Five9 Data Processing Addendum for Vendors
Last updated August 19, 2025
This Data Processing Addendum for Vendors, including its Annexes (this "Addendum"), forms part of the agreement between Five9 and vendor ("Vendor") for the provision of services (the "Services") to Five9 by Vendor (the "Agreement"). This Addendum may refer to Five9 and Vendor each as a "Party" and collectively as the "Parties." Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. This Addendum is effective as of the Effective Date of the Agreement.
1. DEFINITIONS
1.1 "Personal Information" means "personal information" and "personal data" as defined in the Privacy Laws that is provided by Five9 to Vendor to be processed under the Agreement.
1.2 "Privacy Laws" means all applicable statutes and regulations pertaining to privacy and data protection, including: EU General Data Protection Regulation 2016/679 ("GDPR"); United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (amendments, etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2020 ("UK GDPR"); Personal Information Protection and Electronic Documents Act ("PIPEDA"); Personal Information Protection Act (Alberta) ("PIPA Alberta"); Personal Information Protection Act (British Columbia) ("PIPA BC"); Act Respecting the Protection of Personal Information in the Private Sector ("Quebec Privacy Act"); guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; European Directive 2002/58/EC, as amended by Directive 2009/136/EC ("E-Privacy Directive"); the Data Protection Act 2018, and the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications ("ePrivacy Regulation")); Swiss Federal Act on Data Protection of 19 June 1992; and California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act ("CCPA"); in each case as amended from time to time and as in effect, or coming into effect, during the term of the Agreement.
1.3 "2021 Standard Contractual Clauses" means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses); provided that, to the extent of a conflict between the 2021 Standard Contractual Clauses and this Agreement, the 2021 Standard Contractual Clauses prevail. "Third Countries" means countries that are not recognized by the Privacy Laws as countries providing adequate protection of Personal Information.
1.4 "UK Addendum" means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner's Office of the United Kingdom.
1.5 The terms "business," "collected," "consent," "consumer," "controller," "data subject," "process" or "processing," "processor," "service provider," and "supervisory authority" shall have the meanings given to those terms in the applicable Privacy Laws to the extent such meanings are materially similar to the meaning of those terms in effect upon the execution of this Addendum. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in the applicable Privacy Laws will apply.
2. ROLES OF THE PARTIES
For the purposes of the Agreement and this Addendum, Five9 is the sole Party that determines the purposes and means of processing Personal Information as the business, processor or controller, and appoints Vendor as a processor or service provider to process Personal Information on behalf of Five9 as set forth herein.
3. FIVE9 INSTRUCTIONS
Five9 instructs Vendor to process, and Vendor shall process, Personal Information in accordance with the Agreement, this Addendum, and Five9's documented instructions provided by authorized personnel of Five9, where such instructions are consistent with the terms of the Agreement.
4. DATA PROCESSING
4.1 Each Party agrees to comply with the Privacy Laws applicable to such Party in the performance of its respective obligations hereunder. Each Party agrees that it will promptly (without undue delay) notify the other Party upon determining that it is unable to process Personal Information in compliance with the Privacy Laws.
4.2 The details of the data processing under this Addendum are provided in Annex 1 hereto, including the duration, nature, and purpose of the processing, and the type(s) of Personal Information being processed. Vendor shall (i) implement and maintain appropriate technical and organizational security measures in accordance with relevant industry standards designed to safeguard Personal Information as described in Annex 2 (Technical and Organizational Measures); (ii) provide the level of privacy protection required by applicable Privacy Laws; and (iii) provide Five9 with reasonable assistance to enable Five9 to fulfil its own obligations under applicable Privacy Laws.
4.3 Vendor, its employees, and sub-processors are subject to a duty of confidentiality with respect to Personal Information. Vendor will not (i) "sell" or "share" (as each is defined under the applicable Privacy Laws) Personal Information, (ii) retain, use, or disclose Personal Information outside of Five9's instructions set forth in Section 3 above or for any commercial purpose not specified in the Agreement, or (iii) when prohibited by applicable Privacy Laws, combine Personal Information received from Five9 with Personal Information that Vendor receives from, or on behalf of, another person or persons, or collects from its own interactions with data subjects.
