Trust & Operations

Security overview.

Last updated 20 May 2026

roc.up holds the most sensitive category of personal information that exists under Australian law: the health information of NDIS participants. We treat that responsibility as the first thing we get right. This page lays out the security posture we operate to today — what's in place, what we audit, and what we'd do if something went wrong.

1. Where your data lives

2. Access controls

2.1 Inside your workspace

Within each customer workspace, roc.up enforces a layered permission model:

2.2 roc.up staff access

3. Authentication

4. Backups and recovery

5. The AI features

Pattern Watch and AI-drafted incident reports send shift-note text and handover text to a third-party AI model provider for analysis.

Important. AI outputs are suggestions for human review. roc.up does not replace clinical, legal, or compliance judgement. Final responsibility for any incident report, care decision, or compliance record sits with you as the NDIS provider.

6. Sub-processors

The full live list of third parties we use to operate roc.up is at subprocessors.html. Each sub-processor is under a written data-processing arrangement. We commit to giving notice when we add or change one.

7. Incident response

If we become aware of a security incident affecting your data:

8. Vulnerability disclosure

If you believe you have found a security vulnerability in roc.up, please tell us at security@caringabode.com.au. We welcome responsible disclosure. Please give us a reasonable window to respond and fix before publishing details; we will acknowledge receipt within 5 business days and give you a status update at least every 14 days while we work on the issue.

We do not currently pay bug bounties, but we will publicly credit security researchers (with permission) once a fix is in place.

9. Compliance roadmap

roc.up is not currently certified to SOC 2 or ISO 27001. We are establishing the controls necessary for one or both, with a target of [REVIEW: target date]. In the meantime, our security posture is aligned with the controls expected in those frameworks even where not formally audited.

10. What you should do on your end

Security is shared. As a customer, you are responsible for:

11. Contact