Five9 Data Processing Addendum for Vendors
Last updated December 2, 2024
This Data Processing Addendum, including its Annexes (this “Addendum”), forms part of the agreement between Five9 and vendor (“Vendor”) for the provision of services (the “Services”) to Five9 by Vendor (the “Vendor Agreement”). This Addendum may refer to Vendor and Five9 each as a “Party” and collectively as the “Parties.”
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Vendor Agreement. This Addendum is effective as of the last signature date below.
1. DEFINITIONS
1.1 “Personal Information” means “personal information” and “personal data” as defined in the Privacy Laws, that is provided by Five9 to Vendor to be processed under the Vendor Agreement.
1.2 “Privacy Laws” means all applicable statutes and regulations pertaining to privacy and information security, including but not limited to: EU General Data Protection Regulation 2016/679 (“GDPR”); United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2020 (“UK GDPR”); Personal Information Protection and Electronic Documents Act (“PIPEDA”); Personal Information Protection Act (Alberta) (“PIPA Alberta”); Personal Information Protection Act (British Columbia) (“PIPA BC”); Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Privacy Act”); guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; European Directive 2002/58/EC, as amended by Directive 2009/136/EC (“ePrivacy Directive”) (as the same may be superseded by the Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”)); Swiss Federal Act on Data Protection of 19 June 1992, as amended from time to time, and any successor legislation; and any other applicable laws or regulations regarding privacy and information security that are in effect or come into effect during the term of the Vendor Agreement. Privacy Laws includes the US Privacy Laws.
1.3 “US Privacy Laws” means all applicable United States state or federal statutes and regulations pertaining to privacy and information security, including but not limited to: the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (the “CCPA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (the “VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (the “CPA”); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (the “UCPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. Gen. Stat. 42-515 et seq. (the “PDPOM”); the Indiana Consumer Data Protection Act, S.B. 5 (the “INCDPA”); Iowa Consumer Data Protection Act, S.J. 708, (the “ICDPA”); the Montana Consumer Data Privacy Act, S.B. 384 (the “MCDPA”); the Tennessee Information Protection Act, H.B. 1181 (the “TIPA”); or any US regulations or guidance issued pursuant thereto, and any other applicable US laws or regulations regarding privacy and information security that are in effect or come into effect during the term of the Vendor Agreement.
1.4 “2021 Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).
1.5 “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.
1.6 “Third Countries” means countries that are not recognized by the Privacy Laws as countries providing adequate protection of Personal Information.
1.7 The terms “business,” “collected,” “consumer,” “controller,” “data subject,” “personal data,” “personal information,” “process” or “processing,” “processor,” “service provider,” and “supervisory authority” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.
1.8 Capitalized terms not otherwise defined shall have the meaning given to them in the Vendor Agreement.
2. ROLES OF THE PARTIES
For the purposes of the Vendor Agreement and this Addendum, Five9 is the sole Party that determines the purposes and means of processing Personal Information as the “business” or “controller,” and Vendor processes Personal Information on behalf of Five9 as the “service provider” or “processor” as such terms are defined in the applicable Privacy Laws per Section 1.7 above. The details of the processing are provided in Annex 1 of this Addendum, including the duration, nature, and purpose of the processing, and the type(s) of Personal Information subject to the processing.
3. FIVE9 INSTRUCTIONS
Five9 instructs Vendor to process, and Vendor shall process, Personal Information in accordance with the Vendor Agreement, any Addendum thereto, any applicable Statement of Work or Service Order, and in compliance with other documented reasonable written instructions provided by authorized personnel of Five9, where such instructions are consistent with the terms of the Vendor Agreement.
4. PARTIES’ RESPONSIBILITIES
4.1 Each Party is responsible (i) for its own compliance with the Privacy Laws, where applicable; and (ii) with respect to the processing of Personal Information hereunder, for ensuring its employees, agents, and subprocessors understand and shall comply with the Privacy Laws and applicable terms of this Addendum. Each Party agrees that it will notify the other Party upon determining that it is unable to process Personal Information in compliance with the Privacy Laws.
4.2 Five9 shall ensure any processing of Personal Information is in accordance with the requirements of the applicable Privacy Laws. Five9 has the sole responsibility for the accuracy of Personal Information and the means by which Five9 acquired Personal Information.
4.3 Vendor will (i) implement and maintain the reasonable technical and organizational security measures to safeguard Personal Information as described in Annex 2 (Technical and Organizational Measures Including Technical and Organizational Measures to Secure Data); (ii) provide the level of privacy protection required by applicable Privacy Laws; and (iii) provide Five9 with reasonable assistance to enable Five9 to fulfill its own obligations under applicable Privacy Laws.
