Five9 Data Processing Addendum for Vendors
This Data Processing Addendum, including its Exhibits (this “Addendum”), forms part of the agreement between Five9 and vendor (“Vendor”) for the provision of services (the “Services”) to Five9 by Vendor (the “Vendor Agreement”). This Addendum may refer to Vendor and Five9 each as a “Party” and collectively as the “Parties.”
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Vendor Agreement.
1. Commencement
1.1 This Addendum will be effective and replace any terms previously applicable to the processing of Covered Personal Information from the Addendum Effective Date (as defined below).
2. Definitions
2.1 “Covered Personal Information” means any Personal Information provided by Five9 to Vendor to be processed under the Vendor Agreement.
2.2 "Effective Date” means the date the DPA takes effect, which may be specified in an executed amendment to the Vendor Agreement or a notice provided to you.
2.3 “Personal Information” shall be interpreted consistent with the Privacy Laws and includes at a minimum “personal information” and “personal data” as defined in the Privacy Laws.
2.4 “Portable Format” means to the extent technically feasible a structured, commonly used, machine readable, readily usable format that allows the consumer to transmit the Covered Personal Information to another entity or controller without hindrance, as further specified in the Privacy Laws.
2.5 “Privacy Laws” means applicable statutes, regulations or other laws pertaining to privacy or data protection, processing of Personal Information, and/or information security, including, but not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”); United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”); Brazil Law No. 13,709/2018 (General Law for the Protection of Personal Data or “LGPD”); Personal Information Protection and Electronic Documents Act (“PIPEDA”); California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (“VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (“CPA”), the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (“UCPA”), the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq. (“PDPOM”); the Personal Information Protection Law of the People’s Republic of China (“PIPL”); and any other applicable federal or state laws or regulations regarding information privacy that are in effect or will come into effect during the term of the Vendor Agreement.
2.6 “2021 Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).
2.7 “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.
2.8 “Third Countries” means countries that are not recognized by the Privacy Laws as countries providing adequate protection of Personal Information.
2.9 The terms “business,” “business purposes,” “consumer,” “controller,” “data subject,” “personal data,” “personal information,” “process” or “processing,” “processor,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “share,” “subcontractor,” “sub-processor,” and “supervisory authority” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.
2.10 Capitalized terms not otherwise defined shall have the meaning given to them in the Vendor Agreement.
3. Terms of Data Processing
3.1 Data Processing Exhibit – The Parties acknowledge and agree that the details of the processing are provided in Exhibit A attached hereto.
3.2 The Parties acknowledge and agree that with respect to any Covered Personal Information, Five9 is a controller or business and Vendor is a processor or service provider to Five9, as such terms are defined in the applicable Privacy Laws.
3.3 Data Processing Instructions – Vendor shall process the Covered Personal Information for the duration of the Vendor Agreement (unless otherwise agreed in writing) only (a) as necessary to effect Vendor’s obligations under the Vendor Agreement; and/or (b) on documented and customary instructions from Five9, in each case unless otherwise required by applicable law. Vendor shall immediately notify Five9 if Vendor is unable to follow such instructions, including if such instructions infringe the Privacy Laws.
3.4 Compliance with Obligations – Vendor represents and warrants that Vendor, its employees, agents, subcontractors, and sub-processors (a) understand and shall comply with the Privacy Laws and this Addendum while providing the Services, (b) will provide the level of privacy protection required by the Privacy Laws, and (c) shall provide Five9 with all reasonably-requested assistance to enable Five9 to fulfill its own obligations under the Privacy Laws. Upon the reasonable request of Five9 and in accordance with the requirements of the Privacy Laws, Vendor shall make available to Five9 information in Vendor’s possession necessary to demonstrate Vendor’s compliance with the obligations set out in the Privacy Laws.
