Skip to content
Close
SEARCH
Contact
Contact
Whalebone
products
Our user-centric, no-installation security products provide people across the globe with an uninterrupted digital life, free from the fear of emerging threats.
Aura menu-min
Immunity menu picture-min
Peacemaker menu picture-min
Can’t find what you are looking for? Contact us
Planet background-min

Whalebone Service Terms and Conditions - Peacemaker

Version: April 2026

1. General provisions

1 . These Whalebone Service Terms and Conditions (hereinafter referred to as "Terms and Conditions”) stipulate the terms and conditions of the use of the Service and software developed and provided by the company, Whalebone, s.r.o. with registered office: Jezuitská 14/13, Brno 60200, Czech Republic ID no.: 05120403, registered in the Commercial Register kept at the Regional Court in Brno, Section C, Insert 93547(hereinafter referred to as "Company" or the “Provider”).


2. These Terms and Conditions, may be unilaterally amended by the Company. The Customer will be notified by Provider about such amendments at least thirty (30) days before they become effective. Such notification shall be made through web portal of the Service or electronically to Customer’s email address and shall be effective after lapse of the notification period, unless Customer rejects such new Terms and Conditions in writing within the specified period. In such a case, all business transactions, the existing as well as those initiated after the effective date of the new Terms and Conditions, will be subject to the original Terms and Conditions.

3. The following Annexes form an integral part of these Terms and Conditions:

     Annex 1 SLA

     Annex 2 Data Processing Agreement

     Annex 3 Peacemaker Service Specification

     In the event of a discrepancy between the Terms and Conditions and its Annex, the provisions of the Terms and Conditions will prevail over provision of the Annex.

2. Definitions

1 . “Customer” means the internet service provider (ISP) which is entitled to use the Service based on an existing contract (Order) with Company or with one of Company’s authorized providers.

2. “Confidential Information” means all information disclosed by a disclosing party to the receiving party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information of Customer includes Customer data; Confidential Information of Company/Provider includes the Service, and the terms and conditions of each Order (including pricing). Confidential Information of each party includes business and marketing plans, database of customers / users, technology and technical information, product plans and designs, pricing policy and business processes disclosed by such party.

3. “End User” is a consumer who is authorized to use the Service based on a valid subscription purchase for him by the Customer. End Users include, for example, individuals, households, contractors or other rightful users of the Service who are not using the Service for their entrepreneurial activity.

4. “Purchase Order” means an ordering document specifying the Service to be provided hereunder that upon Provider’s confirmation enters into force between Customer and Provider, and constitutes the contract for provision of Services, including any addenda and amendments thereto.

5. “Provider” means the Company or an authorized provider of the Service who sales / provides the Service to Customer pursuant to a valid contract (Purchase Order) with the Customer.

6. “Service Page” means a website containing the necessary information for the proper Service operation. Service page is available at https://support.whalebone.io.

7. “Technical Support” means and comprises the activities as stipulated in Art.7 hereunder.

3. Deployment of the Service

1. Based on an Purchase Order, the Provider shall provide to the Customer the Whalebone Peacemaker DNS Security & Management service with a possible extension by Peacemaker Content Filtering or Peacemaker Profit add-on (hereinafter referred to as the “Service”).

2. Whalebone Peacemaker DNS Security & Management is a service providing security and infrastructure services to internet providers. The essential part of the Service runs online, selected software modules run directly in the Customer’s networks. Whalebone Peacemaker DNS Security & Management handles network traffic, detects security incidents, offers the ability to block malicious traffic, and helps companies gain insight into traffic over selected network protocols.

3. The Whalebone Peacemaker DNS Security & Management provision is deemed to have started by providing the Customer with the customer account login data and shall be provided within three (3) days upon Purchase Order confirmation. The provision of the Whalebone Peacemaker DNS Security & Management service is considered to be initiated by creating an account for the Customer by the Provider and providing the login data to Customer. In the event that there is no delay in cooperation with the customer, the Provider is obliged to perform activities related to the establishment of a Customer account and the provide the login data to the Customer within 3 business days of Purchase Order confirmation.

