Trust Centre
Terms, Privacy Policy, DPA and subprocessor list, all in one place.
Everything a procurement or legal team needs to assess First Six, in one place.
Everything a procurement or legal team needs, gathered in one place rather than scattered across email threads.
Made for procurement
The paperwork a legal or procurement team needs, gathered and ready rather than scattered across email.
01
Start with the Terms
Our Terms of Service set out the rights and responsibilities on both sides in plain language.
02
Add the DPA
A Data Processing Agreement covers processing roles, security measures, subprocessors, and breach notification.
03
Check the subprocessors
A current, dated subprocessor list shows every third party, its purpose, and its region.
04
Sign and go
We can work from our paper or, for enterprise agreements, review yours. The aim is a fast, straightforward assessment.
The legal pack
What's in the set we share with procurement and legal teams.
Terms of Service
The master agreement governing use of First Six, written to be read rather than to hide things in the footnotes.
Privacy Policy
How personal data is collected, used, and protected, published and public.
Data Processing Agreement
Covers roles, security, subprocessors, and breach notification. Current draft in counsel review; working version available under NDA.
Subprocessor list
Every subprocessor, its purpose, and its region, kept current and dated.
Questionnaire support
We complete HECVAT and your institution's own security questionnaires as part of the process.
Need our legal pack?
Request the Terms, Privacy Policy, DPA and subprocessor list.
What we never do
Support means seeing the pattern, not the person. These limits are built into the product, not just promised in a policy.
We never sell or share student data
Student data is used to run First Six for your institution — never sold, rented, or handed to advertisers or data brokers. Full stop.
We never build watchlists
Individual wellbeing answers stay private to the student. Staff see aggregate trends with small groups suppressed — never a named list of who to watch.
We never train external AI on student data
Student records are not used to train third-party models. AI features process only what staff submit, and that content is not retained for training.
We never hide where data lives
The system of record stays in Australia, and every subprocessor and region is listed openly here in the Trust Centre. No surprises.
Frequently asked questions
What security, privacy, and procurement teams ask us most.
A DPA is part of our standard legal pack. It covers processing roles, security measures, our subprocessors, and breach-notification obligations. The current draft is in counsel review; we share the working version under NDA on request.
For enterprise agreements, yes: we'll review your paper. For standard agreements we start from ours to keep assessment fast, but we're happy to discuss specifics.
It's published on our site and forms part of the legal pack. It sets out what we collect, why, and the rights students and institutions have.
Your institution is the data controller; First Six is the processor acting on your instructions. The DPA sets this out in detail.
Ask through your contact or procurement, and we'll share the Terms, Privacy Policy, DPA, and subprocessor list, under NDA where needed.
See it for your next cohort.
Currently meeting with universities.