3.5 Audit Rights – Five9 shall have the right to take reasonable and appropriate steps to ensure that Vendor uses the Covered Personal Information in a manner consistent with Five9’s obligations under the Privacy Laws. At Five9’s request, Vendor shall permit and contribute to audits of the processing under the Vendor Agreement, at reasonable intervals or if there are indications of non-compliance. Vendor shall make available to Five9 all information necessary to demonstrate Vendor’s compliance with its obligations under the Privacy Laws with respect to Covered Personal Information.
3.6 Compliance Remediation; Termination Rights – Vendor agrees to notify Five9 if Vendor makes a determination that it can no longer meet its obligations under the Privacy Laws. Upon receiving such notice, or when it otherwise becomes aware of Vendor’s unauthorized use of Covered Personal Information, Five9 may take reasonable and appropriate steps to stop and remediate such unauthorized use.
3.7 Changes to Privacy Laws – To the extent this Addendum requires a Party to comply with the Privacy Laws, compliance will be in accordance the Privacy Laws as in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under the Privacy Laws, it shall not apply
until it is so required. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the applicable Privacy Laws.
3.8 Obligations at Termination – After the end of the provision of the Services, Vendor shall, at the choice of Five9, delete all Covered Personal Information and certify to Five9 that it has done so, or return to Five9 all Covered Personal Information and delete existing copies. Until the Covered Personal Information is deleted or returned, Vendor shall continue to ensure compliance with the Privacy Laws.
3.9 Impact Assessments – If applicable, Vendor shall, upon the reasonable request of Five9, provide Five9 with such assistance and information as is reasonably necessary to enable Five9 to carry out privacy impact assessments, data protection impact assessments, and required consultations with supervisory authorities under applicable Privacy Laws.
4. Limitations on Processing of Covered Personal Information
4.1 Data Restrictions – Vendor will not: (a) sell or share Covered Personal Information; (b) retain, use, or disclose Covered Personal Information for any purpose other than the limited purposes specified in the Vendor Agreement and Exhibit A hereto, such as providing the Services to Five9; (c) when prohibited by applicable Privacy Laws, combine Covered Personal Information with personal information that Vendor receives from, or on behalf of, another person or persons, or collects from its own interactions with consumers; or (d) unless permitted by applicable Privacy Laws (i) retain, use, or disclose Covered Personal Information outside the direct business relationship with Five9; or (ii) retain, use, or disclose Covered Personal Information for any commercial purpose not specified in the Vendor Agreement or Exhibit A hereto.
4.2 Subcontractors; Vendors – Vendor shall engage subcontractors or sub-processors that process Covered Personal Information only with Five9’s general written authorization. Vendor shall notify Five9 of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Vendor shall ensure that Vendor’s subcontractors or sub-processors who collect, process, store, or transmit Covered Personal Information on Vendor’s behalf agree in writing to the same restrictions and requirements that apply to Vendor in this Addendum and the Vendor Agreement with respect to Covered Personal Information, as well as to comply with the Privacy Laws.
4.3 Right to Object – Five9 may object in writing to Vendor’s appointment of a new subcontractor or sub-processor by notifying Vendor in writing within thirty (30) calendar days of receipt of notice in accordance with Section 3.2. In the event Five9 objects, Vendor will use reasonable efforts to make available to Five9 a change in the Services or recommend a commercially reasonable change to Five9’s configuration or use of the Services to avoid processing of Covered Personal Information by the objected-to new subcontractor or sub-processor without unreasonably burdening Five9. If Vendor is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Five9 may terminate the applicable ordering or purchasing documents with respect only to those Services which cannot be provided by Vendor without the use of the objected-to new subcontractor or sub-processor by providing written notice to Vendor. Vendor will refund Five9 any prepaid fees covering the remainder of the term of such ordering or purchasing documents following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Five9.
4.4 Re-identification – Vendor will not, and will not allow its subcontractors or sub-processors to, re-identify any de-identified, anonymized, or pseudonymized data derived from Covered Personal Information, unless instructed by Five9 in writing (email is sufficient).