4. Whalebone Peacemaker Content Filtering is an extension of Whalebone's local DNS with the ability to filter traffic by content categories. Filtering takes place at the level of control and management of DNS traffic, and if the domain is evaluated as banned, the request for this domain is redirected to the IP address of the blocking page. Configuration is possible from the administration of the Customer’s administration console to the level of a specific IP address. Content can be blocked according to selected categories (such as sexual content, audio / video, social networks, ads, ...). In addition, it is possible to use your own content blacklists, or to allow specific domains through whitelists.

5. Whalebone Peacemaker Profit is an extension of Whalebone's local DNS with the possibility of using the Whalebone Subscription API and activating the Retail version, which allows the Customer to create through integration with its systems an additional product for End Users. This extension enables configuration of Whalebone (de/activation of security functions and content filtering functions, selection of categories to be blocked and own blacklists and whitelists) by the End Customer, records of service use by the Customer and Provider and connection with the Customer's own internal information systems (e.g. for invoicing and registration of services provided to End Customers).

6. Extensions of the Service by PEACEMAKER Content Filtering and Peacemaker Profit are possible only subject to a separate Order confirmed by Provider. Extensions are put into operation by Provider within three (3) business days from the Order confirmation by Provider. The Extension of the Service may be deactivated any time upon written notice provided by Customer and will be deactivated within three (3) business days from confirmation of delivery of such notice.

7. The Customer will be provided with the customer account login data within three (3) days upon Order confirmation. In case of doubt about the exact date of deployment of the Service, the date on which the account login data have been provided to Customer is considered as a start date of the Service provision for the purpose of invoicing. Each user account or sub-account (hereinafter referred to as "Account") in the Service multitenant interface is tied to one customer only. Use of one Account for multiple customers is prohibited.

8. The Customer will receive a two-hours initial Service introduction and training. The Customer shall attend the Service introduction and training session otherwise the Customer runs into a risk of higher amount of user and administrator errors beyond the Provider’s responsibility incl. SLA according to Annex 1a of these Terms and Conditions.

9. The Customer must deploy the Service according to the steps defined in the Technical Documentation available at https://docs.whalebone.io/ ("Administrator's Documentation") and will inform the Provider about Service deployment’s progress and any problems encountered during the deployment in order to provide the necessary support to the Customer.


10. The Service is provided to the Customer to improve and enhance the stability of the Customer's network and the protection of End users, especially against cyber threats. The Customer chooses the individual types of deployment and use of the Service by selecting the type of Service in the Order.

11. The possibilities to charge the Service provision by the Customer to own customers are described below in this article and are determined by the Customer's selected type of Service. The Customer will not allow the use of the Service to third parties in violation to these Terms and Conditions.

12. Product variants and possibilities of their provision to users are further described in Annex 3.

13. Should any changes occur in the Customer’s network infrastructure, the Customer shall adjust the configuration of the Service according to Administrator’s Documentation.

14. The Customer shall inform the Provider about any suspicion of a bug or Service malfunction so that the Provider can fix it.

15. The Customer shall provide the Provider with any required assistance according to these Terms and Conditions.

4. Use of Service

1. The Service is purchased as a subscription for the period specified in the relevant Purchase Order. The Service parameters are the number of connections in the Customer’s network and the volume of DNS traffic determined as the daily average per month of traffic, or the median per month of traffic in the Customer's network. The Service parameters are the number of connections in the Customer’s network and the volume of DNS traffic determined as the daily average per month of traffic, or the median per month of traffic in the Customer's network. If the Customer does not provide the expected volume of DNS traffic, this parameter is set by the Provider as the daily average traffic in the given network per month measured within the testing period of the Whalebone Service in the Customer's network.

2. Except as otherwise specified herein or in an Order, (i) fees are based on Service parameters stipulated in the Order and deployment works provided, (ii) payment obligations are non-cancellable and fees paid are non-refundable, and (iii) quantities of Services subscription purchased cannot be decreased during the relevant subscription term.

3. If during the usage of the Service the Service parameters are exceeded, the Provider will notify the Customer and will provide the Customer with the updated price corresponding to the actual current usage, that will be confirmed by a new/additional order from the Customer. If, notwithstanding Provider’s efforts, no agreement is reached on a new pricing, which corresponds to the actual volume of Service use, the Customer promptly reduces the relevant usage so that it conforms to the volume predicted by Service parameters, or Provider will charge the Customer for excess usage.

