Five9 DPA Flowthrough
Please note: This document only applies to customers with the Five9 Inc product and does not apply to other contact centre products and solutions from Babble.
DATA PROTECTION AGREEMENT TERMS
Data Protection Overview:
This document (“Addendum”) supplements and amends the Required Terms (dated October 2018) applicable to the use of the Services provided by Five9, Inc. (“Five9”) and sold by Babble. Defined terms used in this Addendum shall have the same meaning as in the Required Terms, unless otherwise stated.
To the extent that this Addendum conflicts with Babble’s standard terms and conditions, or any other terms agreed by Babble and the Customer, this Addendum shall take precedence in connection with the Five9 Services only but shall not apply to any other goods and/or services provided by Babble.
For the purposes of this Addendum, the term “Data Protection Legislation” means all applicable UK and/or European Union data protection laws and regulations including the General Data Protection Regulation (EU) 2016/679 and any laws or regulations implementing or made pursuant to such regulation (the “GDPR“) and the Data Protection Act 2018. The terms “data controller“, “data processor” “data subject“, “personal data“, “processing“, and “appropriate technical and organizational measures” shall be interpreted in accordance with the GDPR. For the purposes of this Addendum, “sub-processor” shall refer to Five9.
Each party shall comply with its obligations under applicable Data Protection Legislation and pursuant to the Standard Contractual Clauses in respect of any personal data processed or collected in connection with the Services. Babble acknowledges that it serves in the capacity of the Data Processor on behalf of the Customer with respect to the processing of personal data as necessary for the Customer to access and use the Services. Babble and the Customer acknowledge and agree that Five9 acts as a subprocessor for and on behalf of Babble to the extent Customer Data is processed through the Five9 virtual call center Services and that Babble has written authorization from Five9 to extend the DPA Terms to Customer on behalf of Five9 as a subprocessor where applicable. Customer acknowledges that Customer is a data controller with respect to the processing of Customer Data as provided in this Addendum.
Processor and Sub-Processor Responsibilities:
1. Processing Authorization. Customer authorizes and instructs Babble and Five9 to process the personal data only upon the documented instructions of the Customer pursuant to this Addendum for the purpose of: (a) providing the Services and for complying with the processing requirements set out in Exhibit C; (b) complying with Customer’s rights and obligations in this Addendum; and/or (c) complying with any applicable Data Protection Legislation, or any order of any court, tribunal, regulator or government agency with competent jurisdiction to which it is subject to under this Addendum provided that Babble and its subprocessor will (to the extent permitted by law) inform the Customer in advance either directly or through a reseller of making any disclosure of the personal data and will reasonably cooperate with the Customer to limit the scope of any disclosure to that which is legally necessary. Customer acknowledges that Five9 in its role as a subprocessor under this Addendum has a right to process personal data in order to provide the Services to Customer, fulfill its obligations under any applicable agreement, and for legitimate purposes relating to the operation, support and/or use of the Five9 services such as billing, account management, technical maintenance and support, product development, and sales and marketing where applicable.
2. Data Transfer. Customer authorizes the transfer of EEA personal data to Babble in the UK and the transfer of EEA/UK personal data to Five9 outside the EEA/UK where such transfer is required under or in connection with the provision of the Services, provided that, to the extent that no decision of ‘adequacy’ is made in relation to the country of destination and no other valid legal mechanism exists for such transfer, Babble and Five9 agree that the European Commission approved controller-to-processor Standard Contractual Clauses (the “SCCs” as provided at the URL: https://ec.europa.eu/info/law/law-topic/data- protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) shall apply to such transfer and both Babble and Five9 agree to comply with the same. The information required pursuant to the Appendices of the SCCs shall be as set out in the Exhibits to this Addendum. For any onward transfers from Five9 to its relevant subprocessors, Customer consents to such onward transfers provided that Five9 will require terms no less restrictive to such subprocessors than as provided in this Addendum.
3. Confidentiality. With regard to the Five9 Services, Five9 shall ensure that only persons who are contractually bound to respect the confidentiality of Customer’s personal data or are under a statutory obligation of confidentiality will have access to the same.
4. Technical Safeguards. Customer agrees that Five9 has implemented appropriate technical and organizational measures as provided in Exhibit D to ensure a level of security appropriate to the risk, in respect of the processing of the personal data by Five9 taking into account any applicable industry standards, the costs of implementation, the nature, scope, context and purposes of the processing, and any risks for the rights and freedoms of data subjects.
5. Sub-processors. Customer authorizes Five9 to appoint and use telecommunications carriers and other sub-processors to process the personal data where doing so is necessary for the provision of the Services, subject to Five9 putting in place a written contract with each sub-processor that imposes obligations that are: (a) relevant to the services to be provided by the relevant sub-processors; and (b) materially equivalent to the obligations imposed under this Addendum.
