Five9 Letter of Assu

COMMENT submitted by U.S. Department of Justice

Five9, Inc. Letter of Assurances

2015-06-09

This document pretains to ITC-214-20130119-00017 for International Global Resale Authority on a International Telecommunications filing.

IBFS_ITC2142013011900017_1091374

 Software




                                                                       June 8, 2015


Mr. John Carlin
Assistant Attorney General
National Security Division
US Department of Justice
950 Pennsylvania Avenue, NW
Washington, DC 20530
ttelecom@usdoj.gov

Re: Pending application by Five9, Inc. for authorization under Section 214 of the Communications
Act of 1934, as amended (FCC ITC—214—20130119—00017).

Dear Mr. Carlin:

This Letter of Assurances ("LOA") outlines the commitments made by Five9, Inc. ("Five9") to the
U.S. Department of Justice ("DOJ") in order to address national security, law enforcement, and
public safety potentially relevant to the Five9 application to the Federal Communications
Commission ("FCC") requesting authority to provide global or limited global resale services (47
C.F.R. §§ 63.18(e)(2) to all international points under Section 214 of the Communications Act of
1934, as amended.

Upon grant of the license, Five9 undertakes to comply with the following commitments to DOJ:

Five9 agrees that it is covered by and will comply with all applicable lawful interception statutes,
regulations, and requirements, including the Communications Assistance for Law Enforcement
Act (CALEA) and its implementing regulations, and will comply with all court orders and other
legal process for lawfully authorized electronic surveillance. Five9 will provide DOJ with a report
on the status of its implementation of lawful interception capabilities, including the status of its
compliance with CALEA, within sixty (60) days after the grant of its authority, and every thirty
(30) days thereafter up until the time when Five9 has fully implemented lawful interception
capabilities. Five9 understands that its failure to fulfill its obligations under this paragraph could
constitute a breach ofits commitments to DOJ.




Five9, Inc.
4000 Executive Parkway, Suite 400
San Ramon, CA 94583

www.five9.com


 Software




Five$ also agrees to maintain a U.S. citizen point of contact ("POC") in the U.S., to receive service
of process of U.S. Records,‘ to assist and support lawful requests for surveillance by U.S. federal,
state and local law enforcement agencies, to receive and promptly effectuate any requests for
information from DOJ pursuant to this LOA, and to address any questions or concerns DOJ may
have regarding Five9‘s compliance with the terms of this LOA. The name and contact information
for this POC will be provided to DOJ no later than thirty (30) days ofthe filing of this LOA. In the
event of a change in a POC, Five9 will notify DOJ within ten (10) business days of such change.

Five9 agrees that it will not directly or indirectly disclose or permit disclosure of or access to U.S.
Records or domestic communications or any information (including call content and call data)
pertaining to a wiretap order, pen/trap and trace order, subpoena, or any other lawful request by a
U.S. law enforcement agency for U.S. Records to any person if the identified purpose of such
disclosure or access is to respond to the legal process or request on behalf of a non—U.S.
government withoutfirst satisfying all pertinent requirements of U.S. law and obtaining the
express written consent of DOJ, or the authorization of a court of competent jurisdiction in the
U.S. The term "non—U.S. government" means any government, including an identified
representative, agent, component or subdivision thereof, thatis not a local, state, or federal
government in the U.S. Any such requests for legal process submitted by a non—U.S. government
to Five9 shall be referred to DOJ as soon as possible, but in no event later than five (5) business
days after such request or legal process is received by or made known to Five9, unless disclosure
of the request or legal process would be in violation of U.S. law or an order of a court of the U.S.

Five9 agrees that it is required to keep and maintain information concerning access to U.S.
Records and that it has the capability to audit and maintain logs of all such access to U.S. records.
Five9 further agrees to establish and maintain a compliance plan concerning access to U.S.
Records and train all its employees, contractors, and others with access to Five)‘s system or
network on the compliance plan. Five9 will provide DOJ with its compliance plan, ninety (90)
days after the time the FCC grants FiveY‘s application.




‘ U.S. Records, as used herein, means Five9‘s customer billing records, subscriber information,
and any other related information used, processed, or maintained in the ordinary course of business
relating to the services offered by Five9 in the U.S. For these purposes, U.S. Records also shall
include information subject to disclosure to a U.S. federal or state governmental entity under the
procedures specified in Sections 2703(c) and (d) and Section 2709 of Title 18 of the U.S. Code.

