Five9 Data Processing Addendum for ISV Partners

Last Updated December 5, 2023

This Global Data Processing Addendum, including its Annexes (this “Addendum”), forms the Parties’ agreement with regard to the processing of Personal Information under the ISV Program Agreement between partner (“Partner”) and Five9, Inc., having offices at 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA (“Five9”), with respect to Five9’s services (the “Services”) made available to mutual customers of Partner and Five9 (the “Partner Agreement”), which is incorporated by reference. This Addendum may refer to Partner and Five9 each as a “Party” and collectively as the “Parties.”

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Partner Agreement. This Addendum is effective as of the effective date of the Partner Agreement.

1. DEFINITIONS

1.1 “Personal Information” means “personal information” and “personal data” as defined in the Privacy Laws, that is provided by Five9 to Partner pursuant to the Partner Agreement.

1.2 “Independent Controllers” means two or more controllers that independently determine the purposes and means of processing Personal Information. “Independent Controller” shall be construed accordingly.

1.3 “Independent Processing” means the processing of Personal Information pursuant to the Independent Controllers relationship.

1.4 “Privacy Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) or the United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”).

1.5 “2021 Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).

1.6 “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.

1.7 The terms “controller,” “data subject,” “personal data,” “process” or “processing,” “sensitive personal data,” “sub-processor,” and “supervisory authority” shall have the meanings given to those terms in the Privacy Laws. 

2. ROLES OF THE PARTIES

The Parties acknowledge and agree that each is an Independent Controller in accordance with the Privacy Laws for any Independent Processing. The Parties acknowledge and agree that the details of the processing are provided in Annex 1 attached hereto.

3. PARTIES’ RESPONSIBILITIES

3.1 Partner and Five9 will each (a) individually determine the purposes and means of its processing of Personal Information; (b) will comply with the obligations applicable to it under the Privacy Laws with respect to the processing of Personal Information, including by (i) providing transparency to data subjects about transfer and processing, (ii) having a lawful basis for such transfer or processing, and (iii) responding in accordance with the Privacy Laws to any assertion of data subject rights made against it; (c) process Personal Information for the purpose(s) for which it was transferred, and as permitted under the Privacy Laws; (d) ensure that persons authorized to process Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (e) enter into appropriate terms with any third party that such Party appoints to process Personal Information in accordance with the Privacy Laws; and (f) implement technical and organizational security measures to protect Personal Information in accordance with the Privacy Laws, as described in Annex 2 hereto.

3.2 Partner will promptly give written notice to and fully cooperate with Five9 regarding (a) any breach of security or unauthorized access to the Personal Information that Partner detects or becomes aware of, and (b) any request from a data subject regarding Personal Information. Partner agrees and acknowledges that if Five9 receives a request from a government or regulatory agency, Five9 may share the terms of this Addendum, the Partner Agreement, and other information Partner provides to demonstrate compliance with this Addendum or the Privacy Laws.

4. CROSS-BORDER DATA TRANSFERS

4.1 Transfer Mechanism. With regard to any transfers of Personal Information to countries that do not provide adequate protection for such data (as determined by the Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer.   

4.2 Transfers from the UK. For transfers of Personal Information from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under the Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:

a. Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with details provided in Annex 1.

b. Table 2 (Selected SCCs, Modules, and Selected Clauses):

       (i) The Addendum EU SCCs shall be the Approved EU SCCs.  
       (ii) Module One (transfer controller to controller) will apply.  
       (ii) In Clause 7, the Parties do not permit docking.  
       (v) In Clause 11, the Parties do not select the independent dispute resolution option.

c. Table 3 (Appendix Information): The list of parties and the description of the transfers are provided in Annex 1. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Annex 2.

d. Table 4 (Ending this Addendum when the Approved Addendum Changes): The Parties agree that Importer or Exporter may end the Addendum as set out in Section 19 of the UK Addendum.

e. Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.

4.3 Transfers from the EEA. For all other transfers of Personal Information, including transfers of Personal Information from the European Economic Area, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under the Privacy Laws. The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses: 

a. Identity of the Parties:  The data exporter is Five9, and the data importer is Partner. Module one (transfer controller to controller) is the sole module applicable to transfers involving Personal Information. 

b. Conflicts:  In the event of any conflict or inconsistency between this Addendum and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.

c. Appendices:  Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in the Annexes attached hereto.

d. Transfer Impact Assessments:  Upon Five9’s reasonable request, Partner will make available to Five9 its documented assessment of its processing of Personal Information hereunder for the purpose of Clause 14.

e. Specific Provisions:  The following specific provisions apply to the 2021 Standard Contractual Clauses:

       (i) In Clause 7, the Parties do not permit docking.  
       (ii) In Clause 11, the Parties do not select the independent dispute resolution option.  
       (iii) In Clause 17 (Option 1), the Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
       (iv) In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland.

5. MISCELLANEOUS

5.1 Severability. If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.

5.2 Survival. All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.

5.3 General. Except as expressly set forth herein, the terms of the Partner Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Partner Agreement and the terms of this Addendum, the terms of this Addendum shall control.
 

