Five9 Data Protection Agreement

    Data Protection Overview:

    For the purposes of these DPA Terms, the term "Data Protection Legislation" means all applicable European Union data protection laws and regulations including the General Data Protection Regulation (EU) 2016/679 and any laws or regulations implementing or made pursuant to such regulation (the "GDPR"). The terms "data controller", "data processor", "data subject", "personal data", "processing", and "appropriate technical and organizational measures" shall be interpreted in accordance with the GDPR. For the purposes of this Addendum, "sub-processor" shall include Five9.

    Each party shall comply with its obligations under applicable Data Protection Legislation and pursuant to the Standard Contractual Clauses in respect of any personal data processed or collected under the agreement(s) between Net2Phone and Customer. Net2Phone acknowledges that it serves in the capacity of the data processor on behalf of the Customer with respect to the processing of personal data only as necessary for the Customer to access and use the Five9 Services. Net2Phone further acknowledges that Five9 is a sub-processor with respect to Customer's personal data to the extent Customer's personal data is processed through the Five9 virtual call center, and that it has written authorization from Five9 to extend these DPA Terms to Customer on behalf of Five9 as a sub-processor where applicable. Customer acknowledges that Customer is a data controller with respect to the processing of Customer's personal data as provided in these DPA Terms.

    Processor and Sub-Processor Responsibilities:

    1. Processing Authorization. Customer authorizes and instructs Net2Phone and its subprocessors to process the personal data for the purpose of: (a) providing the Five9 Services and complying with the processing requirements set out in Exhibit C; (b) complying with Customer's rights and obligations in these DPA Terms; and/or (c) complying with any applicable Data Protection Legislation, or any order of any court, tribunal, regulator or government agency with competent jurisdiction to which it is subject under these DPA Terms, provided that Net2Phone and its subprocessor will (to the extent permitted by law) inform the Customer in advance of making any disclosure of the personal data and will reasonably cooperate with the Customer to limit the scope of any disclosure to that which is legally necessary. Customer acknowledges that Five9, in its role as a subprocessor under these DPA Terms, has a right to process personal data in order to provide the Five9 Services to Customer, fulfill its obligations under any applicable agreement, and for legitimate purposes relating to the operation, support and/or use of the Five9 Services such as billing, account management, technical maintenance and support, product development, and sales and marketing where applicable, subject to such processing by Five9 being undertaken in accordance with the provisions of these DPA Terms.

    2. Data Transfer. Customer authorizes the transfer of the personal data to Net2Phone and sub-processors that are located outside the EEA where such transfer is required under or in connection with the provision of the Five9 Services and/or is necessary in the normal course of business, provided that the Customer and, as required, Net2Phone, shall enter into European Commission approved controller-to-processor Standard Contractual Clauses (the "SCCs") as provided at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. For onward transfers from Net2Phone's subprocessor to its relevant subprocessors, Customer consents to such onward transfers provided that Net2Phone will require terms no less restrictive on such subprocessors than those provided in these DPA Terms.

    3. Confidentiality. Net2Phone shall ensure that only persons who are contractually bound to respect the confidentiality of Customer's personal data or are under a statutory obligation of confidentiality will have access to the

    4. Technical Safeguards. Net2Phone agrees that Five9 has implemented appropriate technical and organizational measures as provided in Exhibit D to ensure a level of security appropriate to the risk in respect of the processing of the personal data by Five9, taking into account any applicable industry standards, the costs of implementation, the nature, scope, context and purposes of the processing, and any risks for the rights and freedoms of data

    5. Sub-processors. Customer authorizes Net2Phone and its subprocessors to appoint and use telecommunications carriers and other sub-processors to process the personal data where doing so is necessary for the provision of the Five9 Services, subject to Net2Phone (or its subprocessor, as appropriate) putting in place appropriate protections with such telecommunications carriers and other sub-processors.

    6. Notice and Authentication. The Customer acknowledges that Five9 uses sub-processors in relation to the services it provides. Five9 shall provide the Customer with the current listing of sub-processors used by Five9 by posting the Subprocessor Listing on Five9's System Status site located at https://systemstatus.five9.com/status. This site requires authentication. The Customer may only object to changes made to the Five9 Subprocessor Listing on reasonable and substantive grounds and within fourteen (14) days of being notified of the addition or replacement. In the event that Customer objects on reasonable grounds relating to processing of Customer Data, the parties will discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Five9 will, at its sole discretion, either not appoint such sub-processor, or the Customer shall have the right to suspend or terminate the Five9 Services in accordance with the termination provisions in its agreement with

    7. Data Requests. To the extent the Customer does not itself hold, or otherwise have access to, the personal data but Net2Phone through its subprocessors is able to reasonably access such personal data, Net2Phone and its subprocessors shall use reasonable efforts to assist the Customer to fulfill the Customer's obligation to respond to requests from data subjects to exercise their rights under Data Protection Legislation (including without limitation their right of access, correction, rectification and restriction), and to respond to any other requests and/or notifications from third parties (including without limitation from regulatory or supervisory authorities).

