The following is an overview of the measures that Five9 takes to protect our customers’ confidential data and of our corporate data from cyber-security threats.
Executive management has established tone from the top with respect to maintaining appropriate business and IT controls to mitigate the risk of intrusions and data breaches. Executive management also plays a key role in continuously assessing and monitoring cyber-security risks to Five9’s operating environment.
Five9 has designed and implemented administrative, physical, and technical safeguards in accordance with a number of data protection laws, regulations, and standards including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), the California Privacy Regulations (CCPA/CRPA), Canada’s Privacy regulations (PIPEDA), the General Data Protection Regulation (GDPR), and the UK Data Protection Act 1998.
Our administrative safeguards include an information security management process developed to align with ISO 27001/27002; full-time security personnel; and processes for information access management, workforce training and awareness, and ongoing evaluation of the control environment
Our physical safeguards include facility access controls and workstation/device security measures
Our technical safeguards include controls for role-based access, audit logs, data integrity, and data transmission security
Five9 has implemented stateful inspection firewalls, de-militarized zones (DMZs), intrusion prevention and detection systems (IPS/IDS), vulnerability scanning, annual penetration testing, file integrity monitoring (FIM), anti-virus/anti-malware protection, two-factor authentication, and virtual private networking (VPN) to defend against cyber exposures.
This defense-in-depth strategy provides layers of security from the edge of the Five9 network to its core to mitigate the risk of unauthorized access or use of systems that contain confidential customer or corporate data. Five9 has also implemented “least privilege, minimum necessary” role-based access controls to grant access privileges to systems containing confidential customer or corporate data only to those employees whose roles require it.
Five9 Information Security is accountable for monitoring intrusion prevention and detection systems, regularly performing information security assessments and vulnerability scans, taking appropriate actions to patch system vulnerabilities, monitoring of the Security Information and Event Management (SIEM) system by our 7x24 Security Operations Center, and promptly investigating and reporting security alerts and assessment findings to executive management. The work that this team performs is essential to the health and security of the Five9 environment and ensures Five9 executive management has timely visibility into security and privacy risks, issues, and incidents.
Five9 also provides ongoing information security and privacy training to all workforce members to ensure a common understanding of applicable data protection laws and regulations, as well as how to watch for and report security risks and issues to executive management. This effort is designed to promote a culture of compliance and reinforces the concepts of “Know it. Own it. Control it.” with respect to data protection accountability at all levels of the company.
Five9 continues to maintain an annual SOC 2 Type 2 attestation (performed under AICPA standard AT 101) performed by a certified audit firm covering the Trust Services Security and Availability Principles.