Data Processing Addendum
Last updated June 16, 2025
US and Canada only
This Five9 Data Processing Addendum, including its Annexes (this “Addendum”) applies where, and to the extent, Five9 processes Personal Information as a processor under the agreement between Customer and Five9 (“MSA”) or the required Five9 pass-through terms contained or incorporated into the agreement between Customer and the Five9-authorized reseller (the MSA or such Five9 pass-through terms, as applicable, shall be referred to herein as the “Agreement”). This Addendum is incorporated into, and forms a part of, the Agreement. This Addendum may refer to Customer and Five9 each as a “Party” and collectively as the “Parties.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. This Addendum is effective as of the Effective Date of the Agreement.
1. DEFINITIONS
1.1 “Personal Information” means “personal information” and “personal data” as defined in the Privacy Laws, that is provided via the Services and processed by Five9.
1.2 “Privacy Laws” mean all applicable United States and Canadian province, state or federal statutes and regulations pertaining to privacy and data protection, including the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (the “CCPA”); Personal Information Protection and Electronic Documents Act (“PIPEDA”); Personal Information Protection Act (Alberta) (“PIPA Alberta”); Personal Information Protection Act (British Columbia) (“PIPA BC”); An Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Privacy Act”); that are in effect or come into effect during the term of the Agreement.
1.3 The terms “business,” “collect,” “consent,” “consumer," “controller,” “process” or “processing,” “processor,” “sensitive data,” and “service provider” shall have the meanings given to those terms in the applicable Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect upon the execution of this Addendum. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.
2. ROLES OF THE PARTIES
For the purposes of the Agreement and this Addendum, Customer is the sole Party that determines the purposes and means of processing Personal Information, acting as the business or controller, and appoints Five9 as a processor or service provider to process Personal Information on behalf of Customer as set forth herein.
3. CUSTOMER INSTRUCTIONS
Customer instructs Five9 to process, and Five9 shall process, Personal Information in accordance with the Agreement, this Addendum, and Customer’s documented instructions, where such instructions are lawful and consistent with the Agreement and this Addendum, or where Five9 is otherwise required to process Personal Information by applicable Privacy Laws. Five9 is not responsible for determining whether Customer’s instructions comply with applicable Privacy Laws; however, Five9 shall promptly (without undue delay) notify Customer if, in Five9’s reasonable opinion, an instruction of Customer for the processing of Personal Information violates any Privacy Laws and, in such case, Five9 may refrain from complying with such instruction. Five9 shall not receive any monetary consideration in exchange for Personal Information.
4. DATA PROCESSING
4.1 Each Party agrees to comply with Privacy Laws applicable to such party in the performance of their respective obligations hereunder. Each Party agrees that it will promptly (without undue delay) notify the other Party upon determining that it is unable to process Personal Information in compliance with the Privacy Laws. Customer has the sole responsibility for the accuracy, quality, and legality of Personal Information, including the lawfulness of the means by which Customer acquired Personal Information that is disclosed, transferred, or otherwise made available to Five9.
4.2 Five9 reserves all rights and asserts all exceptions and exemptions to which it is entitled under applicable Privacy Laws (such as preserving Personal Information in order to protect against malicious, deceptive, fraudulent or illegal activity; or to comply with a legal obligation, etc.).
4.3 The details of the data processing under this Addendum are provided in Annex 1 hereto, including the duration, nature, and purpose of the processing, and the type(s) of Personal Information being processed. Five9 will (i) implement and maintain appropriate technical and organizational security measures in accordance with relevant industry standards designed to safeguard Personal Information as described in Annex 2 (Technical and Organizational Measures) or alternative security measures which do not materially degrade such protection of Personal Information; and (ii) provide the level of privacy protection required by applicable Privacy Laws.
4.4 Five9, its employees, and sub-processors are subject to a duty of confidentiality with respect to Personal Information. Five9 will not (i) “sell” or “share” (as each is defined under the applicable Privacy Laws) Personal Information, (ii) retain, use, or disclose Personal Information outside of Customer’s instructions set forth in Section 3 above or for any commercial purpose not specified in the Agreement, or (iii) when prohibited by applicable Privacy Laws, combine Personal Information received from Customer with Personal Information that Five9 receives from, or on behalf of, another person or persons, or collects from its own interactions with consumers.
4.5 Customer understands and agrees that (i) it may store its customers’ telephone numbers in the Five9 Virtual Contact Center (“VCC”); (ii) storage of Protected Health Information (PHI) in the VCC database (e.g., contact records or agent notes) is strictly prohibited unless Customer orders Five9 encryption Services under an applicable Service Order; and (iii) storage of Payment Card Data in text format (e.g., Payment Card Data within contact records, agent notes, email, chat, SMS transcripts, etc.) is strictly prohibited. Notwithstanding anything to the contrary, Customer may not store designated record sets (as defined by the Health Insurance Portability and Accountability Act) in the VCC.
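Section 4.5(iii) prohibits Payment Card Data in text fields such as contact records, agent notes and chat or SMS transcripts. The following is an added illustration of the storage-time check a customer would typically put in front of those fields; it is not Five9 code and is no part of the VCC. It finds digit runs of 13 to 19 digits (with optional space or dash separators), confirms them with the Luhn check so that order numbers and phone numbers are not flagged, and masks everything but the last four digits. The function names and the sample agent note are constructed for this example.

```python
"""Detect and mask primary account numbers (PANs) in free text before the text
is written to a contact-center record.  Added illustration, not Five9 code."""
import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash.
# The lookarounds stop a 16-digit window being carved out of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return the substrings of `text` that look like PANs and pass Luhn."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks, keeping only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # Luhn failed: leave order/reference numbers alone
    return _CANDIDATE.sub(_mask, text)


def check_record_field(field_value: str) -> tuple[bool, str]:
    """Storage gate: (allowed_as_is, value_safe_to_store).

    A field containing a PAN is not allowed as-is; the masked value is what may
    be persisted if the workflow chooses to keep the note at all.
    """
    if find_pans(field_value):
        return False, mask_pans(field_value)
    return True, field_value


# Constructed sample agent note (the card number is the standard Visa test PAN).
SAMPLE_NOTE = ("Caller read card 4111 1111 1111 1111, exp 12/27; "
               "order 1234567890123; callback 925-201-2000")

if __name__ == "__main__":
    allowed, safe = check_record_field(SAMPLE_NOTE)
    print(allowed, safe)
```

The Luhn step is what keeps the false-positive rate tolerable on contact-center text: a 13-digit order number or a concatenated phone number fails it almost nine times out of ten, while every real PAN passes. Expiry dates and CVVs are not detected by this check and should be rejected as separate patterns if agents are known to type them.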
4.6 Customer, its affiliates, and agents agree that they will at all times (i) configure VCC technical security measures, including password requirements, in a manner consistent with relevant industry standards, (ii) administer authentication and authorization based on relevant industry standards, including least privilege and individual accountability for all users, and (iii) use only secure protocols as offered by Five9, including encryption of data in transit (e.g., sRTP, VPN, and sFTP) and encryption of call recordings at rest (e.g., Encrypted Storage).
5. SUB-PROCESSORS
Customer authorizes Five9 to appoint and engage third-party sub-processors (with its current sub-processors listed at https://login.five9.com) in connection with the provision of the Services provided that Five9 enters into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set forth in the Agreement and this Addendum with respect to the protection of Personal Information to the extent applicable to the nature of the Services provided by such sub-processor. The use of any such sub-processor by Five9 shall not relieve Five9 of any of its obligations under this Addendum, and Five9 shall be responsible for such actions of its sub-processors to the extent performing on behalf of Five9 hereunder.
If Customer reasonably objects to Five9’s use of a new sub-processor on data protection grounds which would result in Five9’s breach of this Addendum in relation to the protection of Personal Information, Customer shall promptly notify Five9 in writing, and in any event no later than thirty (30) days after receipt of Five9’s notice. If Customer so objects to a new sub-processor, the Parties will discuss Customer’s concerns in good faith to resolve the matter, and if the Parties cannot resolve the objection within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Service Order(s) with respect to those Services which cannot be provided by Five9 without the use of the objected-to new sub-processor by providing written notice to Five9. Five9 will refund Customer any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
6. CONSUMER REQUESTS
Considering the nature of the processing and the information available to Five9, Five9 shall assist Customer by taking appropriate technical and organizational measures, insofar as this is reasonably practicable, for the fulfillment of Customer’s obligations under Privacy Laws to respond to consumers’ requests to exercise their rights. If Customer conveys a consumer request to Five9 in writing, Customer shall: (a) verify the identity of the consumer as required by applicable Privacy Laws; (b) reasonably assist in locating the Personal Information shared with Five9; and (c) cooperate in good faith with Five9 to determine whether a request should be complied with or whether any exceptions to compliance with the request apply.
7. INCIDENT MANAGEMENT AND NOTIFICATION
Five9 shall promptly (without undue delay), and in any event no later than seventy-two (72) hours after confirmation, notify Customer of an unauthorized disclosure, use, or access of Personal Information transmitted, stored or otherwise processed by Five9 (a “Personal Data Breach”). Five9 shall make reasonable efforts to identify the cause of such Personal Data Breach, take such steps as Five9 deems necessary, and undertake remediation as reasonably feasible to rectify the adverse effects of such Personal Data Breach, to the extent the remediation is within Five9’s reasonable control. In accordance with applicable Privacy Laws, Customer has the right, upon reasonable written notice to Five9, to take reasonable and appropriate steps to stop and remediate Five9’s unauthorized use of Personal Information.
8. DATA PROTECTION IMPACT ASSESSMENT
Upon Customer’s request, Five9 shall provide Customer with commercially reasonable cooperation needed to fulfill Customer’s obligation under applicable Privacy Laws to carry out a data protection impact assessment related to data processed pursuant to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is reasonably available to Five9.
9. AUDIT RIGHTS
At Customer’s written request, Five9 shall provide third party attestations demonstrating compliance with its obligations under the Privacy Laws with respect to Personal Information. To the extent such attestations do not adequately address Five9’s compliance with such Privacy Laws, Five9 shall permit and contribute to remote audits of information reasonably necessary to demonstrate Five9’s compliance with its obligations under such Privacy Laws. Customer shall make reasonable efforts to minimize disruption to Five9’s business during any such audit. Such audits shall be conducted during normal business hours and shall occur no more than once per year or in the confirmed event of non-compliance, and be limited to Personal Information. Customer shall provide Five9 written notice of any such audit at least sixty (60) days in advance with a finalized audit scope and evidence request list provided in writing no less than thirty (30) days in advance of such audit.
ANNEX 1: DETAILS OF THE PROCESSING
| Processing detail | Description |
| --- | --- |
| Subject matter and duration of processing | The subject matter and duration of the processing shall be according to the Agreement and this Addendum in connection with the Services or as required for compliance with applicable law. |
| Purpose of the processing | Customer Personal Data will be processed for the purpose of providing the Services on behalf of Customer as set forth in the Agreement. |
| Nature of the processing | Processing to enable Five9 to comply with its obligations and exercise its rights under the Agreement, or as required by applicable law, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| Categories of data subjects | The data subjects are Customer’s end users, employees, agents, contractors, suppliers, representatives, and other individuals whose personal data is processed via the Services. |
| Types of Personal Information processed | Customer contact information (which may include name, e-mail address, work extension number and log-in details); Personal Information contained in any content that is hosted or managed on behalf of the Customer (e.g., voice recordings, Customer’s customer database); and as set out in the Agreement and this Addendum, as evidenced in the communications between the Parties. |
| Types of sensitive data processed (if applicable) | Based on the applicable Services, Customer’s end users may disclose sensitive data that is not currently contemplated and may be incidentally contained in telephone call recordings or transcripts. |
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
1. INFORMATION SECURITY PROGRAM
Five9 has implemented and will maintain during the Term an information security program based on ISO/IEC 27001 standards that are applicable to Five9 as a service provider and designed to (i) implement secure methods for processing, transmitting and storing Customer Data, (ii) secure Customer Data against unauthorized access, acquisition, use, or disclosure, and (iii) minimize physical and logical security risks to the Five9 network, including through regular risk assessment and testing (collectively, the “Security Program”). Five9 designates one or more employees to coordinate and be accountable for the Security Program. Five9 conducts periodic reviews of the Security Program, which Five9 may update or modify as it deems necessary.
2. FIVE9 CERTIFICATION AND SECURITY STANDARDS
a. During the Term, Five9 will maintain an ISO/IEC 27001 certification and SOC 2 Type 2 report (“SOC 2 Report”).
b. Upon reasonable written request, Five9 will provide Customer such SOC 2 Report and any other of its currently available certifications. In addition, Five9 will provide its security assessment upon Customer’s reasonable written request.
c. As a certified Level 1 Payment Card Industry (PCI) Data Security Standard (DSS) Service Provider, Five9 engages an independent Qualified Security Assessor (QSA) to perform an annual assessment of Five9’s control environment covering all 12 PCI DSS requirements. Upon reasonable written request, Five9 will provide its current PCI attestation letter.
3. ACCESS CONTROLS TO SYSTEMS
Five9 has implemented and will maintain commercially reasonable measures designed to prevent unauthorized access to Five9’s network. These may include the following technical and organizational measures: anti-virus protection; stateful inspection firewalls; internal and external vulnerability scans; intrusion detection and prevention systems; least-privilege access to IT systems based on job role and segregation of duties; strong password procedures; no access for guest users or anonymous accounts; and two-factor authentication for privileged IT administrators.
a. Penetration Testing. Five9 will perform application penetration tests of its proprietary applications using relevant industry standard practices to detect vulnerabilities in the applications and to measure the effectiveness of the applications’ security controls. Vulnerabilities identified will be tracked and remediated in accordance with Five9’s internal policies to the extent such remediation is reasonably feasible and within Five9’s reasonable control.
b. Vulnerability Management. Five9 will implement and review no less than annually a comprehensive vulnerability management program for the regular identification, categorization, and timely remediation of technical and process vulnerabilities at the infrastructure and application layers of the application to the extent remediation is feasible and within Five9’s reasonable control.
c. Logging. Five9 has and will maintain a log management program based on NIST SP 800-92 and provides logging capabilities in accordance with the following: (i) the scope of logging and the retention policy utilize a risk-based approach; (ii) logs will be sufficient to permit forensic analysis of Personal Data Breaches; (iii) logs will record administrative changes to the Services; (iv) log records will be kept physically and virtually secured to prevent tampering; and (v) passwords will not be logged.
d. Firewalls. Five9 has and shall maintain intrusion prevention systems. At a minimum, such intrusion prevention systems will include firewalls, which will: (i) be configured to deny access, except for what is explicitly allowed; (ii) restrict publicly accessible systems and wireless access from any internal system that contains Customer Data; and (iii) block all protocols and services that are not required under the Agreement or for other general business purposes.
4. RESTRICTED ACCESS CONTROLS TO DATA
Five9 will take measures designed to prevent unauthorized access to Customer Data beyond permitted access rights. These measures may include:
a. least-privilege access rights based on job role and segregation of duties;
b. management approval required for new or modified access prior to provisioning or change;
c. access of terminated users promptly disabled upon notification from human resources;
d. quarterly logical and physical access review for workforce members with access to production;
e. quarterly administrator access revalidated by management;
f. physical access to the data centers restricted to appropriate individuals; and
g. two-factor authentication for privileged IT administrators.
5. CHANGE MANAGEMENT CONTROLS
Five9 will take measures designed to ensure all changes to production systems are logged, tested, and approved. These must include change request and approval required prior to implementation into production; critical application changes tested and approved prior to implementation into production; access to migrate changes into production restricted to appropriate individuals; and critical changes routinely reviewed to confirm appropriateness and authorization.
6. ACCESS CONTROLS TO PREMISES AND FACILITIES
Five9 will take measures designed to prevent unauthorized physical access to premises and facilities holding personal data, which include:
a. appropriate physical environmental safeguards;
b. on-site backup; and
c. appropriate controls designed to ensure that only authorized Five9 personnel are allowed physical access to such facilities which may include access control system; ID reader, chip card; issue of keys; door locking (electric door openers, etc.); video/CCTV monitor; and logging of facility exits/entries.
7. DATA RETENTION
Five9 will:
a. maintain Customer Data and store it in a location and format available for retrieval in accordance with Five9’s data retention policy as set forth at https://www.five9.com/legal/dataretention or successor URL;
b. have specific procedures in place governing access to copies of Customer Data in connection with a legal action or regulatory requirement to disclose; and
c. review and test data recovery procedures on a routine basis or when a material change occurs.
8. AVAILABILITY CONTROLS AND BUSINESS CONTINUITY
a. Five9 will take measures designed to ensure that data are protected against accidental destruction or loss. These include data backup procedures; uninterruptible power supply (UPS); 24x7 Network Operations Center (NOC) monitoring; critical jobs monitored for successful completion and error resolution; problem and incident management and response procedures; security incident management and response procedures; and root cause analysis required for problems and incidents affecting production.
b. Five9 has and will maintain an appropriate disaster recovery, business continuity and contingency plan and related policies and procedures (collectively, the “Business Continuity Plan”). The Business Continuity Plan will be reviewed by Five9 no less than annually and is designed to provide for continued operation in the event of a catastrophic event affecting Five9’s business operations.
c. Five9 will routinely test features of its Business Continuity Plan and will provide a summary report of the results of such tests to Customer upon written request.
9. MALICIOUS SOFTWARE
a. Five9 will install and maintain a relevant industry standard anti-malware software and, to the extent feasible, use real-time protection features designed to prevent the Services from being infected or affected by the presence of malicious code.
b. Five9 will promptly remove malicious code discovered in Five9’s applications or the Services.
c. Five9 will perform real-time scanning on files and other data uploaded into the Services to identify and eliminate any files or other data containing malicious code to the extent feasible.
d. Five9 will use commercially reasonable efforts to prevent the transmission or the introduction of any malicious code into its applications.
10. DISCLOSURE CONTROLS AND DATA ENCRYPTION
a. Five9 will take measures designed to prevent the unauthorized access, alteration, or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures include secure File Transfer Protocol (sFTP) for transport and communication of data, if ordered; and media sanitization and destruction procedures. Customer agrees to order encryption of voice in transit (sRTP or a VPN) if voice data traverses a public network to reach a Customer agent.
b. Five9 will implement and utilize encryption to protect Customer Data in transit, based on the NIST Special Publication 800-52 guidelines for TLS, and encryption to protect Customer Data at rest. Customer acknowledges and agrees that in the event of requiring voice data traversing a public network to reach a Customer agent as part of the Services, Customer shall promptly order Secure Real-time Transport Protocol (sRTP) or a Virtual Private Network (VPN) from Five9.
c. Five9 maintains and will maintain a formal process for managing and protecting encryption keys which follow relevant industry standards.
11. DATA PROCESSING CONTROLS
Five9 will take measures designed to ensure that data is processed strictly in compliance with Customer’s instructions. These must include unambiguous wording of contractual instructions; monitoring of contract performance; and monitoring of service level agreements.
12. SEGREGATION CONTROLS
Five9 will take measures designed to allow data collected for different purposes to be processed separately. These include restriction of access to data according to job role and segregation of duties; segregation of business IT systems; and segregation of IT testing and production environment.
13. MEDIA HANDLING
Five9 will ensure that relevant industry standard media handling procedures are implemented and maintained. Media will be encrypted, transported in a secure manner, and stored in a location that is physically secure. Devices must be purged, degaussed, or physically destroyed so that data cannot be reconstructed, following the disposition protocols defined in NIST SP 800-88 (Guidelines for Media Sanitization). Five9 shall ensure proper documentation or a certificate of destruction for the disposal of any hardware or media (such as, but not limited to, tape drives, thumb drives, diskettes, CDs, DVDs, laptop drives, workstation drives or server drives) that stores Customer Data.
14. HUMAN RESOURCES SECURITY
Five9 provides information security, regulatory compliance, and privacy training to all of its employees that handle Customer Data to support a common understanding of applicable data protection laws and regulations, as well as how to detect and report security issues. Such training shall:
a. include secure handling protocols when handling Customer Data;
b. be provided at the time of hire and annually thereafter; and
c. be documented with the names of the employees who completed the training and the dates the training was completed.
Furthermore, Five9 personnel with access to Customer Data will also be subject to confidentiality obligations.