Annex 2 - Current Sub-Processors

Last updated: 2025-05-16

The entities listed below (each a “Sub-processor”) are authorised to process Personal Information on behalf of SAAS First Limited solely for the purposes and in the geographic locations shown.  Where a Sub-processor is headquartered outside New Zealand / EU / UK, SAAS First ensures “comparable safeguards” under NZ IPP 12 and (where applicable) executes the 2021 EU Standard Contractual Clauses (SCCs) plus the UK Addendum.

Legend – Module-Specific = Service only transmits Customer (or End-User) data if the relevant Module / integration is enabled in the workspace.

#

Sub-processor (Legal Entity)

Primary Processing Location(s)

Purpose / Functionality

Typical Data Categories Processed

Transfer Safeguard

HOSTING / INFRASTRUCTURE

         

1

Amazon Web Services, Inc.

Australia (Sydney) & EU (Frankfurt)

Primary application hosting, databases, file storage, encrypted backups

All data uploaded to/ generated in the Service

NZ IPP 12 Comparable Safeguards + SCCs

2

Cloudflare, Inc.

USA / Global edge network

CDN, TLS termination, DDoS & WAF security

IP addresses, request headers, limited log data

SCCs

SECURITY / E-MAIL DELIVERY

         

4

GBD Software as a Service Ltd

Hungary (EU)

Bulk e-mail address validation (“hard-bounce” cleaning) – Module-Specific

E-mail address only

EU Adequacy

PAYMENTS & ACCOUNTING

         

5

Stripe Payments Europe, Ltd. & Stripe, Inc.

EU / USA

Card processing, recurring billing, invoice PDFs

Name, e-mail, billing address, last-4 card digits, tax/GST data

SCCs (when EU data routed to USA)

6

Xero Ltd.

New Zealand / USA

Accounting ledger & financial reporting

Invoice line items, payer details, tax IDs

NZ jurisdiction

7

GBD Software as a Service Ltd

Hungary (EU)

Finance & dev-ops support (restricted admin access)

Same as above where support work required

EU Adequacy

PRODUCT ANALYTICS & SESSION REPLAY

         

8

Google LLC – Google Analytics

USA

Product & website analytics*

IP (truncated), device info, page views, events

SCCs (+ IP Anonymisation)

9

Hotjar Ltd.

EU (Ireland)

Session replay & heat-maps – Module-Specific

Cursor movements, page events, truncated IP, optional survey text

EU Adequacy

VISITOR / LEAD ENRICHMENT & TRACKING*

         

10

Apollo.io (Apollo Graph Inc.)

USA

Lead enrichment & visitor identification – Marketing Module

Business e-mail, company meta-data, LinkedIn URL

SCCs

COMMUNICATION / MESSAGING INTEGRATIONS*

         

12

Twilio Inc.

USA / Ireland

WhatsApp, SMS & voice channel connector

Message content, sender/recipient details

SCCs

13

Meta Platforms Ireland Ltd.

Ireland / USA

Facebook Page & WhatsApp Business APIs; Meta Pixel

Message content, profile ID, events

SCCs

14

Telegram FZ-LLC

UAE

Telegram Bot API connector

Message content, usernames

Contractual Clauses

15

Clockify LLC

USA

Optional time-tracking integration (API key stored per user)

User ID, project/time entries

SCCs

SCHEDULING & FORMS (OPTIONAL)

         

16

Calendly LLC

USA

Meeting scheduling widget

Name, e-mail, meeting metadata

SCCs

17

Typeform S.L.

Spain (EU)

Web forms / surveys

Form answers inc. contact fields

EU Adequacy

AI / MACHINE-LEARNING PROVIDERS*

         

18

OpenAI, L.L.C.

USA

Generative AI inference for chatbot & query builder (stateless)

KB excerpts, up-to-10 latest chat messages

SCCs

19

Anthropic PBC

USA

Same as above (configurable LLM)

Same as #18

SCCs

20

Google LLC – Gemini API

USA

Same as above (configurable LLM)

Same as #18

SCCs

SALES & MARKETING OUTSOURCERS *

         

21

El-Mina Services Ltd. (“OneAWay”)

Canada

B2B cold-outreach & list research

Prospect contact details, CRM status

Canada Adequacy

22

LépéselÅ‘ny Kft.

Hungary (EU)

Call-centre appointment setting

Contact name, phone, qualification notes

EU Adequacy

23

Instantly Inc.

USA

Bulk cold-e-mail sending platform

Prospect e-mail, campaign metrics

SCCs

ADVERTISING / RETARGETING*

         

24

LinkedIn Ireland Unlimited Co.

Ireland / USA

Matched-audience uploads, ad analytics

Hash-e-mail, company ID, engagement events

SCCs

25

Microsoft Corp. – Bing Ads

USA

Ad conversion tracking

Cookie IDs, UTM refs

SCCs

26

Google LLC – Google Ads & YouTube / Wistia Inc.

USA

Ad & video engagement stats

Cookie IDs, analytics events

SCCs

INTERNAL COLLABORATION / SUPPORT

         

27

Slack Technologies LLC

USA

Internal team messaging / alerting

User display name, conversation excerpts

SCCs

28

Google Workspace (Drive, Gmail)

USA / EU

E-mail, file storage, customer-support files

Support tickets, attachments

SCCs

 

Module-Specific: SAAS First transmits Customer / End-User data to these Sub-processors only if the Customer activates the relevant Module or integration (e.g., Marketing pixels, optional AI, visitor-tracking, messaging channels).  Customers may enable/disable such integrations at any time inside workspace settings.

NOTES & CHANGE MANAGEMENT 

  • This Annex 4 is current as of the “Last Updated” date of the DPA.
    • We will notify the Customer ≥ 30 days before engaging any new Sub-processor or making a material change, in accordance with DPA clause 4.3(b).
    • A detailed description of each provider’s role, data-protection certifications and encryption practices is available on request.