    8. Notifications. Unless prohibited by applicable law, Net2Phone shall, as soon as reasonably practicable, forward to the Customer all requests and/or notifications received from any person in respect of the personal data and shall follow the Customer's reasonable and lawful instructions in respect of the handling of such requests and/or notifications. Net2Phone shall not respond to any request or notification unless instructed to do so in writing by the Customer or otherwise required to do so by applicable law. Net2Phone and its subprocessors reserve the right to charge the Customer for any reasonable costs and expenses incurred in providing assistance under this paragraph if such costs and expenses exceed a nominal amount.

    9. Data Breach. Where a personal data breach is caused by Net2Phone's or its sub-processor's failure to comply with its obligations under these DPA Terms, Net2Phone, either directly or through its subprocessor, shall notify the Customer without undue delay after becoming aware of the personal data breach. Net2Phone shall, and shall ensure that its sub-processors shall, reasonably cooperate and assist the Customer with any investigation into, and/or remediation of, a personal data breach.

    10. Return and Destruction of Data. The parties agree that return/deletion of personal data and audit provisions shall be governed by clause 12 of the

    11. Anonymous Data. To the extent that Five9 is appointed as a sub-processor, the Customer permits Five9 to use aggregated and anonymous Customer Data for internal business purposes, solely to test, analyze and improve the Five9 Service both during and after the term of the Five9 Services. Five9 will not resell or share any Customer Data with a third party without the Customer's express written

    12. Data Retention. To the extent that Five9 is appointed as a sub-processor, and to maximize system performance, Five9 retains the right to periodically purge Customer Data from Five9 servers, and the Customer acknowledges and permits Five9 to do so. Data retention practices are set forth at https://www.five9.com/dataretention (as may be amended by Five9 from time to time).

    13. Professional Cooperation. Net2Phone shall reasonably cooperate with and assist the Customer (to the extent applicable in relation to any processing of the personal data and within the scope of the agreed services) with any data protection impact assessment which the Customer is required (by applicable Data Protection Legislation) to carry out in relation to the processing of personal data to be undertaken by Net2Phone. To the extent such cooperation and assistance involves a cost to Net2Phone that is more than nominal, Net2Phone and its subprocessor(s) reserve the right to charge the Customer a reasonable fee for the provision of such cooperation and

    Customer Responsibilities:

    1. Data Controller. Customer acknowledges and agrees that it serves in the capacity of a Data Controller with respect to the controlling, inputting and administration of Customer Data as necessary for the operation of the Five9 Services, which includes but is not limited to call data records, other traffic data, and any personal data. For the purposes of this Addendum, "Controlling" means taking responsibility for, and instructing the processor of, the purpose and means by which the Data will be processed and what personal data or sensitive information is necessary for fulfilling that purpose. Customer also agrees to take all necessary steps to inform its personnel, and any other person acting under its supervision, of the responsibilities under any Data Protection Legislation attributable to being a Data Controller or the requirements of Data Controlling

    2. Instructions. The Customer shall ensure its instructions to Net2Phone and to Five9, to the extent Five9 is a sub-processor, comply with applicable Data Protection Legislation, and Net2Phone and Five9 shall not be responsible for determining if the instructions are lawfully compliant. However, if Net2Phone or Five9 is of the opinion that an instruction infringes Data Protection Legislation, that party shall notify the Customer as soon as reasonably practicable, and Net2Phone and Five9 shall not be required to comply with such infringing instruction unless and until the matter has been resolved by agreement of the parties or a competent authority determines that instruction to be

    3. Authorized Use. Customer acknowledges and agrees that, in its use of the Five9 Services, it shall use the features provided by Five9 as required to comply with all applicable Data Protection Legislation. In accordance with the foregoing, Customer shall be responsible for: (a) all authorized and unauthorized access, activities, and charges associated with Customer's, its Affiliates' and its clients' account and/or password(s) with the Five9 domain, to the extent that such access, activities and charges are attributable to Customer's subscription to the Five9 Services; and (b) obtaining and maintaining the Internet connectivity necessary to utilize the Five9

    4. Consent. Customer shall ensure that it has provided notice and obtained all necessary consents under Data Protection Legislation for Net2Phone and its subprocessors to lawfully process Customer Data under the agreement(s) between Net2Phone and Customer, and agrees to provide full cooperation and assistance to Net2Phone and its subprocessors in ensuring that the rights under Data Protection Legislation of the individuals to whom the Customer Data input into the Five9 Services relates are appropriately

    5. Prohibited Use. For the duration of the term of the agreement(s) between Net2Phone and Customer, Customer, its affiliates and agents agree that they will not use Five9's Virtual Contact Center ("VCC") for any purpose except for call center purposes, will not store or process in Five9's VCC database any personal information or sensitive information (as defined under Data Protection Legislation) other than telephone numbers, and will not use the VCC to store or process designated record sets or to serve as a database of record.