5. Consumer and Data Subject Requests
Vendor shall, to the extent legally permitted, promptly notify Five9 of any complaint, dispute or request it has received from a data subject or consumer (for purposes of this section 4, both referred to as a “data subject”) arising from a data subject’s rights of access, deletion, correction, or portability, each such request being a “Data Subject Request.” Vendor shall not respond to a Data Subject Request itself, except that Five9 authorizes Vendor to redirect the Data Subject Request as necessary to allow Five9 to respond directly. Taking into account the nature of the processing, Vendor shall assist Five9 by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Five9’s obligation to respond to a Data Subject Request under the Privacy Laws. In addition, to the extent Five9, in its use of the Services, does not have the ability to address a Data Subject Request, Vendor shall upon Five9’s request, provide commercially reasonable efforts to assist Five9 in responding to such Data Subject Request, to the extent Vendor is legally permitted to do so and the response to such Data Subject Request is required under the Privacy Laws. To the extent legally permitted, Five9 shall be responsible for any costs arising from Vendor’s provision of such assistance.
6. Security Controls
6.1 Duty of Confidentiality – Vendor, its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Covered Personal Information.
6.2 Security Measures – Vendor shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Covered Personal Information to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”). Such Security Measures shall meet or exceed applicable industry standards and any obligations set forth in the Vendor Agreement or applicable law.
6.3 Security. At all times during the term of the Agreement, Vendor shall implement and maintain, and require that all of its Vendors implement and maintain, appropriate technical and organizational measures based upon an accepted standard governing the information security within Vendor’s industry (e.g., NIST, HITRUST, SSAE 16, ISO, etc.) ("Security Measures"). Such Security Measures shall: (i) utilize a standard set of controls, and shall be meant to include, but not be limited to, commercially available and widespread use of precautionary measures to protect Customer Data from personal data breaches and from unauthorized processing or accidental loss or damage; (ii) take into account the ongoing state of technological development, the costs of implementation and the nature, scope, context and purposes of the processing of the Customer Data, as well as the likelihood and severity of risk to individuals and to Five9 and its Customers; (iii) at minimum, include the measures described under Exhibit B, Part B to this DPA; (iv) be reviewed not less than annually and whenever there is a material change in practices or applicable Data Protection Laws; (v) include a written facility security plan which documents such Security Measures. Vendor shall maintain appropriate records of maintenance performed on its and its Vendors’ networks, systems, hosting environments, computing devices, software or hardware used to Process the Customer Data. Vendor shall not change the location of a Vendor facility where Customer Data is stored without Customer’s prior written consent. Vendor shall implement and require that its Vendors implement as part of the Security Measures physical entry controls for all areas where Customer Data is stored, accessed, or processed; anyone accessing these areas must employ one or more unique, individually identifiable entry controls (such as card keys) that provide an audit trail of each entry and existing, including through the use of appropriate measures such as cameras, guards, and entry logs. Vendor may modify or update the Security Measures as necessary to comply with Data Protection Laws or applicable security standards, provided that such modification or update does not result in a material degradation in the Security Measures. Although the security and confidentiality requirements specified herein are minimum standards intended to facilitate the protection of Customer Data, it remains Vendor’s responsibility to take appropriate additional measures and precautions necessary to ensure the confidentiality, availability, and integrity of Customer Data.
6.4 Security Incident – Vendor will inform Five9 without undue delay upon Vendor’s having become aware of any unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Covered Personal Information (to include, without limitation, any personal data breach as defined by the Privacy Laws). Vendor will provide Five9 with any information and cooperation reasonably requested by Five9 regarding such Security Incident. Vendor shall not provide notice of such Security Incident without the prior written consent of Five9 unless required by applicable law.
6.5 Encryption – Vendor will ensure that Covered Personal Information in Vendor’s control is sufficiently protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.