5. SUB-PROCESSORS
Vendor shall engage sub-processors that process Personal Information only with Five9's general written authorization. Vendor shall notify Five9 of any intended changes concerning the addition or replacement of sub-processors. Further, Vendor shall ensure that Vendor's sub-processors who collect, process, store, or transmit Personal Information on Vendor's behalf agree in writing to the same restrictions and requirements that apply to Vendor in this Addendum and the Agreement with respect to Personal Information, as well as to comply with the Privacy Laws.
Five9 may object to Vendor's appointment of a new sub-processor by notifying Vendor in writing. In the event Five9 objects, Vendor will use reasonable efforts to make available to Five9 a change in the Services or recommend a commercially reasonable change to Five9's configuration or use of the Services to avoid processing of Personal Information by the objected-to new sub-processor without unreasonably burdening Five9. If Vendor is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Five9 may terminate the applicable ordering or purchasing documents by providing written notice to Vendor. Vendor will refund Five9 any prepaid fees covering the remainder of the term of such ordering or purchasing documents following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Five9. Vendor will not, and will not allow its sub-processors to, re-identify any de-identified, anonymized, or pseudonymized data derived from Personal Information, unless instructed by Five9 in writing (email is sufficient).
6. RIGHTS OF DATA SUBJECTS AND CONSUMER REQUESTS
Vendor shall promptly notify Five9, to the extent legally permitted, of any request it has received from a data subject arising from the data subject's right of access, right to rectification, right to restriction of processing, right to erasure ('right to be forgotten'), right to data portability, right to object to the processing, or right not to be subject to automated individual decision making, each such request being a "data subject request." Vendor shall not respond directly to a data subject, except if Five9 authorizes Vendor to redirect the data subject request as necessary to allow Five9 to respond directly. Vendor shall assist Five9 by taking appropriate technical and organizational measures for the fulfillment of Five9's obligations under the Privacy Laws to respond to consumers' requests to exercise their rights.
7. SECURITY CONTROLS
Vendor shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Personal Information to protect such Personal Information from unauthorized access, destruction, use, modification, or disclosure ("Security Measures"). Such Security Measures shall meet or exceed applicable industry standards and any obligations set forth in the Agreement or applicable law. Vendor shall promptly (without undue delay), and in no event later than 48 hours after Vendor becomes aware of it, notify Five9 of any unauthorized disclosure, use, or access to Personal Information transmitted, stored or otherwise processed by Vendor (a "Personal Data Breach"). Vendor shall identify the cause of such Personal Data Breach and undertake remediation to rectify the adverse effects of such Personal Data Breach. In accordance with applicable Privacy Laws, Five9 has the right, upon reasonable written notice to Vendor, to take reasonable and appropriate steps to stop and remediate Vendor's unauthorized use of Personal Information. Vendor shall not provide notice to any third party of such Personal Data Breach without the prior written consent of Five9 unless required by applicable law. Upon Five9's request, Vendor will provide Five9 with documentation that demonstrates its compliance with this Section.
8. DATA RETENTION, USE, AND DESTRUCTION
At the end of the provision of the Services, Vendor shall, at the choice of Five9, delete all Personal Information and certify to Five9 that it has done so, or return to Five9 all Personal Information and delete existing copies. Until the Personal Information is deleted or returned, Vendor shall continue to ensure compliance with the Privacy Laws.
9. DATA PROTECTION IMPACT ASSESSMENT
Upon Five9's request, Vendor shall provide Five9 with cooperation needed to fulfil Five9's obligation under applicable Privacy Laws to carry out a data protection impact assessment related to data processed pursuant to Five9's use of the Services.
10. CROSS-BORDER DATA TRANSFERS
10.1 Transfer Mechanism – With regard to any transfers of Personal Information from the European Economic Area or the United Kingdom to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer as set forth below.
10.2 Transfers from the UK – For transfers of Personal Information from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:
- Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with details provided in Annex 1.
- Table 2 (Selected SCCs, Modules, and Selected Clauses):
- The Addendum EU SCCs shall be the Approved EU SCCs.
- Module Two (controller-to-processor) will apply.
- In Clause 7, the Parties do not permit docking.
- In Clause 9(a), the Parties select Option 2.
- In Clause 11, the Parties do not select the independent dispute resolution option.
- Table 3 (Appendix Information): The list of parties and the description of the transfers are provided in Annex 1. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Annex 2.
- Table 4 (Ending this Addendum when the Approved Addendum Changes): The Parties agree that Importer or Exporter may end the Addendum as set out in Section 19 of the UK Addendum.
- Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.
10.3 Transfers from the EEA – For all other transfers of Personal Information, including transfers of Personal Information from the European Economic Area, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses:
- Identity of the Parties: The data exporter is Five9, and the data importer is Vendor. Accordingly, Module Two (controller to processor) is the sole module applicable to transfers involving Personal Information.
- Conflicts: In the event of any conflict or inconsistency between this Addendum and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.
- Appendices: Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Annexes 1 and 2 attached hereto.
- Transfer Impact Assessments: Upon Five9's reasonable request, Vendor will make available to Five9 its documented assessment of its processing of Personal Information hereunder for the purpose of Clause 14.
- Specific Provisions: The following specific provisions apply to the 2021 Standard Contractual Clauses:
- In Clause 7, the Parties do not permit docking.
- In Clause 9, the Parties select Option 2 and a time period of 30 days.
- In Clause 11, the Parties do not select the independent dispute resolution option.
- In Clauses 17 (Option 2) and 18(b), the Parties agree that the jurisdiction is the member state in which the controller is established, or, if the controller is not established in a member state, the Republic of Ireland.
11. AUDIT RIGHTS
Five9 shall have the right to take reasonable and appropriate steps to ensure that Vendor uses the Personal Information in a manner consistent with Five9's obligations under the Privacy Laws. At Five9's request, Vendor shall permit and contribute to audits of the processing under the Agreement, at reasonable intervals or if there are indications of non-compliance. Vendor shall make available to Five9 all information necessary to demonstrate Vendor's compliance with its obligations under the Privacy Laws with respect to Personal Information.
12. CHANGES TO PRIVACY LAWS
To the extent this Addendum requires a Party to comply with the Privacy Laws, compliance will be in accordance with the Privacy Laws as in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under the Privacy Laws, it shall not apply until it is so required. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the applicable Privacy Laws.
ANNEX 1: DESCRIPTION OF DATA PROCESSING/TRANSFER
A. LIST OF PARTIES
| Field | Five9 (data exporter) |
|---|---|
| Role of Five9 | As set forth in Section 2 (Roles of the Parties) of the Addendum. For purposes of the Agreement and this Addendum, Five9 is the sole Party that determines the purposes and means of processing Personal Information as the "controller" or "business." To the extent of any cross-border data transfers under the Agreement, Five9 is the data exporter. |
| Address | 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA. |
| Name and Contact Details | Five9 and Five9's authorized affiliates, as set forth in the Agreement. privacy@five9.com |
| Signature and Date | Effective date is: (i) the date of the Five9 signature; or (ii) should the Addendum be included in the Agreement, the Effective Date of the Agreement. |
| Activities relevant to the data processed/transferred | As set forth in Section 3 (Five9 Instructions) of the Addendum. |

| Field | Vendor (data importer) |
|---|---|
| Role of Vendor | As set forth in Section 2 (Roles of the Parties) of the Addendum. |
| Address | Vendor address as set forth in the Agreement. |
| Contact Details | Vendor and Vendor's authorized affiliates, as set forth in the Agreement. |
| Signature and Date | Effective date is: (i) the date of the Five9 signature; or (ii) should the Addendum be included in the Agreement, the Effective Date of the Agreement. |
| Activities relevant to the data processed/transferred | As set forth in Section 3 (Five9 Instructions) of the Addendum. |
B. DESCRIPTION OF PROCESSING/CROSS-BORDER TRANSFER (IF APPLICABLE)
| Item | Description |
|---|---|
| Subject matter and duration of processing | The subject matter and duration of the processing shall be according to the Agreement and this Addendum in connection with the Agreement or as required for compliance with applicable law. |
| Purpose of the processing | Personal Data will be processed for the purpose as set forth in the Agreement. |
| Nature of the processing | Processing to enable Vendor to comply with its obligations and exercise its rights under the Agreement, or as required by applicable law, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities. |
| Categories of data subjects | The data subjects include customers, end users, employees, agents, contractors, suppliers, representatives, and other individuals whose personal data is processed via the Services. |
| Types of Personal Information processed | Five9 contact information (which may include name, e-mail address, work extension number and log-in details); Personal Information contained in any content that is hosted or managed on behalf of Five9; and as set out in the Agreement and this Addendum, as evidenced in the communications between the Parties. |
| Types of sensitive data processed (if applicable) | Based on the applicable Services, end users may disclose sensitive data that is not currently contemplated and may be incidentally contained in content. |
C. COMPETENT SUPERVISORY AUTHORITY. EEA data subjects: Republic of Ireland. UK data subjects: United Kingdom.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
1. INFORMATION SECURITY PROGRAM
Vendor has implemented and will maintain during the Term an information security program based on ISO/IEC 27001 standards that are applicable to Vendor as a service provider and designed to (i) implement secure methods for processing, transmitting and storing data provided by Five9 ("Customer Data"), (ii) secure Customer Data against unauthorized access, acquisition, use, or disclosure, and (iii) minimize physical and logical security risks to the Vendor network, including through regular risk assessment and testing (collectively, the "Security Program"). Vendor designates one or more employees to coordinate and be accountable for the Security Program. Vendor conducts periodic reviews of the Security Program, which Vendor may update or modify as necessary.