4. The Customer shall (i) use the Service only in accordance with these Terms and Conditions, Documentation, Order and applicable laws (e.g. Regulation (EU) 2015/2120 of the European Parliament and of the Council dated 25th November 2015), (ii) be responsible for the accuracy, quality and legality of the transmitted data, the means by which Customer gained such data, Customer’s use of the data with the Service, and (iii) use commercially reasonable efforts to prevent unauthorized access to or use of the Service. Any use of the Service in breach of the foregoing by Customer or End Users that according to Provider’s opinion threatens the security or availability of the Service may result in Provider‘s immediate suspension of the Service.

5. The Customer shall indemnify the Provider for any cost, charge, damages, expenses or loss it has incurred due to the Customer’s violation of the foregoing or lack of compliance with the applicable law which affects the Provider.

5. Ordering

1. The Customer submits Purchase Order for the Service using the Purchase Order form, template of which will be provided to the Customer. The Purchase Order shall include the Customer's identification data, parameters of Service (such as number of subscriptions, devices or other agreed indicator), starting date of the Service, subscription term, Deployment, if applicable, and any free trial period, if any. Each Purchase Order is subject to confirmation (acceptance by) the Provider. In case of any doubt about the starting the date of the Service, the Service operation is deemed to have started after completion of Deployment.

2. Any oral order of the Customer shall always be confirmed in writing. In the event of an oral order, the contract won’t be entered into until confirmed in writing by Provider.

3. Any derogating undertakings in the Purchase Order precede over the provisions hereof.

4. Any changes or amendments to an existing Purchase Order may only be made in the form of written amendments signed by both Parties

6. Price and payment conditions

1. The Service price is calculated in accordance with (i) the currently valid Company’s pricelist, and (ii) the Service parameters. Company reserves the right to change the price list that is subject to at least thirty (30) days notification before the change becomes effective. The Service parameters are the number of connections in the Customer’s network and the volume of DNS traffic determined as the daily average per month of traffic, or the median per month of traffic in the Customer's network. If the Customer does not provide the expected volume of DNS traffic, this parameter is set by the Company as the daily average traffic in the given Customer’s network per month measured within the Whalebone test period.

2. The price is valid for up to a 10% deviation from the specified Service parameters (whether in the number of connections or in the volume of DNS traffic in Customer’s network) within the respective quarter.

3. If the usage limits are exceeded, the Provider will notify the Customer and will provide the Customer with the updated price corresponding to the actual current usage, that will be confirmed by a new order from the Customer. If, notwithstanding Provider’s efforts, no agreement is reached on a new pricing, which corresponds to the actual volume of Service use, the Customer promptly reduces the usage so that it conforms to the volume predicted by Service parameters, or Provider will charge the Customer for excess usage.

4. Company’s prices do not include any taxes, fees, customs, duties or similar governmental assessments of any nature, including, value-added, sales or withholding taxes, assessable by any jurisdiction whatsoever (the “Taxes”). Customer shall be responsible for the payment of Taxes associated with the purchase of a Service. Taxes related to Service and Technical Support services purchased shall be paid by the Customer or the Customer shall present an exemption certificate acceptable to the taxing authorities. The Customer shall reimburse to the Provider all taxes, charges and duties of any kind applicable within thirty (30) days after presentation of proof of payment thereof by the Provider. For clarity, Provider is solely responsible for taxes assessable against it based on its income, property and employees.

5. The invoices are payable within fourteen (14) days from the date of delivery of the invoice, unless other due date is indicated in the invoice.

6. The invoices may be issued electronically and sent via e-mail. Unless the parties agree otherwise, invoices shall be issued annually in advance according to the number and size of Customers.

7. Payments shall be made via bank transfer to Provider’s designated account. The payment is considered paid on the day of receipt to the Provider’s bank account.

