Security Notice

Last updated: 14 May 2026

Root Cause Analytics Pty Ltd ("we", "us", "our") takes security seriously. This notice describes how we secure the products we ship and the operational practices we follow. For privacy questions, see the Privacy Policy.

RCA Extract on Snowflake

RCA Extract is delivered as a Snowflake Native App through the Snowflake Marketplace (listing GZSUZU1HJP). The product runs entirely inside the customer's own Snowflake account.

  • Patient data, documents and extracted output remain entirely within your Snowflake environment.
  • Root Cause Analytics does not have access to your documents or the extracted data.
  • Your existing Snowflake security controls, audit logs and access policies apply to every document processed.
  • No external API calls. No third-party data processors involved in extraction.
  • Encryption at rest and in transit, provided by Snowflake.

Synthetic training document libraries

The RCA Insurance Library, RCA Medical Library and RCA Benchmark Packs are synthetic. They are generated by a deterministic Python pipeline from curated case files and phrase banks. No real patient, claimant, broker, insurer, or customer data is held, transmitted or stored anywhere in the generator or the libraries.

  • Every PDF carries a visible synthetic disclaimer on every page.
  • Libraries are delivered as direct downloads. We do not introduce third-party file-share processors unless the customer requests one and a data agreement is in place.
  • The libraries are not licensed for clinical, claims, underwriting, accounting, regulatory or legal use. See the Terms of Service.

Website

  • HTTPS everywhere. HSTS enabled.
  • Hosted on Vercel with their default security controls.
  • Static site generation reduces server-side attack surface.
  • Contact form submissions are emailed to the founder inbox; no public-facing customer database is exposed.
  • Analytics via Google Analytics 4 (aggregate metrics only).

Operational practices

  • Source code stored in a private GitHub repository under access controls.
  • Two-factor authentication enabled on all administrative accounts (GitHub, Vercel, Snowflake Marketplace publisher account, email).
  • Production deployments are gated on the main branch and trigger an immediate auditable build on Vercel.
  • Credentials and secrets are managed via Vercel environment variables. None are committed to source.
  • No production access from personal mobile devices.

Reporting a vulnerability

If you discover a security issue affecting our website, our products, or the synthetic libraries, please report it to jack.webb@rootcauseanalytics.com.au.

Coordinated disclosure

Please give us a reasonable opportunity to investigate and resolve the issue before publishing details. We will acknowledge your report within five business days (AEST).

Customer security questionnaires

We respond to security and procurement questionnaires from prospective customers. Email jack.webb@rootcauseanalytics.com.au with the questionnaire attached and a reasonable response window.


See also: Privacy Policy and Terms of Service.