
Five9 Reseller Data Processing Addendum

Last updated Nov 3, 2023

This Reseller Data Processing Addendum, including its Annexes (this “Addendum”) forms the Parties’ agreement with regard to the processing of Personal Information under the Reseller Agreement (the “Agreement”) between reseller (“Reseller”) and Five9, Inc., having offices at 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA (“Five9”), for the purchase of Services from Five9 and resale of such Services to customers of Reseller (each, a “Customer”). This Addendum may refer to Reseller and Five9 each as a “Party” and collectively as the “Parties.”

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement, which is incorporated by reference. This Addendum is effective as of the date that the Agreement is executed.

1. DEFINITIONS

1.1 “Personal Information” means “personal information” and “personal data” as defined in the Privacy Laws, that is provided by Reseller via the Services and processed by Five9.

1.2 “Privacy Laws” means all applicable statutes and regulations pertaining to privacy and information security, including but not limited to: EU General Data Protection Regulation 2016/679 (“GDPR”); United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (amendments, etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2020 (“UK GDPR”); the Data Protection Act 2018; Personal Information Protection and Electronic Documents Act (“PIPEDA”); Personal Information Protection Act (Alberta) (“PIPA Alberta”); Personal Information Protection Act (British Columbia) (“PIPA BC”); Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Privacy Act”); guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; European Directive 2002/58/EC, as amended by Directive 2009/136/EC (“ePrivacy Directive”) (as the same may be superseded by the Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”)); Swiss Federal Act on Data Protection of 19 June 1992, as amended from time to time, and any successor legislation; and any other applicable laws or regulations regarding privacy and information security that are in effect or come into effect during the term of the Agreement. Privacy Laws includes US Privacy Laws.

1.3 “US Privacy Laws” means all applicable United States state or federal statutes and regulations pertaining to privacy and information security, including but not limited to: the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (the “CCPA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (the “VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (the “CPA”); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (the “UCPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. Gen. Stat. 42-515 et seq. (the “PDPOM”); the Indiana Consumer Data Protection Act, S.B. 5 (the “INCDPA”); Iowa Consumer Data Protection Act, S.J. 708, (the “ICDPA”); the Montana Consumer Data Privacy Act, S.B. 384 (the “MCDPA”); the Tennessee Information Protection Act, H.B. 1181 (the “TIPA”); or any US regulations or guidance issued pursuant thereto, and any other applicable US laws or regulations regarding privacy and information security that are in effect or come into effect during the term of the Agreement.

1.4 “2021 Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses); provided that, to the extent of a conflict between the 2021 Standard Contractual Clauses and Agreement, the 2021 Standard Contractual Clauses prevail.

1.5 “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.

1.6 “Third Countries” means countries that are not recognized by the Privacy Laws as countries providing adequate protection of Personal Information.

1.7 The terms “business,” “collected,” “consent,” “controller,” “data subject,” “process” or “processing,” “processor,” “service provider,” “supervisory authority,” shall have the meanings given to those terms in the applicable Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect upon the execution of this Addendum.  In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.

2. ROLES OF THE PARTIES

For the purposes of the Agreement and this Addendum, Reseller processes Personal Information as either the “business” or “controller,” or “service provider” or “processor,” as applicable, and Five9 processes Personal Information on behalf of Reseller as the “service provider” or “processor.”

3. RESELLER INSTRUCTIONS

Reseller instructs Five9 to process, and Five9 shall process, Personal Information in accordance with the Agreement, any Addendum thereto, any applicable Statement of Work or Service Order, and in compliance with other documented reasonable written instructions provided by authorized personnel of Reseller, where such instructions are consistent with the terms of the Agreement. Five9 receives no monetary or other valuable consideration in exchange for Personal Information.

4. PARTIES’ RESPONSIBILITIES

4.1 Each Party is responsible (i) for its own compliance with the Privacy Laws, where applicable; and (ii) with respect to the processing of Personal Information hereunder, for ensuring its employees, agents, and subprocessors understand and shall comply with the Privacy Laws and applicable terms of this Addendum. Each Party agrees that it will notify the other Party upon determining that it is unable to process Personal Information in compliance with the Privacy Laws.