4.4 Vendor, its employees, agents, and sub-processors are subject to a duty of confidentiality with respect to Personal Information. Vendor will not (i) “sell” or “share” (as each is defined under the applicable US Privacy Laws) Personal Information, (ii) retain, use, or disclose Personal Information outside of Five9’s instructions set forth in Section 3 above or for any commercial purpose not specified in the Vendor Agreement, or (iii) when prohibited by applicable Privacy Laws, combine Personal Information received from Five9 with Personal Information that Vendor receives from, or on behalf of, another person or persons, or collects from its own interactions with consumers.
4.5 Vendor agrees to notify Five9 if Vendor makes a determination that it can no longer meet its obligations under the Privacy Laws. Upon receiving such notice, or when it otherwise becomes aware of Vendor’s unauthorized use of Personal Information, Five9 may take reasonable and appropriate steps to stop and remediate such unauthorized use.
5. SUB-PROCESSORS
5.1 Appointment. Vendor shall engage sub-processors that process Personal Information only with Five9’s general written authorization. Vendor shall notify Five9 of any intended changes concerning the addition or replacement of sub-processors. Further, Vendor shall ensure that Vendor’s sub-processors who collect, process, store, or transmit Personal Information on Vendor’s behalf agree in writing to the same restrictions and requirements that apply to Vendor in this Addendum and the Vendor Agreement with respect to Personal Information, as well as to comply with the Privacy Laws.
5.2 Right to Object. Five9 may object in writing to Vendor’s appointment of a new sub-processor by notifying Vendor in writing within thirty (30) calendar days of receipt of notice. In the event Five9 objects, Vendor will use reasonable efforts to make available to Five9 a change in the Services or recommend a commercially reasonable change to Five9’s configuration or use of the Services to avoid processing of Personal Information by the objected-to new sub-processor without unreasonably burdening Five9. If Vendor is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Five9 may terminate the applicable ordering or purchasing documents with respect only to those Services which cannot be provided by Vendor without the use of the objected-to new sub-processor by providing written notice to Vendor. Vendor will refund Five9 any prepaid fees covering the remainder of the term of such ordering or purchasing documents following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Five9.
5.3 Re-identification. Vendor will not, and will not allow its sub-processors to, re-identify any de-identified, anonymized, or pseudonymized data derived from Personal Information, unless instructed by Five9 in writing (email is sufficient).
6. CONSUMER AND DATA SUBJECT REQUESTS
Vendor shall, to the extent legally permitted, promptly notify Five9 of any request it has received from a data subject or consumer (for purposes of this section, both referred to as a “data subject”) arising from a data subject’s rights of access, deletion, correction, or portability, each such request being a “Data Subject Request.” Vendor shall not respond to a Data Subject Request itself, except that Five9 authorizes Vendor to redirect the Data Subject Request as necessary to allow Five9 to respond directly. Taking into account the nature of the processing, Vendor shall assist Five9 by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Five9’s obligation to respond to a Data Subject Request under the Privacy Laws. In addition, to the extent Five9, in its use of the Services, does not have the ability to address a Data Subject Request, Vendor shall upon Five9’s request, provide commercially reasonable efforts to assist Five9 in responding to such Data Subject Request, to the extent Vendor is legally permitted to do so and the response to such Data Subject Request is required under the Privacy Laws.
7. SECURITY CONTROLS
7.1 Security Measures. Vendor shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Personal Information to protect such Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”). Such Security Measures shall meet or exceed applicable industry standards and any obligations set forth in the Vendor Agreement or applicable law.
7.2 Security Incident. Vendor will inform Five9 without undue delay upon Vendor’s having become aware of any unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Personal Information (to include, without limitation, any personal data breach as defined by the Privacy Laws). Vendor will provide Five9 with any information and cooperation reasonably requested by Five9 regarding such Security Incident. Vendor shall not provide notice to any third party of such Security Incident without the prior written consent of Five9 unless required by applicable law.
7.3 Security Program. Vendor shall implement a comprehensive written security program that includes industry-standard administrative, technical, and physical safeguards designed to ensure the confidentiality, security, and integrity of Personal Information. Upon Five9’s reasonable request, Vendor will provide Five9 with documentation that demonstrates its compliance with this Section.
8. DATA RETENTION, USE, AND DESTRUCTION
At the end of the provision of the Services, Vendor shall, at the choice of Five9, delete all Personal Information and certify to Five9 that it has done so, or return to Five9 all Personal Information and delete existing copies. Until the Personal Information is deleted or returned, Vendor shall continue to ensure compliance with the Privacy Laws.
9. DATA PROTECTION IMPACT ASSESSMENT
If applicable, Vendor shall, upon the reasonable request of Five9, provide Five9 with such assistance and information as is reasonably necessary to enable Five9 to carry out privacy impact assessments, data protection impact assessments, and required consultations with supervisory authorities under applicable Privacy Laws.
