Call Center Security & Privacy Management Software | Five9

SOC 2 Type 2 Attestation in Accordance with AICPA Standard AT 101

Five9 has completed a SOC 2 Type 2 audit in accordance with American Institute of Certified Public Accountants (AIPCA) Standard AT 101 and AICPA Trust Services Principles and Criteria for Security, and Availability. Our SOC 2 Type 2 attestation offers customers one of the highest forms of assurance available in the marketplace today. Our report covers the AICPA Security Principle in relation to the Five9 Intelligent Cloud Contact Center and provides an independent and objective opinion that Five9 has developed, implemented, operates, and maintains security controls that customers expect for data protection and regulatory compliance purposes.

Payment Card Industry Data Security Standard (PCI DSS)

Five9, as a Level 1 PCI DSS Service Provider, engages an Independent Qualified Security Auditor (QSA) to perform an annual assessment of Five9’s control environment covering all 12 PCI DSS requirements for the design, implementation, and continuous improvement of controls for safeguarding cardholder data and sensitive information. Five9 has received our annual Report on Compliance (ROC) and an associated Attestation of Compliance (AOC). Customers who order the security features required to comply with the PCI DSS standard including encryption of voice in transit (sRTP or VPN) and encryption of call recordings at rest (Encrypted Storage) are provided a PCI compliant environment for their Contact Center services.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation, better known as GDPR, is a European Union (EU) regulation focused on data protection and privacy for EU citizens which took effect May 25, 2018.

Five9 is evolving and improving our Virtual Contact Center service to offer features required for our customers to comply with the GDPR regulation. Areas of focus include: information security, breach management, content management, data visibility, individual data rights management, and records management.

Five9 is also requesting our customers, otherwise known as the data controllers, notify us of their EU processing activities so we can maintain an accurate report of processing activity as required by the GDPR.

Five9 is committed to providing services to our customers, which enable GDPR compliance.

International Organization for Standardization (ISO 27001)

The International Organization for Standardization (ISO) offers guidance through the ISO/IEC 27000 family of standards to help organizations establish, implement, and enhance their information security management systems (ISMS). ISO/IEC 27001 outlines ISMS requirements, best practices, and security controls for managing information risks. The standard provides a framework for comprehensive and continuous improvement of information security. The ISO/IEC 27001:2013 standard guides the development of an ISMS, allowing organizations to design, implement, and improve information security over time. It incorporates best practices from ISO/IEC 27002:2013. The standard covers security domains such as Information security incident management, Access control, Information systems, acquisition, development and maintenance, and more.

ISO/IEC 27001:2013 specifies security best practices and controls, requiring organizations to systematically evaluate risks, implement comprehensive security controls, and maintain an ongoing management process. Certifications are conducted by independent third-party auditors, demonstrating Five9’s commitment to information security and adherence to industry-leading best practices.

Health Insurance Portability and Accountability Act (HIPAA)

Five9 has many customers in the healthcare sector including providers, hospitals, insurance companies, and business process outsourcers. As a Business Associate, Five9 has designed and implemented appropriate administrative, physical, and technical safeguards for protected health information in transit and at rest in compliance with the Health Insurance Portability and Accountability Act (HIPAA). These safeguards include, but are not limited to:

• Least-privilege, minimum necessary access controls
• Two-factor authentication for highly privileged users
• Encryption of data in transit between customers and the Five9 Intelligent Cloud Contact Center (requires sRTP or VPN option)
• Encryption of data at rest for call recordings (requires encrypted storage option)
• Encryption of chat, email, and SMS transcripts at rest
• Rigorous change management processes
• Anti-virus and anti-malware defenses
• Intrusion detection and prevention systems
• Internal and external vulnerability scanning
• Periodic network penetration testing
• Secure code development lifecycle
• 24x7x365 Network Operations Center (NOC)
• SIEM monitoring by a 24x7x365 Security Operations Center (SOC)
• Problem and incident management processes
• Geographic redundancy for business continuity
• AICPA Service Organization Control (SOC2 Type2) attestation reports
• Ongoing information security and privacy training and awareness

Cloud Security Office: Trustworthy Cloud Computing

The Five9 Cloud Security Office is responsible for securing our infrastructure, applications, and operations against security breaches and unforeseen events—even natural disasters.

Five9 is a proud member of the Cloud Security Alliance (CSA). The CSA is a not-for-profit, vendor-neutral organization with a mission to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.

Customer Proprietary Network Information (CPNI)

Five9 complies with Federal Communications Commission (FCC) regulations for protecting the confidentiality of CPNI data including telephone numbers, times, dates, and duration of calls, as well as the types of services and products we provide you. We have designed and implemented security and privacy controls to protect CPNI from unauthorized access or improper use. Five9 does not sell CPNI to third parties, and we do not disclose CPNI without customer consent except as required by law.