Subprocessors
A subprocessorA third-party service that processes data on our behalf as part of running First Six. is any third party that touches your data as part of running First Six. We keep the list short and disclose it plainly, because the fewer hands on the data, the smaller the surface for something to go wrong.
The current list
| Subprocessor | What it does | Data it touches | Region |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All application data (system of record) | Australia (AWS Sydney) |
| Vercel | Application hosting + CDN | Requests in transit, PII-minimised runtime logs | Sydney edge + global CDN |
| Twilio SendGrid | Transactional email | Recipient email, student first name + program, help category, message excerpt | United States |
| Sentry | Error monitoring | Diagnostics with personal data scrubbed before egress | United States |
| Anthropic | Staff-only AI drafting assistant | Staff prompts + tenant content; never student welfare records | United States |
| Your IdP (e.g. Microsoft Entra) | Single sign-on | Identity assertions (email, subject, name) | You control it |
Primary data stays in Australia. The two US services that touch content are email (which carries notification text, including some welfare-relevant excerpts) and the AI assistant (staff-only, never sent student welfare records). Error monitoring is US-hosted but personal data is scrubbed before it leaves the app, and session replays are fully masked.
Not subprocessors
The marketing site runs on Webflow, but it serves only the public website and does not process application data — the apps run on their own subdomains. So Webflow is not a subprocessor of your student data.
How we manage them
- The list is maintained and kept current; the version here reflects the latest review date at the top of this page.
- Data-processing agreement coverage is tracked per provider.
- If a subprocessor changes, it shows up here, and the full current list is available on request for a formal assessment.
Common questions
Can we get a formal, signed subprocessor list?
Yes — request it as part of a security or procurement assessment and we'll provide the current list with DPA status per provider.
Why is email a US service?
Transactional email currently runs through a US-hosted provider, and some notification content travels in email bodies. We disclose this rather than bury it; if AU-region delivery is a hard requirement, raise it early.
Is student welfare data ever sent to the AI vendor?
No. The AI assistant is staff-only and is never sent student welfare records; its inputs are staff prompts and tenant content such as tags and cohort settings.
Related
The fastest answer is usually one question away.