4.2 Reseller shall ensure any processing of Personal Information is in accordance with the requirements of the applicable Privacy Laws.  Reseller has the sole responsibility for the accuracy, quality, and legality of Personal Information and means by which Reseller acquired Personal Information; Reseller represents and warrants that it has provided and/or obtained, to the extent required by applicable Privacy Laws, all necessary notices, opt-out rights and/or consent to Personal Information being used and shared for the purposes described herein.  Reseller shall, in writing, direct any data subject requests to Five9, and (i) verify the identity of the data subject as required by applicable Privacy Laws; (ii) assist in locating Personal Information shared with Five9; and (iii) cooperate in good faith with Five9 to determine whether a request should be complied with or whether any exceptions for compliance with the request apply. Five9 reserves all rights and asserts all exceptions and exemptions to which it is entitled under applicable Privacy Laws (such as preserving Personal Information in order to protect against malicious, deceptive, fraudulent or illegal activity; or to comply with a legal obligation, etc.).

4.3 Five9 will (i) implement and maintain the reasonable technical and organizational security measures to safeguard Personal Information as described in Annex 2 (Technical and Organizational Measures Including Technical and Organizational Measures to Secure Data); (ii) provide the level of privacy protection required by applicable Privacy Laws; and (iii) shall provide Reseller with reasonable assistance to enable Reseller to fulfill its own obligations under applicable Privacy Laws.

4.4 Five9, its employees, agents, and sub-processors are subject to a duty of confidentiality with respect to Personal Information.  Five9 will not “sell” or “share” (as each are defined under the applicable US Privacy Laws) Personal Information, or retain, use, or disclose Personal Information outside of Reseller’s instructions set forth in Section 3 above.

4.5 Reseller understands and agrees that (i) it may store its reseller’ telephone numbers in the Five9 Virtual Contact Center (“VCC”); (ii) storage of Protected Health Information (PHI) in the VCC database (e.g., contact records or agent notes) is strictly prohibited unless Reseller orders Five9 encryption Services under an applicable Service Order; and (iii) storage of Payment Card Data in text format (e.g., Payment Card Data within contact records, agent notes, email, chat, SMS transcripts, etc.) is strictly prohibited. Notwithstanding anything to the contrary, Reseller may not store designated record sets (as defined by the Health Insurance Portability and Accountability Act) in the VCC.

4.6 Reseller, its affiliates, and agents agree that they will at all times (i) configure VCC technical security measures that include password requirements in a manner consistent with relevant industry standards, (ii) administer authentication and authorization based on relevant industry standards including least privilege and individual accountability for all users, and (iii) use only secure protocols as offered by Five9 including encryption of data in transit (e.g., sRTP, VPN, and sFTP) and encryption of call recordings at rest (e.g., Encrypted Storage).

5. SUB-PROCESSORS

5.1 Appointment.  Reseller acknowledges and agrees that Five9 may engage third-party sub-processors in connection with the provision of the Services. Five9 will enter into a written agreement with each sub-processor containing, in substance, data protection obligations no less protective than those in the Agreement and this Addendum with respect to the protection of Personal Information to the extent applicable to the nature of the Services provided by such sub-processor.

5.2 Notice. Five9 provides its current sub-processors on the Reseller Support page at https://login.five9.com (Reseller authentication required).  Reseller hereby consents to these sub-processors. If Reseller has notified Five9 in writing that Five9 may receive Personal Information from the European Economic Area and UK, Five9 shall provide notification of any new sub-processor(s) that will process Personal Information with the provision of the Services from the European Economic Area and UK at least thirty (30) days in advance of authorization.

5.3 Objection.  If Reseller reasonably objects to Five9’s use of a new sub-processor which would result in Five9’s breach of this Addendum in relation to the protection of Personal Information, Reseller shall promptly notify Five9 in writing no later than within thirty (30) days of receipt of Five9’s notice. If Reseller so objects to a new sub-processor, and the Parties cannot resolve the objection within a reasonable period of time which shall not exceed sixty (60) days, Reseller may terminate the applicable Service Orders with respect to those Services which cannot be provided by Five9 without the use of the objected to new sub-processor by providing written notice to Five9. Five9 will refund Reseller any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Reseller.