8. If Customer fails to pay to Provider any amount due in connection with the cooperation pursuant to this Agreement, Customer must pay to Provider the late payment interest of 0.05% (five hundredths of a percent) of the outstanding amount for each commenced day of such default without the need of written notice by Provider. Moreover, Provider is entitled to interrupt or suspend its performance towards the Customer whenever the Customer is in default with the payment of any Provider’s payable receivables or is in default with the fulfilment of other contractual obligations; in such a case, Provider must notify the Customer in writing at least seven (7) days prior to the interruption or suspension of the performance towards the Customer.

7. Technical support

1. The Provider shall maintain, diagnose and develop the system and monitor the whole system to ensure maximum availability of the Service

2. Any requests and defects discovered during Deployment must be reported immediately in writing to Provider, otherwise they will be disregarded

3.  Warranty notice

Should there be any problem running the Service, the Customer shall report the problem to the Provider in the manner specified at Service Page.

4. Customer support

The Provider shall assist the Customer via email and web support. Any defects in the Service shall be notified to the Provider using Whalebone ticket system available at Service Page immediately. On business days the Provider guarantees to inform the responsible person and to commence resolving the ticket within 6 hours of receipt of the ticket. The Provider shall do its best to resolve the ticket even earlier and also in non-business hours.

5. If certain service level and/or guaranteed uptime is required by Customer, Provider may provide such service on the basis of a separate Order. The terms and condition of such service level agreement will be stipulated in writing in the respective Service Level Agreement. The standard SLA is already included in the subscription and is governed by the terms and conditions stipulated in Annex 1 hereto.

8. Liability

1. Customer and Provider shall use reasonable efforts to prevent any damages that may occur in connection with performance hereunder or to mitigate already caused damages


2. No party shall be liable for any failure of or delay in the execution of Purchase Order for the period that such failure or delay is due to causes beyond its reasonable control, including but not limited to acts of God, war, strikes or labor disputes, embargoes, government orders or any other force majeure event. In the event of a threatened default or default as a result of any of the above causes, the defaulting party shall exercise its best efforts to avoid and cure such default.

 

3. Provider’s aggregate liability to the Customer under the specific Service subscription (Purchase Order), whether for breach of contract or in tort, is limited to the monthly price paid by the Customer for the specific Service which gives rise to the claim. In no event will the Provider be liable for any indirect, punitive, special, force majeure events, incidental or consequential damages in connection with or arising out of the specific Service subscription (Purchase Order) (including loss of business, revenue, profits, use, data or other economic advantage), however caused and regardless of the theory of liability, even if Provider has been previously advised of the possibility of such damages, and even if any exclusive remedy provided for herein fails of its essential purpose.

9. Non-disclosure

1. Each Party agrees to refrain from disclosing or using any information of trade and/or production value that they may have learnt in connection with the performance hereof.

2. The non-disclosure obligation shall not apply to information that:

2.1 can be proven was already known to the receiving Party before the disclosing Party disclosed it; or

-  2.2 was made accessible to the receiving Party by third parties without breach of a non-disclosure or any similar obligation; or
-  2.3 is or becomes publicly known without breach of any obligation of the receiving Party hereunder; or

-  2.4 the receiving Party is required by the relevant applicable law or enforceable decision to disclose to courts or public authorities provided that the receiving Party limits the disclosure to the required information only and takes appropriate measures to prevent further disclosure of such information by such third parties.


3. The obligation of confidentiality will survive any termination or expiration of the respective Purchase Order for the period of three (3) years.

4. The Provider may use the data processed in connection with the Service provision in anonymized form for research purposes.

10. Term and termination

1. The term of each Service subscription shall be as specified in the applicable Purchase Order.

2. Except as otherwise specified in the Purchase Order, the subscriptions will automatically renew for additional periods equal to the expiring subscription term, unless either party gives the other notice of non-renewal at least thirty (30) days before the end of the relevant subscription term.

3. A party is entitled to terminate a particular Service subscription (Purchase Order) for a material breach of the other party’s obligations related to the relevant subscription (Purchase Order), if such breach remains without remedy within a reasonable time period. The reasonable time for remedy shall be at least 30 (thirty) days and the termination notice must be in writing.