Five9, Inc.
4000 Executive Parkway, Suite 400
San Ramon, CA 94583


www.five9.com


Five9 also agrees to ensure that U.S. Records are not made subject to mandatory destruction under
any foreign laws. The location of the U.S. Records® storage facility will be provided to DOJ no
later than five (5) business days of the filing of this LOA.

Five9 agrees to provide annual reports to DOJ on status of all lawful surveillance request cases for
call content and call data including but not limited to (a) case dates, (b) completion status, (¢)
compliance status, (d) any and all unresolved issues surrounding the lawful surveillance process
(i.e., provisioning, delivery, interface, transport, completion, etc.); and (e) any occurrence of cyber
security incidents*, network and enterprise breaches, and unauthorized access to customer data and
information together with a summary ofall the information Five9 has gathered, reviewed, or
analyzed concerning any of the items specified in (e).

Five9 agrees to provide DOJ within sixty (60) days of the granting of its application a complete list
ofall third party suppliers, including but not limited to foreign contractors, off—shored service
providers, equipment manufacturers, and foreign nationals, authorized to access Five9‘s domestic
communications infrastructure ("DCI") and customer information. For purposes of this LOA, DCI
means: (a) transmission, switching, and routing equipment used by or on behalf of Five9 to
provide telecommunications services within the United States; or (b) equipment located within
facilities outside the United States used by or on behalf of Five9 to control the equipment
described in (a) above. DCI does not include equipment or facilities owned or used by service
providers other than Five9 that are: (a) interconnecting communications providers; or (b) providers
of services or content that are: (i) accessible using the telecommunications services of Five9, and
(ii) available in substantially similar form and on commercially reasonable terms through
communications services of companies other than Five9. The phrase "on behalf of" as used in this
definition does not include entities with which Five9 has contracted for resale, peering,
interconnection, roaming, long distance, or other similar arrangements.



2 "Cyber Security Incident" means (i) any unauthorized access, insertion or execution of malicious
code; insertion or transmittal of viruses, trojans, or worms; denial of service attacks; use of botnets;
spyware, phishing; identity theft (for the purposes of the foregoing list, an incident that is within
the reporting guidelines of the United States Computer Emergency Response Team (US—CERT)
shall be considered a Cyber Security Incident); (ii) establishment of unauthorized communications
channels to any foreign government or unauthorized recipient; (iii) any other unauthorized
addition, alteration, deletion, acquisition, theft, transfer, diversion of, or access to, information or
technology as identified in collaboration with DOJ or related security policies.


Five9, Inc.
4000 Executive Parkway, Suite 400
San Ramon, CA 94583

www.five9.com


 Software




Five9 agrees that within sixty (60) days of the filing of this LOA with the FCC, and thereafter
within thirty (30) days upon request from DOJ, Five9 shall provide an updated list of Principal
Equipment. For purposes of this LOA, "Principal Equipment" means the primary components of
the DCI, including, but not limited to, routers, switches, Home Location Registers, Home
Subscriber Servers, voicemail servers, multimedia messaging service systems, short message
service systems, firewall systems, load balancers, base stations controllers and radio network
controllers, as applicable, and any non—embedded software necessary for the proper monitoring,
administration and provisioning thereof. This list should include available information on each
item‘s manufacturer and the model and/or version number of any hardware or software. In
addition, the list should identify vendors or contractors for the Principal Equipment, including
those who have physical and remote access to the Principal Equipment and those performing
functions that would otherwise be performed by Five9‘s personnel to install, operate, manage, or
maintain the Principal Equipment.

Where a new vendor or contractor for Principal Equipment does not appear on any list of Principal
Equipment previously disclosed by Five9 pursuant to this LOA, Five9 shall provide to DOJ an
annual report that includes an updated list of Principal Equipment and the vendors or contractors
for the new Principal Equipment that has been added since its prior disclosure of Principal
Equipment.