10. CROSS-BORDER DATA TRANSFERS
10.1 Transfer Mechanism. With regard to any transfers of Personal Information from the European Economic Area or the United Kingdom to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer as set forth below.
10.2 Transfers from the UK. For transfers of Personal Information from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:
(a) Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with details provided in Annex 1.
(b) Table 2 (Selected SCCs, Modules, and Selected Clauses):
(i) The Addendum EU SCCs shall be the Approved EU SCCs.
(ii) Module Two (controller-to-processor) will apply.
(iii) In Clause 7, the Parties do not permit docking.
(iv) In Clause 9(a), the Parties select Option 2.
(v) In Clause 11, the Parties do not select the independent dispute resolution option.
(c) Table 3 (Appendix Information): The list of parties and the description of the transfers are provided in Annex 1. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Annex 2.
(d) Table 4 (Ending this Addendum when the Approved Addendum Changes): The Parties agree that Importer or Exporter may end the Addendum as set out in Section 19 of the UK Addendum.
(e) Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.
10.3 Transfers from the EEA. For all other transfers of Personal Information, including transfers of Personal Information from the European Economic Area, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses:
Identity of the Parties: The data exporter is Five9, and the data importer is Vendor. Accordingly, Module Two (controller to processor) is the sole module applicable to transfers involving Personal Information.
Conflicts: In the event of any conflict or inconsistency between this Addendum and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.
Appendices: Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Annexes 1 and 2 attached hereto.
Transfer Impact Assessments: Upon Five9’s reasonable request, Vendor will make available to Five9 its documented assessment of its processing of Personal Information hereunder for the purpose of Clause 14
Specific Provisions: The following specific provisions apply to the 2021 Standard Contractual Clauses:
- In Clause 7, the Parties do not permit docking.
- In Clause 9(a), the Parties select Option 2 and a time period of 30 days.
- In Clause 11, the Parties do not select the independent dispute resolution option.
- In Clause 17 (Option 2) and 18(b), the Parties agree that the jurisdiction is the member state in which controller is established, or if the controller is not established in a member state, the Republic of Ireland.
11. AUDIT RIGHTS
Five9 shall have the right to take reasonable and appropriate steps to ensure that Vendor uses the Personal Information in a manner consistent with Five9’s obligations under the Privacy Laws. At Five9’s request, Vendor shall permit and contribute to audits of the processing under the Vendor Agreement, at reasonable intervals or if there are indications of non-compliance. Vendor shall make available to Five9 all information necessary to demonstrate Vendor’s compliance with its obligations under the Privacy Laws with respect to Personal Information.
12. MISCELLANEOUS
12.1 Severability. If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.
12.2 Survival. All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.
12.3 General. The terms and conditions of the Vendor Agreement are incorporated by reference into this Addendum with full force and effect. Except as expressly set forth herein, the terms of the Vendor Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Vendor Agreement and the terms of this Addendum, the terms of this Addendum shall control. Headers are for convenience and do not affect the interpretation of the terms of this Addendum.
12.4 Changes to Privacy Laws. To the extent this Addendum requires a Party to comply with the Privacy Laws, compliance will be in accordance with the Privacy Laws as in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under the Privacy Laws, it shall not apply until it is so required. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the applicable Privacy Laws.
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the Effective Date by their respective duly authorized representative.
FIVE9, INC. | VENDOR |
Signature: | Signature: |
Printed Name: | Printed Name: |
Title: | Title: |
Date: | Date: |
ANNEX 1: DESCRIPTION OF DATA PROCESSING/TRANSFER
A. List of Parties
Role of Five9 | As set forth in Section 2 (Roles of the Parties) of the Addendum. For purposes of the Vendor Agreement and this Addendum, Five9 is the sole Party that determines the purposes and means of processing Personal Information as the “controller” or “business.” To the extent of any cross-border data transfers under the Vendor Agreement, Five9 is the data exporter. |
Address | 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA. |
Name and Contact Details | Five9 and Five9’s authorized affiliates, as set forth in the Vendor Agreement. privacy@five9.com |
Signature and Date | Effective date is: (i) the date of Five9 signature; or (ii) should the Addendum be included in the Vendor Agreement, the Effective Date of the Vendor Agreement. |
Activities relevant to the data processed/transferred | As set forth in Section 3 (Five9 Instructions) of the Addendum. |
Role of Vendor | As set forth in Section 2 (Roles of the Parties) of the Addendum. |
Address | Vendor address as set forth in the Vendor Agreement. |
Contact Details | Vendor and Vendor’s authorized affiliates, as set forth in the Vendor Agreement. |
Signature and Date | Effective date is: (i) the date of Five9 signature; or (ii) should the Addendum be included in the Vendor Agreement, the Effective Date of the Vendor Agreement. |
Activities relevant to the data processed/transferred | As set forth in Section 3 (Five9 Instructions) of the Addendum. |
B. Description of PROCESSING/CROSS-BORDER Transfer (IF APPLICABLE)
Categories of data subjects whose personal information is processed/transferred | Five9 may submit Personal Information to the Services, or otherwise provide Personal Information to Vendor, the extent of which is determined and controlled by Five9 in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of data subjects:
|
Categories of personal information processed/transferred | Five9 may submit Personal Information to the Services, or otherwise provide Personal Information to Vendor, the extent of which is determined and controlled by Five9 in its sole discretion, and which may include, but is not limited to the following categories of Personal Information:
Vendor shall notify Five9 in writing to the extent Vendor must collect additional categories of Personal Information beyond those listed above in order to provide the Services.