6.6 Security Program – Vendor shall implement a comprehensive written security program that includes industry-standard administrative, technical, and physical safeguards designed to ensure the confidentiality, security, and integrity of Covered Personal Information (“Security Program”). Upon Five9’s reasonable request, Vendor will provide Five9 with documentation that demonstrates its compliance with this Section 5.
7. Inquiries
7.1 Notification of Regulatory Inquiry – In the event that Vendor receives any regulatory inquiry or correspondence regarding Covered Personal Information in which Vendor or Five9 is named (an “Inquiry”), Vendor shall, to the extent not prohibited by applicable law or any regulatory authority, (a) promptly notify Five9 of such Inquiry; (b) in such notice, include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; and (c) not disclose any confidential information of Five9 or any affiliated party to the applicable authority without Five9’s prior written consent.
7.2 Response to Inquiry – Vendor shall take all other measures necessary to respond to or otherwise address the Inquiry adequately and in a timely manner.
8. Cross-Border Data Transfers
8.1 Transfer Mechanism – With regard to any transfers of Covered Personal Information to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer.
8.2 Transfers from the UK – For transfers of Covered Personal Information from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:
(a) Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with details provided in Exhibit A, Part A.
(b) Table 2 (Selected SCCs, Modules, and Selected Clauses):
(i) The Addendum EU SCCs shall be the Approved EU SCCs.
(ii) Module Two will apply.
(iii) In Clause 7, the Parties do not permit docking.
(iv) In Clause 9(a), the Parties select Option 2 and a time period of 30 days.
(v) In Clause 11, the Parties do not select the independent dispute resolution option.
(c) Table 3 (Appendix Information): The list of parties and the description of the transfers are provided in Exhibit A, Part A and Exhibit B, Part A. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Exhibit B, Part B.
(d) Table 4 (Ending this Addendum when the Approved Addendum Changes): The Parties agree that neither Party may end the Addendum as set out in Section 19 of the UK Addendum.
(e) Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.
8.3 Transfers from the EEA – For all other transfers of Covered Personal Information, including transfers of Covered Personal Information from the European Economic Area, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses:
Identity of the Parties: The data exporter is Five9, and the data importer is Vendor. Accordingly, Module Two (controller to processor) is the sole module applicable to transfers involving Covered Personal Information.
Conflicts: In the event of any conflict or inconsistency between this Addendum and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.
Appendices: Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Exhibit A, Part A and Exhibit B, attached hereto.
Transfer Impact Assessments: Upon Five9’s reasonable request, Vendor will make available to Five9 its documented assessment of its processing of Covered Personal Information hereunder for the purpose of Clause 14.
Specific Provisions: The following specific provisions apply to the 2021 Standard Contractual Clauses:
- In Clause 7, the Parties do not permit docking.
- In Clause 9(a), the Parties select Option 2 and a time period of 30 days.
- In Clause 11, the Parties do not select the independent dispute resolution option.
- In Clause 17 (Option 2), the Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, or if the date exporter is not established in an EU Member State, they shall be governed by the laws of the Republic of Ireland.
- In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland.
9. Miscellaneous
9.1 Severability – If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.
9.2 Survival – All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.
9.3 General – Except as expressly set forth herein, the terms of the Vendor Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Vendor Agreement and the terms of this Addendum, the terms of this Addendum shall control. Headers are for convenience and do not affect the interpretation of the terms of this Addendum.