6. RIGHTS OF DATA SUBJECTS

Five9 shall promptly notify Reseller, to the extent legally permitted, of any request it has received from a data subject arising from data subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or its right not to be subject to an automated individual decision making, each such request being a “data subject request.”  Five9 shall not respond directly to a data subject, except if Reseller authorizes Five9 to redirect the data subject request as necessary to allow Reseller to respond directly.  Five9 will make available self-service functionality to allow Reseller to respond to the data subject requests in accordance with the Privacy Laws.  If, and to the extent Reseller in its use of such functionality is unable to address such request, and taking into account the nature of the processing, Five9 shall use commercially reasonable efforts to assist Reseller to the extent Five9 is legally permitted.

7. INCIDENT MANAGEMENT AND NOTIFICATION

Five9 shall promptly notify Reseller without undue delay, but no later than 72 hours, upon confirmation of unauthorized disclosure, use, or access to Personal Information transmitted, stored or otherwise processed by Five9 (a “Personal Data Breach”). Five9 shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Five9 deems necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within Five9’s reasonable control. In accordance with applicable Privacy Laws, Reseller has the right, upon reasonable written notice to Five9, to take reasonable and appropriate steps to stop and remediate Five9’s unauthorized use of Personal Information.

8. DATA RETENTION, USE, AND DESTRUCTION 

Five9 retains data according to Five9’s data retention practices, which are set forth at https://www.five9.com/legal/dataretention.  The Parties agree that return/deletion of Personal Information of Five9 shall be in accordance with Clauses 8.5 and 8.9, respectively, of the 2021 Standard Contractual Clauses.

9. DATA PROTECTION IMPACT ASSESSMENT

Upon Reseller’s request, Five9 shall provide Reseller with commercially reasonable cooperation needed to fulfil Reseller’s obligation under applicable Privacy Laws to carry out a data protection impact assessment related to data processed pursuant to Reseller’s use of the Services, to the extent Reseller does not otherwise have access to the relevant information, and to the extent such information is reasonably available to Five9.

10. CROSS-BORDER DATA TRANSFERS 

10.1 Transfer Mechanism.  With regard to any transfers of Personal Information from the European Economic Area or the United Kingdom to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer as set forth below.   

10.2 Transfers from the UK.  For transfers of Personal Information from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:

a. Table 1 (Parties). The contents of Table 1 (Parties) shall be completed with details provided in Annex 1.
b. Table 2 (Selected SCCs, Modules, and Selected Clauses):

     (i) The Addendum EU SCCs shall be the Approved EU SCCs.  
     (ii) Module Two (controller-to-processor) or Module Three (processor-to-processor) will apply, as applicable pursuant to section 2 of this Addendum.  
     (iii) In Clause 7, the Parties do not permit docking.  
     (iv) In Clause 9(a), the Parties select Option 2.  
     (v) In Clause 11, the Parties do not select the independent dispute resolution option.  

c. Table 3 (Appendix Information). The list of parties and the description of the transfers are provided in Annex 1.  The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Annex 2.

d. Table 4 (Ending this Addendum when the Approved Addendum Changes). The Parties agree that Importer or Exporter may end the Addendum as set out in Section 19 of the UK Addendum.

e. Conflicts. In the event of any conflict or inconsistency between this Addendum and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.

10.3 Transfers from the EEA.  For all other transfers of Personal Information, including transfers of Personal Information from the European Economic Area, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Privacy Laws.  The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses:

a. Identity of the Parties. The data exporter is Reseller, and the data importer is Five9.  Module Two (controller-to-processor) shall be applicable to transfers involving Personal Information; except where, pursuant to section 2 of this Addendum, Reseller is a processor acting on behalf of a controller and Five9 is a processor to Reseller, in which case Module Three (processor-to-processor) shall apply.

b. Additional Terms Applicable to Module Three. For the purposes of Clause 8.1(a), Reseller hereby informs Five9 that it acts as processor under the instructions of the relevant controller and that Reseller’s instructions as set out in this Addendum have been authorized by the relevant controller. Reseller shall be solely responsible for forwarding any notifications received from Five9 to the relevant controller where appropriate.

c. Conflicts. In the event of any conflict or inconsistency between this Addendum and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.

d. Appendices. Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Annexes 1 and 2 attached hereto.

e. Specific Provisions. The following specific provisions apply to the 2021 Standard Contractual Clauses:

In Clause 7, the Parties do not permit docking.