4. Any termination of Services subscription will be without prejudice to any other rights or remedies of either party under a contract or at law, and will not affect any accrued rights or liabilities of either party or any provision herein which comes into, or continues in, effect after termination. The termination of the Service subscription for any legal reason does not affect already provided Service or the claims arising therefrom (in particular, the claim to pay the price for the Service already provided).

5. Upon expiration or termination of the Service the Customer is obliged to delete the data about the threats and potentially malicious content and encryption keys by the Service from its systems, all pursuant to the procedure set forth by the Provider in the Administrator’s Documentation. For this purpose the deletion of the entire virtual machine is regarded as sufficient.

Without prejudice to any other Provider’s rights and claims under the contract or at law, a usage of the Service without a valid Order or any failure or delay to provide the evidence of the undertaken actions leading to complete deletion of the said data is subject to a penalty amounting to the double of the monthly amount of the subscription fee for each month of delay or failure to provide such evidence.

11. Final provisions

1. If any provision of the Purchase Order or of these Terms and Conditions is or becomes invalid, unenforceable, implied or ineffective, this will not affect the validity, enforceability and effectiveness of the remaining provisions of the Purchase Order Contract or these Terms and Conditions. In such a case, the Parties are obliged to make every effort to enter into a written amendment to the Contract by which the respective invalid, unenforceable or ineffective provision shall be replaced with a new one that will better satisfy the initially intended purpose.

2. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld).

3. No failure or delay by either party in exercising any right under the respective Purchase Order will constitute a waiver of that right.

4. With regard to any paper documents, any notice shall be deemed delivered once it has been accepted by the addressee, or on the third day after it has been deposited with a postal operator, even if the other Party fails to collect the document, or on the day of refusal to accept the consignment, whichever comes earlier. Email correspondence shall be deemed delivered the following day after it has been sent, unless it is factually delivered earlier.

5. The legal relationship of the parties, as well as the validity and existence of the contract, shall be governed by the law of the Czech Republic. The application of the UN Convention of 11 April 1980 on the International Sale of Goods is excluded.

6. The courts located in Brno, Czech Republic, will have exclusive jurisdiction over any dispute relating to this Agreement, and each party consents to the exclusive jurisdiction of those courts.

7. The Parties agree to use references based on the subject matter of the Agreement. This includes in particular the mutual mention of the company name, logo, general characteristics and technical and economic description of the service provided or purchased and the form of cooperation. The reference may be used by both parties in all marketing and communication activities.

8. These Terms and Conditions (incl. its Annexes), together with the Purchase Order and any other documents referred to in the Purchase Order, form an entire agreement and supersede any previous arrangements between the Parties regarding the subject matter of the contract.

Annex 1 – Standard Service Level Agreement - SLA

1. Service specification
1. The terms used with capitalized initial letters in this SLA have the meaning as defined in the Whalebone Service Terms and Conditions unless defined otherwise below.


2. Service parameters

1. The operating hours of the Service are 24 hours a day, 7 days a week.
2. Subject to exclusions within this Agreement the Provider guarantees the Customer availability of the Service as described in paragraphs 2.3 and 2.4 related to particular services.
3. The overall combined Whalebone DNS resolvers’ availability is at 99,95 % of the operating time of the Service. The DNS resolver is deemed to be unavailable when it does not respond to DNS requests sent from an IP range defined by the Customer on the web portal.
4. The overall web portal availability is at 99 % of the operating time of the Service. The web portal is deemed to be unavailable if it is not possible to log into the web interface, track the list of detected events and perform critical configurations of Service behaviour. The web interface is linked via the Service page.
5. The evaluation period of the services availability is a calendar month.
6. The period of the service unavailability is deemed to start upon a notification of the Customer according to section 8 of Terms and Conditions stating that the service is unavailable. The period of unavailability deems to end by renewing availability of the specific service.


7. The DNS resolvers’ availability as per paragraph 2.2 does not apply to an unavailability resulting from:
-  7.1 the circumstances of the force majeure,
-  7.2 any failure of the hardware or software that is not provided by the Provider, and in particular, but not exclusively, by the Customer's insufficient Internet connection to the Service interface,
-  7.3 any use of the Service not compliant with the Provider’s instructions or general principles of using a similar kind of service.


