Product
Platform
Weekly briefings
Wellbeing check-ins
Help inbox
Cohort insights
Student workspace & timetable
Branding & white-label
Writing assistant
Before & after the six weeks
Rolling & staggered intakes
Trust Centre
Security
Privacy
Data residency
Compliance
Accessibility
Reliability
Legal
Subprocessors
HECVAT
Solutions
Why students leave
Student success & retention
Orientation & transition
Wellbeing & counselling
IT, security & procurement
First-year retention
Belonging & engagement
Early intervention
Support for Students obligation
Leading indicators
Join the waitlistView preview

Data Processing Agreement

**Last updated: 29 June 2026**

**Version: 2.0**

‍

This DPA forms part of the Agreement between the Institution ("Controller") and First Six Pty Ltd First Six Technologies Pty Ltd (ACN 699 938 817, ABN 19 699 938 817) ("Processor") and governs processing of personal information on the Controller's behalf. Where it conflicts with the Terms on data protection, this DPA prevails.

‍

## 1. Definitions

- **"Affiliate"** means an entity that controls, is controlled by, or is under common control with a party.

- **"Agreement"** has the meaning given in the Terms of Service.

- **"Controller"** means the Institution.

- **"Customer Data"** has the meaning given in the Terms of Service.

- **"Data Subject"** has the meaning given in the *Privacy Act 1988* (Cth) — the individual to whom personal information relates.

- **"Eligible Data Breach"** has the meaning given in the *Privacy Act 1988* (Cth), Part IIIC.

- **"Personal Information"** has the meaning given in the *Privacy Act 1988* (Cth).

- **"Personnel"** means employees and contractors of a party.

- **"Processing"** means any operation performed on Personal Information.

- **"Processor"** means First Six.

- **"Service"** has the meaning given in the Terms of Service.

- **"Subprocessor"** means a third party engaged by the Processor to process Personal Information.

‍

## 2. Roles and scope

The Controller determines the purposes and means of Processing; the Processor processes Personal Information only on the Controller's documented instructions, including as set out in **Annex 1**, except where law requires otherwise (in which case the Processor will notify the Controller unless prohibited).

‍

## 3. Processor obligations

The Processor will:

- process Personal Information only for the purposes in Annex 1;

- ensure Personnel are bound by confidentiality and limit access to Personal Information to Personnel with a need to know;

- implement the security measures in **Annex 2**;

- not sell Personal Information, and not use student data to train third-party AI models;

- assist the Controller, so far as reasonable, with Data Subject requests, security, breach notification, and any privacy impact assessments.

‍

## 4. Controller responsibilities

The Controller will:

- maintain the accuracy of roster and other Customer Data provided to the Processor;

- ensure it has a lawful basis under the Privacy Act (and any other applicable law) to provide Personal Information to the Processor;

- communicate Data Subject requests it receives to the Processor where Processor assistance is required;

- nominate a primary contact for data-protection matters.

‍

## 5. Subprocessors

- The Controller authorises the Subprocessors listed in **Annex 3**.

- The Processor imposes data-protection obligations on each Subprocessor consistent with this DPA and remains responsible for their performance.

- The Processor will give **at least 30 days' advance notice** of any intended addition or replacement of a Subprocessor (via the maintained subprocessor page and the Controller's nominated contact); the Controller may object on reasonable data-protection grounds within that period.

‍

## 6. Data Subject rights

The Processor will, taking account of the nature of Processing, assist the Controller in fulfilling its obligations to respond to requests under APP 12 (access), APP 13 (correction), and a request for deletion under the Privacy Act. **The Processor does not delete Personal Information on its own initiative and does not act on Data Subject deletion requests received directly; such requests are redirected to the Controller.** Where the Controller instructs the Processor to action a deletion request, the Processor will do so **within 30 days** of receiving the instruction.

‍

## 7. Data breach notification

The Processor will notify the Controller **within 72 hours of becoming aware** of an actual or suspected Eligible Data Breach affecting the Controller's Personal Information, with information reasonably available to support the Controller's assessment and any obligations under the Notifiable Data Breaches scheme (including the 30-day assessment window). The Processor will take reasonable steps to contain and remediate.

‍

## 8. International transfers

Personal Information forming the system of record is hosted in Australia. The Subprocessors in Annex 3 that operate outside Australia do so for defined functions; the Processor takes reasonable steps so that overseas recipients handle Personal Information consistently with the APPs, and minimises the Personal Information disclosed.

**EU and UK Data Subjects:** the Service is designed for and offered to Australian institutions. The Processor does not target the EU or UK. Where the Controller chooses to extend the Service to Data Subjects in the EU or UK, the Controller is responsible for assessing its own GDPR / UK GDPR position, including whether Standard Contractual Clauses (or equivalent) are required between the Controller and any overseas Subprocessor. The Processor will cooperate in good faith with such assessment.

