 of the AML/CTF Act 2006
  • Data export available on request at any time during your subscription
  • Data deletion upon account termination after a 30-day export window

05

Development Practices

  • Automated test suites covering unit, integration, and end-to-end scenarios
  • Continuous integration and deployment — every change is tested before production
  • Code review required on every change — no direct pushes to production
  • Dependency scanning and security patching as part of the release process

Security questions or penetration test requests? hello@redrocksystems.com.au

REDROCK SYSTEMS PTY LTD  ·  ABN 53 696 760 433  ·  ACN 696 760 433  ·  Perth, Western Australia