2. FIVE9 CERTIFICATION AND SECURITY STANDARDS
- During the Term, Vendor will maintain an ISO/IEC 27001 certification and SOC 2 Type 2 report ("SOC 2 Report").
- Upon reasonable written request, Vendor will provide Five9 such SOC 2 Report in accordance with the AICPA Trust Services Criteria for Security and Availability and any other of its currently available certifications. In addition, Vendor will provide its security assessment upon Five9's reasonable written request.
- As a certified Level 1 Payment Card Industry (PCI) Data Security Standard (DSS) Service Provider, Vendor engages an independent Qualified Security Assessor (QSA) to perform an annual assessment of Vendor's control environment covering all 12 PCI DSS requirements. Upon reasonable written request, Vendor will provide its current PCI attestation letter.
3. ACCESS CONTROLS TO SYSTEMS
Vendor has implemented and will maintain commercially reasonable measures designed to prevent unauthorized access to Vendor's network. These may include the following technical and organizational measures for user identification and authentication: anti-virus protection; stateful inspection firewalls; internal and external vulnerability scans; intrusion detection and prevention systems; least-privilege access to IT systems based on job role and segregation of duties; strong password procedures; no access for guest users or anonymous accounts; and two-factor authentication for privileged IT administrators.
- Penetration Testing. Vendor will perform application penetration tests of its proprietary applications using relevant industry standard practices to detect vulnerabilities in the applications and to measure the effectiveness of the applications' security controls. Vulnerabilities identified will be tracked and remediated in accordance with Vendor's internal policies.
- Vulnerability Management. Vendor will implement and review no less than annually a comprehensive vulnerability management program for the regular identification, categorization, and timely remediation of technical and process vulnerabilities at the infrastructure and application layers.
- Logging. Vendor has and will maintain a log management program based on NIST SP 800-92 and provides logging capabilities in accordance with the following:
  - the scope of logging and the retention policy utilize a risk-based approach;
  - logs will be sufficient to permit forensic analysis of Personal Data Breaches;
  - logs will record administrative changes to the Services;
  - log records will be kept physically and virtually secured to prevent tampering; and
  - passwords will not be logged.
- Firewalls. Vendor has and shall maintain intrusion prevention systems. At a minimum, such intrusion prevention systems will include firewalls, which will:
  - be configured to deny access, except for what is explicitly allowed;
  - restrict publicly accessible systems and wireless access from any internal system that contains data; and
  - block all protocols and services that are not required under the Agreement or for other general business purposes.
4. RESTRICTED ACCESS CONTROLS TO DATA
Vendor will take measures designed to prevent unauthorized access to data beyond permitted access rights. These measures may include:
- least-privilege access rights based on job role and segregation of duties;
- management approval required for new or modified access prior to provisioning or change;
- terminated users' access promptly disabled upon notice from human resources;
- quarterly logical and physical access review for workforce members with access to production;
- quarterly administrator access revalidated by management;
- physical access to the data centers restricted to appropriate individuals; and
- two-factor authentication for privileged IT administrators.
5. CHANGE MANAGEMENT CONTROLS
Vendor will take measures designed to ensure all changes to production systems are logged, tested, and approved. These must include change request and approval required prior to implementation into production; critical application changes tested and approved prior to implementation into production; access to migrate changes into production restricted to appropriate individuals; and critical changes routinely reviewed to confirm appropriateness and authorization.