6. Notice and Authentication. Five9 shall provide the Customer with the current listing of sub-processors by posting the Subprocessor Listing on Five9’s System Status site located at https://systemstatus.five9.com/status. This site requires authentication. The Customer may only object to such changes on reasonable and substantive grounds and within fourteen (14) days of being notified of the addition or replacement. In the event that Customer objects on reasonable grounds relating to processing of Customer Data, then the parties will discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Five9 will, at its sole discretion, either not appoint such sub- processor, or permit Customer to suspend or terminate the Services in accordance with the termination provisions of its agreement with Babble.
7. Data Requests. To the extent the Customer does not itself hold, or otherwise have access to the personal data but Five9 is able to reasonably access such personal data, Five9 shall use reasonable efforts to assist the Customer to fulfill the Customer’s obligation to respond to requests from data subjects to exercise their rights under Data Protection Legislation (including without limitation, their right of access, correction, rectification and restriction); and respond to any other requests and/or notifications from third parties (including without limitation from regulatory or supervisory authorities).
8. Notifications. Unless prohibited by applicable law, Five9 shall, as soon as reasonably practicable, forward to Babble all requests and/or notifications received from any person in respect of the personal data and Babble shall forward the same to the Customer. The parties shall follow the Customer’s reasonable and lawful instructions in respect of the handling of such requests and/or notifications. Neither Babble nor Five9 shall respond to any request or notification unless instructed to do so in writing by the Customer or otherwise required to do so by applicable law.
Babble and Five9 reserve the right to charge the Customer for any reasonable costs and expenses incurred in providing assistance under this paragraph if such costs and expenses exceed a nominal amount.
9. Data Breach. Where a personal data breach is caused by Five9’s failure to comply with its obligations under this Addendum, Babble, either directly or through its subprocessor shall notify the Customer without undue delay, after becoming aware of the personal data breach. Five9 shall reasonably cooperate and assist the Customer with any investigation into, and/or remediation of, a personal data breach. Except where a personal data breach is caused by Five9’s failure to comply with its obligations under this Addendum, the Customer shall pay all reasonable costs and expenses (including without limitation any charges for the time engaged by external counsel and professional advisers) incurred by Five9 in complying with this paragraph.
10. Return and Destruction of Data. The parties agree that return/deletion of personal data and audit provisions shall be governed by clause 12 of the SCCs.
11. Anonymous Data. The Customer permits Five9 to use aggregated and anonymous Customer Data for internal business purposes, solely to test, analyze and improve the Service both during and after the Term. Five9 will not resell or share any Customer Data with a third party without the Customer’s express written authorization.
12. Data Retention. To maximize system performance, Five9 retains the right to and the Customer acknowledges and permits Five9 to periodically purge Customer Data from Five9 servers. Data retention practices are set forth at https://www.five9.com/dataretention (as may be amended by Five9 from time to time).
13. Professional Cooperation. Babble shall, with Five9’s assistance where applicable, reasonably cooperate with and assist the Customer (to the extent applicable in relation to any processing of the personal data and within the scope of the agreed services), with any data protection impact assessment which the Customer is required (by applicable Data Protection Legislation) to carry out in relation to the processing of personal data to be undertaken by Babble and/or Five9. To the extent such cooperation and assistance involves a cost that is more than nominal, Babble and Five9 reserve the right to charge the Customer a reasonable fee for the provision of such cooperation and assistance.
1. Data Controller. Customer acknowledges and agrees that it serves in the capacity of a Data Controller with respect to the controlling, inputting and administration of Customer Data as necessary for the operation of the Services which includes but is not limited to call data records, other traffic data, and any personal data. For the purposes of this Addendum, “Controlling” means taking responsibility for and instructing the processor of the purpose and means by which the Data will be processed and what personal data or sensitive information is necessary for filling that purpose. Customer also agrees to take all necessary steps to inform its personnel, and any other person acting under its supervision, of the responsibilities of any Data Protection Legislation attributable to being a Data Controller or the requirements of Data Controlling
2. Instructions. The Customer shall ensure its instructions to Babble and Five9 comply with applicable Data Protection Legislation and neither Babble nor Five9 shall be responsible for determining if the instructions are lawfully compliant. However, if Babble or Five9 is of the opinion that an instruction infringes Data Protection Legislation, either party shall notify the Customer as soon as reasonably practicable and neither party shall be required to comply with such infringing instruction unless and until the matter has been resolved by agreement of the parties or a competent authority determines that instruction to be lawful.
3. Authorized Use. Customer acknowledges and agrees that, in its use of the Five9 services, it shall use the features provided by Five9 and as required to comply with all applicable Data Protection Legislation. In accordance with the foregoing, Customer shall be responsible for: (a) all authorized and unauthorized access, activities, and charges associated with Customer’s, its Affiliates’ and Clients’ account and/or password(s) with the Five9 domain to the extent that such access, activities and charges are attributable to Customer’s subscription to the Five9 Services; and (b) obtaining and maintaining the Internet connectivity necessary to utilize the Five9 Services.
4. Consent. Customer shall ensure that it has provided notice and obtained all necessary consents under Data Protection Legislation for Babble and Five9 to lawfully process Customer Data for the Services and as described herein, and Customer agrees to provide full cooperation and assistance to Babble and its subprocessors in ensuring that the rights under Data Protection Legislation of the individuals of whom Customer Personal Data are input into the Services relates are appropriately addressed.
