Data Residency

Last updated: 1 April 2026

For Australian regulated industries — NDIS providers, AML/CTF reporting entities, accounting practices — knowing where your data lives is not optional. This page documents every system that touches customer data, where it is located, and why.

01

Why Data Residency Matters

Australian Privacy Principle 8 (APP 8) requires organisations to take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs before any cross-border disclosure occurs.

For NDIS registered providers, the NDIS Practice Standards and the NDIS Act 2013 impose obligations around the security and appropriate handling of participant records, which include health and disability information. For AML/CTF reporting entities, AUSTRAC expectations include maintaining the integrity and confidentiality of transaction monitoring records.

Our architecture is designed so that primary customer data — participant records, transaction histories, compliance documentation — always resides in Australia. Cross-border flows are limited to transactional sub-processors (email delivery, payments) that do not store substantive customer records.

02

Where Your Data Lives

The following table sets out every system in the RedRock Systems stack that processes customer data, where it is located, and the nature of that processing.

| System | Function | Location | Nature of processing |
|---|---|---|---|
| Supabase | Primary database (PostgreSQL), authentication, file storage | Sydney, Australia — AWS ap-southeast-2 | All customer records, user accounts, and uploaded documents. This is where your data permanently resides. Data does not leave this region as part of normal operations. |
| Vercel | Application hosting, serverless functions, edge CDN, analytics | Global edge network (primary: US) | Executes application code and serves the web interface globally. Static assets and HTML are cached at edge nodes worldwide. Vercel Analytics is aggregated and privacy-preserving — no personal data is stored by Vercel Analytics. |
| Stripe | Payment processing, billing, subscription management | Global — primary infrastructure in the US | Handles payment card data directly. PCI DSS Level 1 certified. We pass your billing name and amount to Stripe; we do not store raw card numbers. Payment data may transit US infrastructure per Stripe's architecture. |
| Resend | Transactional email delivery (receipts, account notifications, security alerts) | United States | Receives transactional email content for delivery only. No substantive customer records are stored by Resend beyond normal email delivery metadata (addresses, timestamps). Emails are not indexed or retained beyond operational delivery logs. |

03

Our Commitment

Primary customer data always resides in Australia. All NDIS participant records, AML/CTF compliance data, client files, and user-generated content are stored in Supabase PostgreSQL in the AWS Sydney region (ap-southeast-2). This data does not transit overseas as part of normal operations.

Cross-border disclosure is limited and disclosed. The only cross-border data flows are to transactional sub-processors listed above (Stripe for payments, Resend for email). These are disclosed here and in our Privacy Policy under APP 8. Contractual arrangements with each sub-processor ensure an adequate level of protection consistent with the APPs.

30 days’ notice before adding new sub-processors. If we add a new sub-processor that would change the data residency picture, we will update our Sub-processor List and notify customers at least 30 days in advance.

04

APP 8 Compliance Steps

Before disclosing personal information to each overseas recipient, we take the following steps to satisfy APP 8:

  • Review the sub-processor's privacy policy and data processing agreement to confirm APP-equivalent protections
  • Enter into a Data Processing Agreement or Standard Contractual Clauses with each overseas processor
  • Disclose the cross-border flows on this page and in our Privacy Policy, obtaining user acknowledgement on account creation
  • Periodically review each sub-processor's compliance certifications (e.g., Stripe's PCI DSS Level 1, Vercel's SOC 2 Type II)

Questions about data residency? hello@redrocksystems.com.au  ·  REDROCK SYSTEMS PTY LTD  ·  ABN 53 696 760 433