Five9 Privacy Addendum
This Addendum (“Addendum”) to the Five9 Master Agreement (“Agreement”) between Five9 and Customer (each as defined in the Agreement) applies to Customer’s use of the Services under the Agreement.
Five9 has implemented and will maintain appropriate administrative, technical and physical safeguards to protect the Services and Customer Data as set forth in this Addendum (including the security and technical measures set forth in Attachment A). Five9 may update its privacy and security measures from time to time, but will not materially diminish the administrative, technical and physical safeguards set forth herein.
Five9 has designed and implemented administrative, physical, and technical safeguards in accordance with a number of data protection laws, regulations and standards including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and the Data Protection Act 2018 (collectively, “Data Protection Legislation”).
Administrative safeguards include an information security management process aligned with ISO 27001/27002, full-time security personnel, processes for information access management, workforce training and awareness, and ongoing evaluation of the control environment. Physical safeguards include facility access controls and workstation/device security measures. Technical safeguards include controls for role-based access, audit logs, data integrity and data transmission security.
Each party shall comply with its obligations under applicable Data Protection Legislation and pursuant to the Standard Contractual Clauses in respect of any personal data processed or collected under the Agreement. To the extent Customer Data is processed by Five9 on Customer’s behalf and is subject to Data Protection Legislation that requires a Data Processing Amendment (“DPA”), Customer and Five9 will enter into a DPA.
- Processing Authorization. Customer authorizes and instructs Five9 to process its Customer Data for the purpose of providing the services and as set forth in the Agreement (e.g., complying with Data Protection Legislation, or court or regulatory order). Five9 will not “sell” Customer Data without Customer’s explicit written consent.
- Data Transfer. Customer authorizes the transfer of the personal data to Five9 and sub-processors at their global locations where such transfer is required under, or in connection with, the provision of the services, and/or is necessary in the normal course of business. Five9 shall ensure that any sub-processors are contractually bound to respect the confidentiality of Customer's personal data or are under a statutory obligation of confidentiality.
- Sub-processors. Customer authorizes Five9 to appoint and use telecommunications carriers and other sub-processors to process the personal data where doing so is necessary for the provision of the services subject to Five9 putting in place a written contract with each sub-processor that imposes obligations that are: (a) relevant to the services to be provided by the relevant sub-processors; and (b) materially equivalent to the obligations imposed on Five9 under this Amendment and the Agreement in respect of the personal data to be processed.
- Notice and Authentication. Five9 shall provide the Customer with the current listing of sub-processors by posting the Subprocessor Listing on Five9’s System Status site located at https://community.five9.com/s/subprocessor-list. This site requires authentication. The Customer may object to the addition or replacement of a sub-processor only on reasonable and substantive grounds and within 14 days of being notified of the addition or replacement. If the Customer objects in accordance with this paragraph to the appointment of a sub-processor, and it is not practicable or cost effective for Five9 to provide the services without the use of such sub-processor(s), the Customer shall have the right to terminate the Agreement.
- Data Requests. To the extent the Customer does not itself hold or otherwise have access to the personal data, but Five9 is able to reasonably access such personal data, Five9 shall use reasonable efforts to assist the Customer to: (a) fulfill the Customer’s obligation to respond to requests from data subjects to exercise their rights under Data Protection Legislation (including without limitation, their right of access, correction, rectification and restriction); and (b) respond to any other requests and/or notifications from third parties (including without limitation from regulatory or supervisory authorities).
- Notifications. Unless prohibited by applicable law, Five9 shall, as soon as reasonably practicable, forward to the Customer all requests and/or notifications received from any person in respect of the personal data and shall follow the Customer’s reasonable and lawful instructions in respect of the handling of such requests and/or notifications. Five9 shall not respond to any request or notification unless instructed to do so in writing by the Customer or otherwise required to do so by applicable law. Five9 reserves the right to charge the Customer for any reasonable costs and expenses incurred by Five9 in providing assistance under this paragraph if such costs and expenses exceed a nominal amount.
- Data Breach. Five9 shall notify the Customer without undue delay after becoming aware of the personal data breach. Five9 shall reasonably cooperate and assist the Customer with any investigation into, and/or remediation of, a personal data breach. Except where a personal data breach is caused by Five9’s failure to comply with its obligations under this Amendment, the Customer shall pay all reasonable costs and expenses (including without limitation any charges for the time engaged by external counsel and professional advisers) incurred by Five9 in complying with this paragraph.