    6. Security. Customer, its affiliates and agents agree that they will at all times configure VCC technical security measures, which include password requirements, in a manner consistent with industry best practices; administer authentication and authorization based on industry best practice and principles, including least privilege and individual accountability for all users; and use only secure protocols as offered by Five9, including encryption of data in transit (e.g. SRTP, VPN, and SFTP) and encryption of call recordings at rest (e.g. Encrypted Storage).

    Applicable Law:

    These DPA Terms will be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of laws principles, with venue in London, England.

    EXHIBIT C

    Data subjects

    The personal data transferred concern the following categories of data subjects:

    • Customers of the Data
    • Employees of the Data
    • Any other data subject whose data is processed as part of the Service, being: (1) someone who is a party to a communication; or (2) someone whose personal data are included in content hosted or transferred on behalf of the Data

    Purposes of the transfer(s)

    The transfer is made for the following purposes:

    • Processing: The Data Importer provides cloud contact centre services (including but not limited to automatic call distribution, automated voice recordings and computer telephony integration technology) to the Data
    • Remote access: Data is transferred to the Data Importer because, as a global carrier and service provider, the Data Importer's technical expertise is located in the US, the Russian Federation and the Philippines.

    Categories of data

    The personal data transferred concern the following categories of data:

    • Contact information (incl. [name], [e-mail address], [work extension number] and [log-in details]) of employees of the Data
    • Personal data contained in any content that is hosted or managed on behalf of the Data Exporter (e.g. voice recordings, Data Exporter's customer database).

    Special categories of data (if appropriate)

    The personal data transferred may concern the following categories of sensitive data:

    • N/A

    Recipients

    The personal data transferred may be disclosed only to the following recipients or categories of recipients:

    • Employees of the Data
    • Affiliates and subcontractors of the Data Importer [, including telecommunication carriers].
    • Third-party service providers acting for the Data
    • The Data Exporter whose staff are the subject of transferred
    • Customers of the Data Exporter, whose employees and customers are the subject of transferred data.
    • Regulators of the

    EXHIBIT D

    Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c) of the Standard Contractual Clauses

    1. Access control to premises and facilities

    Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:

    • Access control system.
    • ID reader, chip
    • Issue of
    • Door locking (electric door openers, ).
    • Video/CCTV monitoring.
    • Logging of facility exits/entries.

    2. Access controls to systems

    Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

    • Anti-virus protection.
    • Stateful inspection
    • Internal and external vulnerability scans.
    • Intrusion detection and prevention
    • Least-privilege access to IT systems based on job role and segregation of
    • Password procedures (incl. special characters, minimum length, periodic changes).
    • No access for guest users or anonymous
    • Two-factor authentication for privileged IT administrators who access

    3. Access controls to data

    Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include:

    • Least-privilege access rights based on job role and segregation of
    • Management approval required for new or modified access prior to provisioning or
    • Terminated user access disabled within 72 hours of notification from human
    • Monthly logical and physical access review for workforce members with access to
    • Quarterly administrator access revalidated by
    • Physical access to the data centres restricted to appropriate
    • Two-factor authentication for privileged IT administrators who access

    4. Disclosure controls

    Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

    • Encryption using a VPN for remote
    • Secure File Transfer Protocol (SFTP) for transport and communication of
    • Prohibition of portable
    • Media sanitization and destruction

    5. Change management controls

    Measures must be put in place to ensure all changes to production systems are logged, tested and approved. Measures must include:

    • Change request and approval required prior to implementation into
    • Critical application changes tested and approved prior to implementation into
    • Access to migrate changes into production restricted to appropriate
    • Critical changes reviewed on a monthly basis to confirm appropriateness and

    6. Data processing controls

    Measures must be put in place to ensure that data is processed strictly in compliance with the Data Exporter's instructions. These measures must include:

    • Unambiguous wording of contractual
    • Monitoring of contract performance.
    • Monitoring of service level

    7. Availability controls

    Measures must be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:

    • Data backup
    • Uninterruptible power supply (UPS).
    • Business continuity
    • 24x7 Network Operations Centre (NOC)
    • Critical jobs monitored for successful completion and error
    • Problem and incident management and response
    • Security incident management and response
    • Root cause analysis required for problems and incidents affecting

    8. Segregation controls

    Measures must be put in place to allow data collected for different purposes to be processed separately. These must include:

    • Restriction of access to data according to job role and segregation of
    • Segregation of business IT
    • Segregation of IT testing and production environment