EXHIBIT A
DETAILS OF DATA PROCESSING
A. PARTIES
Role of Five9
| For purposes of the Vendor Agreement and this Addendum, Five9 is the controller or business. To the extent of any cross-border data transfers described in Exhibit B, Five9 is the data exporter. |
| Address | 3001 Bishop Drive, Suite 350, San Ramon, CA 94583 |
| Name of Vendor | Vendor identified in the Vendor Agreement
|
| Role of Vendor | For purposes of the Vendor Agreement and this Addendum, Vendor is the processor or service provider to Five9. To the extent of any cross-border data transfers described in Exhibit B, Vendor is the data importer. |
B. PROCESSING TERMS
| Duration of the processing | Vendor agrees to process Covered Personal Information solely as instructed in the Vendor Agreement and this Addendum for the duration of the provision of the Vendor to Five9, and the longer of such additional period as: (i) is specified in any provisions of the Vendor Agreement regarding data retention; and (ii) is required for compliance with law. |
| Nature of the processing | Such processing as is necessary to enable the Vendor to comply with its obligations and exercise its rights under the Vendor Agreement, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities. |
| Purpose of the processing | Vendor agrees to process Covered Personal Information for limited and specified purposes described in the Vendor Agreement, this Addendum, or as otherwise directed by authorized personnel of Five9 in writing (email acceptable). CPRA Mandatory Disclosure: The specific business purposes are (select): |
| Type of personal data processed | Five9 may submit Covered Personal Information to the Services, or otherwise provide Covered Personal Information to Vendor, the extent of which is determined and controlled by Five9 in its sole discretion, and which may include, but is not limited to the following categories of Covered Personal Information:
Vendor shall notify Five9 in writing to the extent Vendor must collect additional categories of Covered Personal Information beyond those listed above in order to provide the Services. |
| Types of sensitive data processed (if applicable) | Five9 may submit sensitive personal information or sensitive data to the Services, as each is defined by the Privacy Laws. |
| Categories of consumers | Five9 may submit Covered Personal Information to the Services, or otherwise provide Covered Personal Information to Vendor, the extent of which is determined and controlled by Five9 in its sole discretion, and which may include, but is not limited to Covered Personal Information relating to the following categories of consumers:
|
| Obligations and rights of the Parties | As set out in the Vendor Agreement. |
EXHIBIT B
CROSS BORDER DATA TRANSFERS
A. DESCRIPTION OF CROSS-BORDER DATA TRANSFERS (IF APPLICABLE)
| Description of activities relevant to the personal data transferred under the Standard Contractual Clauses | The provision of the Services by Vendor to Five9.
|
| Categories of data subjects whose personal data is transferred | Five9 may submit Covered Personal Information to the Services, or otherwise provide Covered Personal Information to Vendor, the extent of which is determined and controlled by Five9 in its sole discretion, and which may include, but is not limited to Covered Personal Information relating to the following categories of data subjects:
|
| Categories of personal data transferred | Five9 may submit Covered Personal Information to the Services, or otherwise provide Covered Personal Information to Vendor, the extent of which is determined and controlled by Five9 in its sole discretion, and which may include, but is not limited to the following categories of Covered Personal Information:
Vendor shall notify Five9 in writing to the extent Vendor must collect additional categories of Covered Personal Information beyond those listed above in order to provide the Services. |
| Types of sensitive data transferred (if applicable) and applicable restrictions or safeguards | Data exporter may submit special categories of data to the Services, and which is for the sake of clarity data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The applicable security measures are described in the Vendor Agreement. |
| Frequency of the transfer | Continuous based on the use of the Services by Five9. |
| Purpose of the data transfer and further processing | Provision of the Services as set forth in the Vendor Agreement. |
| Vendor transfers | Transfers to sub-processors will occur where necessary for the provision of the Services in accordance with the Vendor Agreement and this Addendum solely for the term of the Vendor Agreement. |
| Competent Supervisory Authority | EEA data subjects: Republic of Ireland UK data subjects: United Kingdom |
B. TECHNICAL & ORGANIZATIONAL MEASURES
Vendor will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Covered Personal Information, as described in the Vendor Agreement. Vendor will not materially decrease the overall security of the Services during the term of the Vendor Agreement. Vendor shall provide cooperation and assistance to Five9 to enable Five9 to comply with its own obligations regarding Processing of Covered Personal Information as required under the Privacy Laws.