‍

## 9. Return and deletion

On termination or expiry, the Processor will, **at the Controller's instruction**, return or delete Personal Information **within 30 days**, in a documented machine-readable format (currently JSON), except where retention is required by law. The Processor will not delete Personal Information without that instruction.

‍

## 10. Audit

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA (including HECVAT responses and security documentation under NDA) and will contribute to reasonable audits on reasonable notice, subject to confidentiality. Audits are limited to once per 12 months and the Controller bears reasonable cost unless the audit reveals material breach.

‍

## 11. Liability and governing law

Liability under this DPA is subject to the limitations in the Agreement. This DPA is governed by the laws of **Queensland, Australia**.

‍

## Annex 1 — Details of Processing

- **Subject matter:** provision of the First Six student-experience platform.

- **Duration:** the term of the Agreement.

- **Nature & purpose:** delivering weekly content, wellbeing check-ins, help inbox, aggregate cohort insights, workspace/timetable, and branding.

- **Types of Personal Information:** identity and enrolment data; student-generated content (notes, to-dos, timetable); wellbeing check-in responses; help-inbox messages; operational and audit logs.

- **Sensitive information:** wellbeing check-in responses constitute sensitive information (health information) within the meaning of *Privacy Act 1988* (Cth) s.6.

- **Categories of Data Subjects:** the Institution's students, staff, alumni (if applicable), and applicants; and visitors to the Processor's websites.

‍

## Annex 2 — Security measures

- Per-tenant isolation via database row-level security.

- Single sign-on through the Controller's identity provider; no shared passwords held by the Processor.

- Encryption in transit (TLS 1.2+) and at rest (managed by AWS).

- Least-privilege access functions; role-based access controls on all administrative interfaces.

- Immutable audit logging of sensitive actions (append-only, enforced at database level).

- Rate limiting and payload caps on public endpoints.

- Secrets held in a secrets manager and compared in constant time.

- Automated backups, with point-in-time recovery capability under test.

- Monitored infrastructure with a documented incident-response runbook.

- PII-scrubbed diagnostics; no personal information transmitted to error-monitoring tools.

- Periodic access reviews of Personnel.

- Documented change-management process for production deployments.

- Vendor risk management for new Subprocessors.

‍

## Annex 3 — Approved Subprocessors

| Name | Location | Purpose | Data classes |

|---|---|---|---|

| Supabase (AWS) | Australia (Sydney) | Database, authentication, file storage — system of record | All Customer Data |

| Vercel | Sydney compute; global CDN | Application hosting and content delivery | Inbound requests; no Customer Data at rest |

| SendGrid | United States | Transactional email | Recipient email; message subject and body |

| Twilio | United States | Crisis SMS (where enabled) | Recipient phone number; crisis-context message |

| Sentry | United States | Error monitoring | PII-scrubbed diagnostics only |

| Anthropic | United States | Staff-facing AI assistant; no model training on customer data | Staff prompts and Service context only; no student-private content |

Current list maintained at [subprocessor page](/trust/subprocessors).

‍

## Annex 4 — Retention schedule

| Data class | Retention period after Institution's term ends |

|---|---|

| Operational and technical logs | 90 days |

| Personal Information (roster, student-generated, wellbeing, help inbox) | 24 months, unless earlier deletion is requested or longer is required by law |

| Aggregate, de-identified statistics | May be retained indefinitely |

**Related:** [Privacy Policy](/legal/privacy-policy) · [Terms of Service](/legal/terms-of-service) · [Cookie Policy](/legal/cookie-policy)

‍

Join the waitlist
 
View the preview
 

Product

Platform
Weekly briefings
Wellbeing check-ins
Help inbox
Cohort insights
Student workspace & timetable
Branding & white-label
Writing assistant
Before & after the six weeks
Rolling & staggered intakes

Trust centre

Knowledge Base
Security
Privacy
Data residency
Compliance
Accessibility
Reliability
Legal
Subprocessors
HECVAT
Status

resources

GuidesKnowledge Base

Solutions

Why students leave
Student success & retention
Orientation & transition
Wellbeing & counselling
IT, security & procurement
First-year retention
Belonging & engagement
Early intervention
Support for Students obligation
Leading indicators

Leading Indicators

DVC & PVC Students
Director of Student Experience
Wellbeing & Counselling
IT, Procurement & Privacy
Equity & Inclusion

Company

AboutCareersPress & Media Kit

Contact Us

Join the waitlistContact usReport a bugView preview

Platform Entry

Student platformStaff console
Privacy PolicyTerms of ServiceData Processing AgreementCookie Policy
© 2026 First Six. ACN: 699938817 - All rights reserved.