|
Types of sensitive (or special) categories of personal data that will be processed/transferred and applicable restrictions or safeguards | Five9 may submit special categories of data to the Services, and which is for the sake of clarity data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The applicable security measures are described in the Vendor Agreement. |
Frequency of the transfer | Continuous based on the use of the Services by Five9. |
Nature of the processing | Such processing as is necessary to enable the Vendor to comply with its obligations and exercise its rights under the Vendor Agreement, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities. |
Duration of the processing | Vendor agrees to process Personal Information solely as instructed in the Vendor Agreement and this Addendum for the duration of the provision of the Vendor to Five9, and the longer of such additional period as: (i) is specified in any provisions of the Vendor Agreement regarding data retention; and (ii) is required for compliance with law. |
Purpose of the processing/data transfer and further processing | Vendor agrees to process Personal Information for limited and specified purposes described in the Vendor Agreement, this Addendum, or as otherwise directed by authorized personnel of Five9 in writing (email acceptable). |
Sub-processor transfers | Transfers to sub-processors will occur where necessary for the provision of the Services in accordance with the Vendor Agreement and this Addendum solely for the term of the Vendor Agreement. |
C. COMPETENT SUPERVISORY AUTHORITY. EEA data subjects: Republic of Ireland. UK data subjects: United Kingdom.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
1. Access control to premises and facilities. Vendor will take measures designed to prevent unauthorized physical access to premises and facilities holding personal data, which shall include access control system; ID reader, chip card; issue of keys; door locking (electric door openers, etc.); video/CCTV monitor; and logging of facility exits/entries.
2. Access controls to systems. Vendor will take measures designed to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication: anti-virus protection; stateful inspection firewalls; internal and external vulnerability scans; intrusion detection and prevention systems; least-privilege access to IT systems based on job role and segregation of duties; password procedures (including alpha and numeric characters, minimum length, periodic changes); no access for guest users or anonymous accounts; and two-factor authentication for privileged IT administrators who access production.
3. Access controls to data. Vendor will take measures designed to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include: least-privilege access rights based on job role and segregation of duties; management approval required for new or modified access prior to provisioning or change; terminated user access disabled within 72 hours of notification from human resources; quarterly logical and physical access review for workforce members with access to production; quarterly administrator access revalidated by management; physical access to the data centres restricted to appropriate individuals; and two-factor authentication for privileged IT administrators who access production.
4. Disclosure controls. Vendor will take measures designed to prevent the unauthorized access, alteration, or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include: encryption using a VPN for remote access; secure File Transfer Protocol (SFTP) for transport and communication of data, if ordered; and media sanitization and destruction procedures.
5. Change management controls. Vendor will take measures designed to ensure all changes to production systems are logged, tested, and approved. These must include change request and approval required prior to implementation into production; critical application changes tested and approved prior to implementation into production; access to migrate changes into production restricted to appropriate individuals; and critical changes reviewed on a monthly basis to confirm appropriateness and authorization.
6. Data processing controls. Vendor will take measures designed to ensure that data is processed strictly in compliance with Five9’s instructions. These must include unambiguous wording of contractual instructions; monitoring of contract performance; and monitoring of service level agreements.
7. Availability controls. Vendor will take measures designed to ensure that data are protected against accidental destruction or loss. These must include data backup procedures; uninterruptible power supply (UPS); business continuity procedures; 24x7 Network Operations Centre (NOC) monitoring; critical jobs monitored for successful completion and error resolution; problem and incident management and response procedures; security incident management and response procedures; and root cause analysis required for problems and incidents affecting production.
8. Segregation controls. Vendor will take measures designed to allow data collected for different purposes to be processed separately. These must include restriction of access to data according to job role and segregation of duties; segregation of business IT systems; and segregation of IT testing and production environment.