     (i) In Clause 9, the Parties select Option 2 and a time period of 30 days.  
     (ii) In Clause 11, the Parties do not select the independent dispute resolution option.  
     (iii) In Clauses 17 (Option 2) and 18(b), the Parties agree that the jurisdiction is the member state in which controller is established, or if the controller is not established in a member state, the Republic of Ireland.

11. AUDIT RIGHTS

At Reseller’s written request, Five9 shall provide third party attestations demonstrating compliance with its obligations under the Privacy Laws with respect to Personal Information. To the extent such attestations do not adequately address Five9’s compliance with such Privacy Laws, Five9 shall permit and contribute to remote audits of information reasonably necessary to demonstrate Five9’s compliance with its obligations under such Privacy Laws.  Reseller shall make reasonable efforts to minimize disruption to Five9’s business during any such audit. Such audits shall be conducted during normal business hours and shall occur no more than once per year or in the confirmed event of non-compliance, and be limited to Personal Information. Reseller shall provide Five9 written notice of any such audit at least sixty (60) days in advance with a finalized audit scope and evidence request list provided in writing no less than thirty (30) days in advance of such audit.

12. MISCELLANEOUS

12.1 Severability.  If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.

12.2 Survival.  All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.

12.3 General.  The terms and conditions of the Agreement are incorporated by reference into this Addendum with full force and effect.  Except as expressly set forth herein, the terms of the Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum shall control.  Headers are for convenience and do not affect the interpretation of the terms of this Addendum.   
 

ANNEX 1: DESCRIPTION OF DATA PROCESSING/TRANSFER

A. List of Parties

Role of Reseller: As set forth in Section 2 (Roles of the Parties) of the Addendum. For purposes of the Agreement and this Addendum, Reseller processes Personal Information as either the “business” or “controller,” or “service provider” or “processor,” as applicable. To the extent of any cross-border data transfers under the Agreement, Reseller is the data exporter.
Address: Reseller address as set forth in the Agreement.
Name and Contact Details: Reseller and Reseller’s authorized affiliates, as set forth in the Agreement. Reseller’s account contact email and business contact as communicated to Five9 in registering and maintaining Reseller’s Five9 account.
Signature and Date: Effective date is: (i) the date of the Reseller signature; or (ii) should the Addendum be included in the Agreement, the Effective Date of the Agreement.
Activities relevant to the data processed/transferred: As set forth in Section 3 (Reseller Instructions) of the Addendum.

 

Role of Five9: As set forth in Section 2 (Roles of the Parties) of the Addendum.
Address: 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA.
Contact Details: privacy@five9.com
Signature and Date: Effective date is: (i) the date of the Reseller signature; or (ii) should the Addendum be included in the Agreement, the Effective Date of the Agreement.
Activities relevant to the data processed/transferred: As set forth in Section 3 (Reseller Instructions) of the Addendum.