- Data Retention. To maximize system performance, Five9 reserves the right, and the Customer agrees, that Five9 may periodically purge Customer Data from Five9 servers. Data retention policies are set forth at https://www.five9.com/dataretention (as may be amended by Five9 from time to time).
- Authorized Use. Customer acknowledges and agrees that, in its use of the Services, it shall use the features provided by Five9 and as required to comply with all applicable Data Protection Legislation. In accordance with the foregoing, Customer shall be responsible for: (a) all authorized and unauthorized access, activities, and charges associated with Customer’s, its Affiliates’ and Clients’ account and/or password(s) with Five9 to the extent that such access, activities and charges are attributable to Customer’s subscription to the Services; and (b) obtaining and maintaining the Internet connectivity necessary to utilize the Services.
- Consent. Customer shall ensure that it has provided notice and obtained all necessary consents under Data Protection Legislation for Five9 to lawfully process Customer Data under the Agreement, and agrees to provide full cooperation and assistance to Five9 in ensuring that the rights under Data Protection Legislation of the individuals whose Customer Personal Data are input into the Services are appropriately addressed.
- Prohibited Use. For the duration of the term of the Agreement, Customer, its Affiliates and agents agree that they will not: (a) use Five9’s Virtual Contact Center (“VCC”) for any purpose except for call center purposes; (b) store or process any personal information or sensitive information pursuant to Data Protection Legislation other than telephone numbers in Five9’s VCC database; or (c) use the VCC to store or process designated record sets or serve as a database of record.
- Security. Customer, its Affiliates and agents agree that they will at all times configure VCC technical security measures, which include password requirements, in a manner consistent with industry best practices; administer authentication and authorization based on industry best practice and principles including least privilege and individual accountability for all users; and use only secure protocols as offered by Five9, including encryption of data in transit (e.g. SRTP, VPN, and SFTP) and encryption of call recordings at rest (e.g. Encrypted Storage).
Customers who order the security features required to comply with the PCI DSS standard, including encryption of voice in transit (SRTP or VPN) and encryption of call recordings at rest (encrypted storage), are provided a PCI compliant environment for their contact center services.
Attachment A: Security Measures
- Access controls to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include: access control system; ID reader, chip card; issue of keys; door locking (electric door openers, etc.); video/CCTV monitor; logging of facility exits/entries.
- Access controls to systems
Measures must be taken to prevent unauthorized access to IT systems. Measures must include the following technical and organizational measures for user identification and authentication: anti-virus protection; stateful inspection firewalls; internal and external vulnerability scans; intrusion detection and prevention systems; least-privilege access to IT systems based on job role and segregation of duties; password procedures (incl. special characters, minimum length, periodic changes); no access for guest users or anonymous accounts; two-factor authentication for privileged IT administrators who access production.
- Access controls to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights. Measures shall include: least-privilege access rights based on job role and segregation of duties; management approval required for new or modified access prior to provisioning or change; terminated user access disabled within 72 hours of notification from human resources; monthly logical and physical access review for workforce members with access to production; quarterly administrator access revalidated by management; physical access to the data centres restricted to appropriate individuals; two-factor authentication for privileged IT administrators who access production.
- Disclosure controls
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer and to ensure that all transfers are secure and are logged. Measures shall include: encryption using a VPN for remote access; secure File Transfer Protocol (SFTP) for transport and communication of data; prohibition of portable media; media sanitization and destruction procedures.
- Change management controls
Measures must be put in place to ensure all changes to production systems are logged, tested and approved. Measures must include: change request and approval required prior to implementation into production; critical application changes tested and approved prior to implementation into production; access to migrate changes into production restricted to appropriate individuals; critical changes reviewed on a monthly basis to confirm appropriateness and authorization.
- Data processing controls
Measures must be put in place to ensure that data is processed strictly in compliance with the Data Exporter's instructions. Measures must include: unambiguous wording of contractual instructions; monitoring of contract performance; monitoring of service level agreements.
- Availability controls
Measures must be put in place to ensure that data are protected against accidental destruction or loss. Measures must include: data backup procedures; uninterruptible power supply (UPS); business continuity procedures; 24x7 Network Operations Centre (NOC) monitoring; critical jobs monitored for successful completion and error resolution; problem and incident management and response procedures; security incident management and response procedures; root cause analysis required for problems and incidents affecting production.
- Segregation controls
Measures must be put in place to allow data collected for different purposes to be processed separately. Measures must include: restriction of access to data according to job role and segregation of duties; segregation of business IT systems; segregation of IT testing and production environments.