5. Prohibited Use. For the duration of the term of the Services, Customer, its affiliates and agents agree that they will not use Five9’s Virtual Contact Center (“VCC”) for any purpose except for call center purposes, will not store or process any personal information or sensitive information pursuant to Data Protection Legislation other than telephone numbers in Five9’s VCC database, or use the VCC to store or process designated record sets or serve as a database of record.
6. Security. Customer, its affiliates and agents agree that they will at all times configure VCC technical security measures which include password requirements in a manner consistent with industry best practices; administer authentication and authorization based on industry best practice and principles including least privilege and individual accountability for all users; and use of only secure protocols as offered by Five9 including encryption of data in transit (e.g. sRTP, VPN, and sFTP) and encryption of call recordings at rest (e.g. Encrypted Storage).
This Addendum will be governed by and construed in accordance with the laws of England and Wales without regard to conflict of laws principles with venue in London, England. EXHIBIT C
DESCRIPTION OF TRANSFER
The personal data transferred to Five9 in connection with the Services concern the following categories of data subjects:
– Customers of the Data Exporter.
– Employees of the Data Exporter.
– Any other data subject whose data is processed as part of the Service being: (1) someone who is a party to a communication; or (2) someone whose personal data are included in content hosted or transferred on behalf of the Data Exporter.
Purposes of the transfer(s)
The transfer is made for the following purposes:
– Processing: The Data Importer provides cloud contact centre services (including but not limited to automatic call distribution, automated voice recordings and computer integration telephony technology) to the Data Exporter.
– Remote access: Data is transferred to the Data Importer because as a global carrier and service provider, technical expertise of the Data Importer is located in the US, Russian Federation and the Philippines.
Categories of data
The personal data transferred concern the following categories of data:
– Contact information (incl. [name], [e-mail address], [work extension number] and [log-in details]) of employees of the Data Exporter.
– Personal data contained in any content that is hosted or managed on behalf of the Data Exporter (e.g. voice recordings, Data Exporter’s customer database).
Special categories of data (if appropriate)
The personal data transferred may concern the following categories of sensitive data:
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
– Employees of the Data Importer.
– Affiliates and subcontractors of the Data Importer [, including telecommunication carriers].
– Third-party service providers acting for the Data Importer.
– The Data Exporter whose staff are the subject of transferred data.
– Customers of the Data Exporter, whose employees and customers are the subject of transferred data.
– Regulators of the above.
EXHIBIT D SECURITY MEASURES
Description of the technical and organisational security measures implemented by the Data Importer (Five9) in accordance with Clauses 4(d) and 5(c) of the Standard Contractual Clauses
1. Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:
– Access control system.
– ID reader, chip card.
– Issue of keys.
– Door locking (electric door openers, etc.).
– Video/CCTV monitor.
– Logging of facility exits/entries.
2. Access controls to systems
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
– Anti-virus protection.
– Stateful inspection firewalls.
– Internal and external vulnerability scans.
– Intrusion detection and prevention systems.
– Least-privilege access to IT systems based on job role and segregation of duties.
– Password procedures (incl. special characters, minimum length, periodic changes).
– No access for guest users or anonymous accounts.
– Two-factor authentication for privileged IT administrators who access production.
3. Access controls to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include:
– Least-privilege access rights based on job role and segregation of duties.
– Management approval required for new or modified access prior to provisioning or change.
– Terminated user access disabled within 72 hours of notification from human resources.
– Monthly logical and physical access review for workforce members with access to production.
– Quarterly administrator access revalidated by management.
– Physical access to the data centres restricted to appropriate individuals.
– Two-factor authentication for privileged IT administrators who access production.
4. Disclosure controls
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
– Encryption using a VPN for remote access.
– Secure File Transfer Protocol (SFTP) for transport and communication of data.
– Prohibition of portable media.
– Media sanitization and destruction procedures.
5. Change management controls
Measures must be put in place to ensure all changes to production systems are logged, tested and approved. Measures must include:
– Change request and approval required prior to implementation into production.
– Critical application changes tested and approved prior to implementation into production.
– Access to migrate changes into production restricted to appropriate individuals.
– Critical changes reviewed monthly basis to confirm appropriateness and authorization.
6. Data processing controls
Measures must be put in place to ensure that data is processed strictly in compliance with the Data Exporter’s instructions. These measures must include:
– Unambiguous wording of contractual instructions.
– Monitoring of contract performance.
– Monitoring of service level agreements.
7. Availability controls
Measures must be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:
– Data backup procedures.
– Uninterruptible power supply (UPS).
– Business continuity procedures.
– 24×7 Network Operations Centre (NOC) monitoring.
– Critical jobs monitored for successful completion and error resolution.
– Problem and incident management and response procedures.
– Security incident management and response procedures.
– Root cause analysis required for problems and incidents affecting production.
8. Segregation controls
Measures must be put in place to allow data collected for different purposes to be processed separately. These must include:
– Restriction of access to data according to job role and segregation of duties.
– Segregation of business IT systems.
– Segregation of IT testing and production environment