Five9, and any owner of Five9, shall permit DOJ, and such other U.S. Government agency
representatives designated by DOJ, to inspect books and records, equipment, servers, and facilities
and premises owned or leased by Five9 to the extent business relating to Five9‘s FCC—licensed
activity takes place at such location(s). Where Five9 possesses the authority to permit such access,
FiveQalso agrees to make available to DOJ, and such other U.S. Government agency
representatives designated by DOJ, any third—party books and records, equipment, servers,
facilities (including third—party offshore or outsourced facilities), and premises to the extent
business relating to Five9‘s FCC—licensed activity takes place at such location(s). Ordinarily, DOJ
will provide Five9 with fourteen (14) days advance notice, but Five9 shall afford DOJ such access
during normal business hours without advance notice in extraordinary cireumstances.

Five9, and any owner of Five9, shall permit DOJ, and such other U.S. Government agency
representatives designated by DOJ, to conduct confidential interviews, of owners, ownership
groups, employees, or contractors of Five9 concerning compliance with this LOA and any other
law enforcement concerns.



Five9, Inc.
4000 Executive Parkway, Suite 400
San Ramon, CA 94583

www.five9.com


 gpatgmitente                                                                             FI’vfe\@
Five9 shall provide to DOJ a copy of the annual audit of Five$ that is performed each year by a
neutral third party. As of the date of this letter, the neutral third party auditor for Five9 is KPMG
LLP. DOJ shall be granted the right to exclusively meet with Five9‘s auditors at any time, upon
DOJ‘s request.

Five9 agrees to provide Annual Reports to DOJ regarding the company‘s compliance with the
specific terms of this LOA, to include a summary of the content of any notices sent to DOJ during
the prior year pursuant to this LOA and any changes made to its compliance plan relating to access
and disclosure of U.S. Records. The Annual Report also shall include reports of network and
enterprise breaches and unauthorized access to customer data and information; the name of and
contact information for the current LE POC and Company POC; and confirming Five9‘s
compliance with CALEA. These annual reports will be due on the anniversary date of this LOA‘s
execution and should be addressed to the following:

         Assistant Attorney General for National Security
         U.S. Department of Justice
         National Security Division
         Attention: Team Telecom, Foreign Investment Review Staff
         950 Pennsylvania Avenue, N.W.
         Washington, DC 20530

         Electronic mail: ttelecom@usdoj.gov

         Unit Chief, Science and Technology Policy and Law Unit
         Federal Bureau of Investigation
         935 Pennsylvania Ave, NW
         Room 7350
         Washington, DC 20535

Courtesy electronic copies ofall notices and communications also should be sent to the following,
or to such other persons identified to Five9 by DOJ in the future: ttelecom@usdoj.gov: Tyrone
Brown of DOJ (at tyrone.brown@usdoj.gov); Richard Sofield of DOJ
(richard.sofield2@usdoj.gov;); and Ryan Breitenbach of the FBI (at ryan.breitenbach@ic.fbi.gov).

The LOA may be terminated at any time by a written agreement signed by Five9 and DOJ. DOJ
shall notify the FCC of the LOA‘s termination within sixty (60) days of such termination.



Five9, Inc.
4000 Executive Parkway, Suite 400
San Ramon, CA 94583

www.five9.com


 Software                                                                                              »




Five9 shall negotiate in good faith to resolve any national security, law enforcement or public
safety concerns DOJ may raise with respect to the Principal Equipment List, new vendors or
contractors for Principal Equipment, or any other matters set forth in this LOA.


Five9 agrees that in the event the commitments set forth in this letter are breached, in addition to
any other remedy available at law or equity, DOJ may request that the FCC modify, condition,
revoke, cancel, terminate, or render null and void anyrelevant license, permit, or other
authorization granted by the FCC to Five9 or any successors—in—interest. Nothing herein shall be
construed to be a waiver by Five9 of, or limitation on, its right to oppose or comment on any such
request.

Nothing in this letter is intended to excuse Five9 from its obligations to comply with any and all
applicable legal requirements and obligations, including any and all applicable statutes,
regulations, requirements, or orders.

Five9 understands that, upon execution ofthis letter by an authorized representative or attorney for
Five9, DOJ shall notify the FCC that it has no objection to the FCC‘s grant of Five9‘s application.



Sincerely,                          »


              ye_A
         Zwarenstein
  hief Financial Officer

Five9, Inc.




Five9, Inc.
4000 Executive Parkway, Suite 400
San Ramon, CA 94583

www.five9.com



Document Created: 2015-06-09 13:59:03
Document Modified: 2015-06-09 13:59:03

© 2024 FCC.report
This site is not affiliated with or endorsed by the FCC