// Trust & Security Report
Five9, Inc.
Cloud Contact Center as a Service (CCaaS)
Certifications held
13
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trustcenter.five9.com“Five9 SOC 2 Type 2 Report [available in Trust Center]; annual SOC 2 Type 2 attestation performed under AICPA standard AT 101”
Verify on trustcenter.five9.com“ISO/IEC 27001:2022 certification with associated documents available; third-party certified with renewal audits every three years and annual surveillance audits”
Verify on trustcenter.five9.com“ISO/IEC 27017:2015 listed as a held certification in the Five9 Trust Center”
Verify on five9.com“Five9, as a Level 1 PCI DSS Service Provider, engages an Independent Qualified Security Auditor (QSA) to perform an annual assessment of Five9's control environment covering all 12 PCI DSS requirements.”
Verify on trustcenter.five9.com“Five9 2025 HIPAA Type 1 Attestation [available in Trust Center]; as a Business Associate, Five9 has designed and implemented appropriate administrative, physical, and technical safeguards for protected health information in transit and at rest in compliance with HIPAA.”
Verify on trustcenter.five9.com“HITECH listed as a held certification in the Five9 Trust Center”
Verify on trustcenter.five9.com“GDPR listed among compliance certifications in the Trust Center; Global DPA includes 2021 Standard Contractual Clauses (Module Two: controller-to-processor) for EEA transfers, UK Addendum for UK transfers.”
Verify on trustcenter.five9.com“CCPA and CPRA listed as compliance certifications in the Five9 Trust Center; Five9 publishes CCPA Readiness documentation at five9.com/legal/ccpa”
Verify on trustcenter.five9.com“Cyber Essentials listed as a held certification in the Five9 Trust Center”
Verify on trustcenter.five9.com“CSA STAR listed as a held certification in the Five9 Trust Center; Five9 is a Cloud Security Alliance member organization”
Verify on trustcenter.five9.com“TX-RAMP Level 2 listed as a held certification in the Five9 Trust Center”
Verify on trustcenter.five9.com“CPNI (Customer Proprietary Network Information) listed as a compliance certification in the Five9 Trust Center”
Verify on trustcenter.five9.com“EcoVadis OCT 2025 - Committed: listed as a sustainability and governance commitment in the Five9 Trust Center”
> Show 1 unconfirmed / not-held certifications
source: five9.comFive9 is a GovRAMP member organization with plans for additional certifications; FedRAMP authorization not mentioned on the trust center or security pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US primary headquarters. EU/UK transfers handled via 2021 Standard Contractual Clauses (controller-to-processor Module 2) and UK Addendum. Sub-processor list maintained at login.five9.com. Global DPA does not specify geographic region-lock options; customers receive 30-day notice of new sub-processors handling EEA/UK data.
Five9's Global Data Processing Addendum (Section 4.4) explicitly prohibits Five9 from retaining, using, or disclosing Personal Information 'outside of Customer's instructions...or for any commercial purpose not specified in the Agreement.' The public Privacy Policy states it does not cover Customer Personal Information; that is governed by the customer agreement. No public statement explicitly says 'we do not train on your data' but the DPA contractual restriction is the operative protection. The trust center lists AI governance resources including 'AI Training Data and Bias' and 'AI Governance' sections. Custom redaction policies are available via AI Trust and Governance tooling.
// Security controls
Penetration Testing
Annual third-party penetration testing confirmed; Five9 deploys stateful inspection firewalls, DMZs, intrusion prevention and detection systems (IPS/IDS), two-factor authentication, VPN, and vulnerability scanning.
five9.comVulnerability Disclosure Program (VDP)
Managed via Bugcrowd (support@bugcrowd.com). Disclosure-only program: 'Please be aware that this program has no monetary awards.' Prior written approval required for authorized testing at cybersecurity@five9.com. Safe harbor provided under CFAA and DMCA.
five9.comSLA and Uptime
Five9 VCC Platform SLA = 99.999%. Actual average monthly availability last 12 months: 99.997%. 24x7x365 Network Operations Center and Security Operations Center.
five9.comEncryption
Encryption in transit via HTTPS, sFTP, sRTP, VPN. Encryption at rest for recordings and transcripts. Data partitioning in multi-tenant infrastructure.
five9.comData Centers
AICPA AT 101/SSAE 18 audited data centers. Two-factor building access, 24/7 on-site security, real-time intrusion detection/prevention.
five9.comAccess Controls
Role-based access, principle of least privilege, audit logs, data integrity controls, NIST SP 800-53 rev5 password standards, PCI DSS login-attempt controls.
five9.comBi-Annual Trust Reviews
Enterprise customers get bi-annual meetings with top technology executives covering infrastructure changes, system upgrades, and platform enhancements.
five9.comAI Security (AI Trust and Governance)
Dedicated AI Trust and Governance product: granular guardrails, LLM observability, hallucination monitoring, prompt injection detection, custom redaction policies.
five9.com// Products & data scope
data: Full contact center data including customer calls, recordings, transcripts, PII, and call metadata. HIPAA and PCI DSS scope depending on industry use.
ACD, IVR, skills-based routing, omnichannel (voice, chat, email, SMS, social). Subject to full HIPAA/PCI scope.
data: Customer PII, dialing lists, campaign data, call recordings. PCI DSS in scope for payment campaigns.
Predictive, progressive, and preview dialing. STIR/SHAKEN compliance for US outbound calls.
data: Combined inbound and outbound scope. Same HIPAA/PCI DSS considerations.
Unified inbound and outbound queue management.
data: Agent recordings, screen captures, performance data, QM evaluations. Recording data protection features available.
Quality Management, Workforce Management, coaching, scheduling. Dedicated WEM Recording Data Protection data sheet published.
data: Real-time conversation data processed by AI models; customer and agent utterances may be processed by third-party LLMs. Custom redaction policies available.
Includes Agent Assist, IVA, GenAI Studio, and autonomous Voice AI Agents. AI Trust and Governance module provides guardrails, hallucination monitoring, and prompt injection detection. Check DPA and model provider sub-processors for LLM data flows.
data: Monitoring layer over AI interactions; performance metrics, threat detection logs.
Granular guardrail configuration, LLM observability dashboards, prompt injection detection. Separate product add-on.
// What to watch
- VDP via Bugcrowd is disclosure-only with no monetary rewards; limited financial incentive for external researchers.
- AI training policy is contractually restricted in the DPA (Section 4.4) but not stated as a plain-language public commitment; enterprise buyers should request explicit AI data-use addendum.
- Data residency: no published option for region-locked or single-tenant deployment; EU/UK transfers rely on SCCs.
- FedRAMP authorization not held; GovRAMP membership only. US federal agency deployments require independent verification.
- 50-seat minimum makes Five9 unsuitable for SMBs; enterprise-only positioning.
- HIPAA compliance is Type 1 Attestation (design assessment), not Type 2 (operating effectiveness over time). Buyers should verify BAA availability.
// At a glance
Pricing model
Per-seat subscription (monthly). Entry plans from ~$119/seat/month (Digital) and ~$159/seat/month (Core). Plus/Pro/Enterprise tiers require custom quote (typically $200-$300+/seat/month). 50-seat minimum for all plans. Annual contracts standard.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Five9, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.five9.com