B. Description of Processing/Cross-Border Transfer (if applicable)

Categories of data subjects whose personal information is processed/transferred: Current, past, and future customers and employees of Reseller. Any other data subject whose data is processed as part of the Services being: (a) someone who is a party to a communication; or (b) someone whose Personal Information is included in content hosted or transferred on behalf of Reseller.
Categories of personal data processed/transferred: Contact information (incl. [name], [e-mail address], [work extension number] and [log-in details]) of employees of the Data Exporter; Personal Information contained in any content that is hosted or managed on behalf of the Data Exporter (e.g., voice recordings, Data Exporter's reseller database); and as set out in the Agreement, and the Addendum, as evidenced in the communications between the Parties.
Types of sensitive (or special) categories of personal data that will be processed/transferred and applicable restrictions or safeguards: Special categories of personal data that may be incidentally contained in telephone call recordings or transcripts.
Frequency of the transfer: Continuous
Nature of the processing: Such processing as described in the Agreement, the Addendum, and to enable Five9 to comply with its obligations and exercise its rights under the Agreement, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities.
Duration of the processing: Five9 agrees to process Personal Information solely as instructed in the Agreement and the Addendum for the duration of the provision of the Services, and the longer of such additional period as: (i) is specified in any provisions of the Agreement regarding data retention; and (ii) is required for compliance with law.
Purpose of the processing/data transfer and further processing: In connection with the provision of the Services as set forth in the Agreement, including, but not limited to, the following:

Processing: Five9 provides cloud contact centre services (including but not limited to automatic call distribution, automated voice recordings and computer integration telephony technology) to Reseller.

Remote access: Data is transferred to Five9 because as a global carrier and service provider, technical expertise of Five9 is located outside the EU.

Time period personal data will be retained: In accordance with https://www.five9.com/legal/dataretention, as required for compliance with law, and as set forth in clause 8.5 of the Standard Contractual Clauses.
Sub-processor transfers: Transfers to sub-processors will occur where necessary in connection with the provision of the Services in accordance with the Agreement and the Addendum solely for the term of the Agreement or as required for compliance with law.

C.  COMPETENT SUPERVISORY AUTHORITY.  EEA data subjects: Republic of Ireland. UK data subjects: United Kingdom.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. Access control to premises and facilities.  Five9 will take measures designed to prevent unauthorized physical access to premises and facilities holding personal data, which shall include access control system; ID reader, chip card; issue of keys; door locking (electric door openers, etc.); video/CCTV monitor; and logging of facility exits/entries.

2. Access controls to systems.  Five9 will take measures designed to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication: anti-virus protection; stateful inspection firewalls; internal and external vulnerability scans; intrusion detection and prevention systems; least-privilege access to IT systems based on job role and segregation of duties; password procedures (including alpha and numeric characters, minimum length, periodic changes); no access for guest users or anonymous accounts; and two-factor authentication for privileged IT administrators who access production.

3. Access controls to data.  Five9 will take measures designed to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include: least-privilege access rights based on job role and segregation of duties; management approval required for new or modified access prior to provisioning or change; terminated user access disabled within 72 hours of notification from human resources; quarterly logical and physical access review for workforce members with access to production; quarterly administrator access revalidated by management; physical access to the data centres restricted to appropriate individuals; and two-factor authentication for privileged IT administrators who access production.

4. Disclosure controls.  Five9 will take measures designed to prevent the unauthorized access, alteration, or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include: encryption using a VPN for remote access; secure File Transfer Protocol (SFTP) for transport and communication of data, if ordered; and media sanitization and destruction procedures.

5. Change management controls.  Five9 will take measures designed to ensure all changes to production systems are logged, tested, and approved. These must include change request and approval required prior to implementation into production; critical application changes tested and approved prior to implementation into production; access to migrate changes into production restricted to appropriate individuals; and critical changes reviewed on a monthly basis to confirm appropriateness and authorization.

6. Data processing controls.  Five9 will take measures designed to ensure that data is processed strictly in compliance with Reseller’s instructions. These must include unambiguous wording of contractual instructions; monitoring of contract performance; and monitoring of service level agreements.

7. Availability controls.  Five9 will take measures designed to ensure that data are protected against accidental destruction or loss. These must include data backup procedures; uninterruptible power supply (UPS); business continuity procedures; 24x7 Network Operations Centre (NOC) monitoring; critical jobs monitored for successful completion and error resolution; problem and incident management and response procedures; security incident management and response procedures; and root cause analysis required for problems and incidents affecting production.

8. Segregation controls.  Five9 will take measures designed to allow data collected for different purposes to be processed separately. These must include restriction of access to data according to job role and segregation of duties; segregation of business IT systems; and segregation of IT testing and production environment.