6. ACCESS CONTROLS TO PREMISES AND FACILITIES
Vendor will take measures designed to prevent unauthorized physical access to premises and facilities holding personal data, which include:
- appropriate physical environmental safeguards;
- on-site backup; and
- appropriate controls designed to ensure that only authorized Vendor personnel are allowed physical access to such facilities, which may include an access control system; ID readers and chip cards; issuance of keys; door locking (electric door openers, etc.); video/CCTV monitoring; and logging of facility entries and exits.
7. DATA RETENTION
Vendor will:
- maintain Customer Data and store it in a location and format available for retrieval in accordance with Five9's data retention policy as set forth at https://www.five9.com/legal/dataretention or successor URL;
- have specific procedures in place governing access to copies of Customer Data in connection with a legal action or regulatory requirement to disclose; and
- review and test data recovery procedures on a routine basis or when a material change occurs.
8. AVAILABILITY CONTROLS AND BUSINESS CONTINUITY
- Vendor will take measures designed to ensure that data are protected against accidental destruction or loss. These include data backup procedures; uninterruptible power supply (UPS); 24x7 Network Operations Centre (NOC) monitoring; critical jobs monitored for successful completion and error resolution; problem and incident management and response procedures; security incident management and response procedures; and root cause analysis required for problems and incidents affecting production.
- Vendor has and will maintain an appropriate disaster recovery, business continuity and contingency plan and related policies and procedures (collectively, the "Business Continuity Plan"). The Business Continuity Plan will be reviewed by Vendor no less than annually and is designed to provide for continued operation in the event of a catastrophic event affecting Vendor's business operations.
- Vendor will routinely test features of its Business Continuity Plan and will provide a summary report of the results of such tests to Five9 upon written request.
9. MALICIOUS SOFTWARE
- Vendor will install and maintain relevant industry-standard anti-malware software and, to the extent feasible, use real-time protection features designed to prevent the Services from being infected or affected by the presence of malicious code.
- Vendor will promptly remove malicious code discovered in Vendor's applications or the Services.
- Vendor will perform real-time scanning on files and other data uploaded into the Services to identify and eliminate any files or other data containing malicious code to the extent feasible.
- Vendor will use commercially reasonable efforts to prevent the transmission or the introduction of any malicious code into its applications.
10. DISCLOSURE CONTROLS AND DATA ENCRYPTION
- Vendor will take measures designed to prevent the unauthorized access, alteration, or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures include secure File Transfer Protocol (sFTP) for transport and communication of data, if ordered; and media sanitization and destruction procedures.
- Vendor will implement and utilize encryption based on NIST Special Publication 800-52 encryption guidelines to protect Customer Data in-transit and at rest.
- Vendor maintains and will maintain a formal process for managing and protecting encryption keys which follows relevant industry standards.
11. DATA PROCESSING CONTROLS
Vendor will take measures designed to ensure that data is processed strictly in compliance with the data exporter's instructions. These must include unambiguous wording of contractual instructions; monitoring of contract performance; and monitoring of service level agreements.
12. SEGREGATION CONTROLS
Vendor will take measures designed to allow data collected for different purposes to be processed separately. These include restriction of access to data according to job role and segregation of duties; segregation of business IT systems; and segregation of IT testing and production environment.
13. MEDIA HANDLING
Vendor will ensure that relevant industry-standard media handling procedures are implemented and maintained. Media will be encrypted, transported in a secure manner, and stored in a location that is physically secure. Devices must be purged, degaussed, or physically destroyed, so that data cannot be reconstructed, based on the disposition protocols defined within the NIST 800-88 Media Sanitization Standard. Vendor shall ensure proper documentation or a certificate of destruction for the disposal of any hardware or media (such as, but not limited to, tape drives, thumb drives, diskettes, CDs, DVDs, laptop drives, workstation drives or server drives) that stores Customer Data.
14. HUMAN RESOURCES SECURITY
Vendor provides information security, regulatory compliance, and privacy training to all of its employees who handle Customer Data to support a common understanding of applicable data protection laws and regulations, as well as how to detect and report security issues. Such training shall:
- include secure handling protocols when handling Customer Data;
- be provided at the time of hire and annually thereafter; and
- be documented with the names of the employees who completed the training and the dates the training was completed.
Furthermore, Vendor personnel with access to Customer Data will also be subject to confidentiality obligations.