ANNEX 1: DESCRIPTION OF DATA PROCESSING/TRANSFER

A. LIST OF PARTIES

Role of Five9: As set forth in Section 2 of the Addendum. To the extent of any cross-border data transfers under the Partner Agreement, Five9 is the data exporter.

Address: 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA

Name and Contact Details: privacy@five9.com

Signature and Date: Effective date is: (i) the Effective Date of the Addendum; or (ii) should the Addendum be included in the Partner Agreement, the effective date of the Partner Agreement.

Activities relevant to the data processed/transferred: As set forth in this Annex.

 

Role of Partner: As set forth in Section 2 of the Addendum. To the extent of any cross-border data transfers under the Partner Agreement, Partner is the data importer.

Address: As set forth in the Partner Agreement.

Contact Details: As set forth in the Partner Agreement.

Signature and Date: Effective date is: (i) the Effective Date of the Addendum; or (ii) should the Addendum be included in the Partner Agreement, the effective date of the Partner Agreement.

Activities relevant to the data processed/transferred: As set forth in this Annex.

B.  DESCRIPTION OF PROCESSING/CROSS-BORDER TRANSFER (IF APPLICABLE)

Categories of data subjects whose personal information is processed/transferred: Current, past, and future customers and employees of Five9. Any other data subject whose data is processed as part of the Services being: (a) someone who is a party to a communication; or (b) someone whose personal data is included in content hosted or transferred on behalf of Five9.

Categories of personal data processed/transferred: Contact information (incl. [name], [e-mail address], [work extension number] and [log-in details]) of employees of the data exporter; personal data contained in any content that is hosted or managed on behalf of the data exporter (e.g., voice recordings, data exporter's customer database); and as set out in the Partner Agreement, and the Addendum, as evidenced in the communications between the Parties.

Types of sensitive (or special) categories of personal data that will be processed/transferred and applicable restrictions or safeguards: Special categories of personal data that may be incidentally contained in telephone call recordings or transcripts.

Frequency of the transfer: Continuous

Nature of the processing: Such processing as described in the Partner Agreement, the Addendum, and to enable Five9 to comply with its obligations and exercise its rights under the Partner Agreements, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities.

Purpose of the processing/data transfer and further processing: In connection with the provision of the Services as set forth in the Partner Agreement.

Time period personal data will be retained: In accordance with https://www.five9.com/legal/dataretention, as required for compliance with law.

Sub-processor transfers: N/A

C.  COMPETENT SUPERVISORY AUTHORITY.  EEA data subjects: Republic of Ireland. UK data subjects: United Kingdom.   

 

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. Access control to premises and facilities. Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include access control system; ID reader, chip card; issue of keys; door locking (electric door openers, etc.); video/CCTV monitor; logging of facility exits/entries.

2. Access controls to systems. Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication: anti-virus protection; stateful inspection firewalls; internal and external vulnerability scans; intrusion detection and prevention systems; least-privilege access to IT systems based on job role and segregation of duties; password procedures (incl. special characters, minimum length, periodic changes); no access for guest users or anonymous accounts; two-factor authentication for privileged IT administrators who access production.

3. Access controls to data. Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include: least-privilege access rights based on job role and segregation of duties; management approval required for new or modified access prior to provisioning or change; terminated user access disabled within 72 hours of notification from human resources; monthly logical and physical access review for workforce members with access to production; quarterly administrator access revalidated by management; physical access to the data centres restricted to appropriate individuals; two-factor authentication for privileged IT administrators who access production.

4. Disclosure controls. Measures must be taken to prevent the unauthorized access, alteration, or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include: encryption using a VPN for remote access; secure File Transfer Protocol (SFTP) for transport and communication of data; prohibition of portable media; media sanitization and destruction procedures.

5. Change management controls. Measures must be put in place to ensure all changes to production systems are logged, tested, and approved. Measures must include change request and approval required prior to implementation into production; critical application changes tested and approved prior to implementation into production; access to migrate changes into production restricted to appropriate individuals; critical changes reviewed on a monthly basis to confirm appropriateness and authorization.

6. Data processing controls. Measures must be put in place to ensure that data is processed strictly in compliance with the Data Exporter's instructions. These measures must include unambiguous wording of contractual instructions; monitoring of contract performance; monitoring of service level agreements.

7. Availability controls. Measures must be put in place to ensure that data are protected against accidental destruction or loss. These measures must include data backup procedures; uninterruptible power supply (UPS); business continuity procedures; 24x7 Network Operations Centre (NOC) monitoring; critical jobs monitored for successful completion and error resolution; problem and incident management and response procedures; security incident management and response procedures; root cause analysis required for problems and incidents affecting production.

8. Segregation controls. Measures must be put in place to allow data collected for different purposes to be processed separately. These must include restriction of access to data according to job role and segregation of duties; segregation of business IT systems; segregation of IT testing and production environment