Last updated: 2025-05-16
The entities listed below (each a “Sub-processor”) are authorised to process Personal Information on behalf of SAAS First Limited solely for the purposes and in the geographic locations shown. Where a Sub-processor is headquartered outside New Zealand / EU / UK, SAAS First ensures “comparable safeguards” under NZ IPP 12 and (where applicable) executes the 2021 EU Standard Contractual Clauses (SCCs) plus the UK Addendum.
Legend – Module-Specific = Service only transmits Customer (or End-User) data if the relevant Module / integration is enabled in the workspace.
|
# |
Sub-processor (Legal Entity) |
Primary Processing Location(s) |
Purpose / Functionality |
Typical Data Categories Processed |
Transfer Safeguard |
|---|---|---|---|---|---|
|
HOSTING / INFRASTRUCTURE |
|||||
|
1 |
Amazon Web Services, Inc. |
Australia (Sydney) & EU (Frankfurt) |
Primary application hosting, databases, file storage, encrypted backups |
All data uploaded to/ generated in the Service |
NZ IPP 12 Comparable Safeguards + SCCs |
|
2 |
Cloudflare, Inc. |
USA / Global edge network |
CDN, TLS termination, DDoS & WAF security |
IP addresses, request headers, limited log data |
SCCs |
|
SECURITY / E-MAIL DELIVERY |
|||||
|
4 |
GBD Software as a Service Ltd |
Hungary (EU) |
Bulk e-mail address validation (“hard-bounce” cleaning) – Module-Specific |
E-mail address only |
EU Adequacy |
|
PAYMENTS & ACCOUNTING |
|||||
|
5 |
Stripe Payments Europe, Ltd. & Stripe, Inc. |
EU / USA |
Card processing, recurring billing, invoice PDFs |
Name, e-mail, billing address, last-4 card digits, tax/GST data |
SCCs (when EU data routed to USA) |
|
6 |
Xero Ltd. |
New Zealand / USA |
Accounting ledger & financial reporting |
Invoice line items, payer details, tax IDs |
NZ jurisdiction |
|
7 |
GBD Software as a Service Ltd |
Hungary (EU) |
Finance & dev-ops support (restricted admin access) |
Same as above where support work required |
EU Adequacy |
|
PRODUCT ANALYTICS & SESSION REPLAY |
|||||
|
8 |
Google LLC – Google Analytics |
USA |
Product & website analytics* |
IP (truncated), device info, page views, events |
SCCs (+ IP Anonymisation) |
|
9 |
Hotjar Ltd. |
EU (Ireland) |
Session replay & heat-maps – Module-Specific |
Cursor movements, page events, truncated IP, optional survey text |
EU Adequacy |
|
VISITOR / LEAD ENRICHMENT & TRACKING* |
|||||
|
10 |
Apollo.io (Apollo Graph Inc.) |
USA |
Lead enrichment & visitor identification – Marketing Module |
Business e-mail, company meta-data, LinkedIn URL |
SCCs |
|
COMMUNICATION / MESSAGING INTEGRATIONS* |
|||||
|
12 |
Twilio Inc. |
USA / Ireland |
WhatsApp, SMS & voice channel connector |
Message content, sender/recipient details |
SCCs |
|
13 |
Meta Platforms Ireland Ltd. |
Ireland / USA |
Facebook Page & WhatsApp Business APIs; Meta Pixel |
Message content, profile ID, events |
SCCs |
|
14 |
Telegram FZ-LLC |
UAE |
Telegram Bot API connector |
Message content, usernames |
Contractual Clauses |
|
15 |
Clockify LLC |
USA |
Optional time-tracking integration (API key stored per user) |
User ID, project/time entries |
SCCs |
|
SCHEDULING & FORMS (OPTIONAL) |
|||||
|
16 |
Calendly LLC |
USA |
Meeting scheduling widget |
Name, e-mail, meeting metadata |
SCCs |
|
17 |
Typeform S.L. |
Spain (EU) |
Web forms / surveys |
Form answers inc. contact fields |
EU Adequacy |
|
AI / MACHINE-LEARNING PROVIDERS* |
|||||
|
18 |
OpenAI, L.L.C. |
USA |
Generative AI inference for chatbot & query builder (stateless) |
KB excerpts, up-to-10 latest chat messages |
SCCs |
|
19 |
Anthropic PBC |
USA |
Same as above (configurable LLM) |
Same as #18 |
SCCs |
|
20 |
Google LLC – Gemini API |
USA |
Same as above (configurable LLM) |
Same as #18 |
SCCs |
|
SALES & MARKETING OUTSOURCERS * |
|||||
|
21 |
El-Mina Services Ltd. (“OneAWay”) |
Canada |
B2B cold-outreach & list research |
Prospect contact details, CRM status |
Canada Adequacy |
|
22 |
LépéselÅ‘ny Kft. |
Hungary (EU) |
Call-centre appointment setting |
Contact name, phone, qualification notes |
EU Adequacy |
|
23 |
Instantly Inc. |
USA |
Bulk cold-e-mail sending platform |
Prospect e-mail, campaign metrics |
SCCs |
|
ADVERTISING / RETARGETING* |
|||||
|
24 |
LinkedIn Ireland Unlimited Co. |
Ireland / USA |
Matched-audience uploads, ad analytics |
Hash-e-mail, company ID, engagement events |
SCCs |
|
25 |
Microsoft Corp. – Bing Ads |
USA |
Ad conversion tracking |
Cookie IDs, UTM refs |
SCCs |
|
26 |
Google LLC – Google Ads & YouTube / Wistia Inc. |
USA |
Ad & video engagement stats |
Cookie IDs, analytics events |
SCCs |
|
INTERNAL COLLABORATION / SUPPORT |
|||||
|
27 |
Slack Technologies LLC |
USA |
Internal team messaging / alerting |
User display name, conversation excerpts |
SCCs |
|
28 |
Google Workspace (Drive, Gmail) |
USA / EU |
E-mail, file storage, customer-support files |
Support tickets, attachments |
SCCs |
Module-Specific: SAAS First transmits Customer / End-User data to these Sub-processors only if the Customer activates the relevant Module or integration (e.g., Marketing pixels, optional AI, visitor-tracking, messaging channels). Customers may enable/disable such integrations at any time inside workspace settings.