8. The Service is not considered to be unavailable in case of planned downtime of the Service. The Customer shall be informed about such downtime via e-mail at least four (4) calendar days in advance.


3. Penalties

1. Shall the availability of either any or both of the services defined in paragraphs 2.3 and 2.4 does not reach guaranteed values in any evaluation period the Customer shall be entitled to a 8% discount of the price of the Service within the given evaluation period.
2. Shall the availability of either any or both of the services defined paragraphs 2.3 and 2.4 does not reach 98 % in any evaluation period the Customer shall be entitled to a 20% discount of the price of the Service within the given evaluation period.
3. The provisions of paragraphs 3.1. and 3.2. do not apply to unavailability caused by the Customer's conduct or circumstances excluding liability (force majeure).
4. The discounts of the price under this Article 3 are the sole claim of the Customer arising from non-compliance with guaranteed service availability or non-observance of the reaction time. All other claims are excluded.

Annex 2 - Data Processing Agreement

This Data Processing Agreement, including its Exhibits, (“DPA”) forms part of the Whalebone Service Terms and Conditions for the purchase of services from Whalebone to reflect the parties’ agreement with regard to the processing of personal data.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Purpose of Agreement1. The purpose of this DPA is to ensure the legal compliance of the Processor’s and Controller’s cooperation with respect to the Whalebone Terms and conditions. processing of personal data in the course of providing the Service pursuant to the contract between the parties (the “Purchase Order”).
2. For the purposes of this Agreement, the Provider is referred to as the Processor and the Customer is referred to as the Controller.


2. Parties’ roles

1. The Controller hereby entrusts the Processor, pursuant to Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), with the processing of personal data under this DPA.

2. In the course of providing the Whalebone services to Controller the Processor will process personal data on behalf of Controller based on the Controller’s provided instructions and in compliance with the following provisions with respect to any Personal Data The data processing is made with respect to the provision of Whalebone services under the respective Order executed between the Controller and Processor of which this DPA is a part.


3. Nature, subject matter and duration of data processing

1. The Processor processes the following types of personal data:
-  1.1 DNS query sent by the Controller’s employees or persons using the Controller’s network;
-  1.2 Resolver DNS response;
-  1.3 DNS query timestamp;
-  1.4 IP address of the device which sent the DNS query;

In case of Peacemaker Profit variant, the Processor may, depending on the extent of Services provided to the Controller, process the following categories of data:

-  1.5 Device identifier which sent the DNS querry;
-  1.6 Name and surname of the Controller’s customer;
-  1.7 Email address of the Controller’s customer;
-  1.8 Telephone number of the Controller’s customer.

2. Controller’s customers are the data subjects under this DPA.

3. The Processor will process the above-mentioned types of data in electronic form only.
4. The subject-matter of processing of personal data by Processor is the performance of the Service, pursuant to the respective Order.
5. The period of time for which the data pursuant to paragraphs 3.1.1 to 3.1.4 will be stored is no longer than six (6) months from the transfer of the respective data by the Controller to the Processor.
6. The Processor will retain the personal data pursuant to paragraphs 3.1.5 to 3.1.8 for the period for which the Controller’s customer will be using the service, i.e. until the Controller removes the customer from Whalebone cloud, thereby deleting these data from the Processor’s storage.


4. Processor’s obligations

1. Security measures. The Processor will assist the Controller in providing for compliance with the duties imposed by Articles 32 to 36 of the GDPR, taking into account the nature of the processing and information which is available to Processor. The Processor has in place such technical and organizational measures (including the adoption of appropriate internal regulations and policies, if required) which will ensure the protection of the processed personal data and prevent them from unauthorized or accidental access to, or change, destruction, loss, unauthorized transfer, unauthorized processing or other misuse. The technical and organizational measures are set forth in the Exhibit 1 hereto.

2. Confidentiality. Processor’s personnel engaged in the processing of personal data are informed of the confidential nature of the personal data and have executed written confidentiality agreements. Processor will ensure that such confidentiality obligations survive the termination of the personnel engagement and access to personal data will be limited only to those personnel performing Service in accordance with the Order.

3. Deletion of data. In accordance with the Controller’s decision, the Processor will either delete or return all personal data to the Controller after the provisions of services relating to the processing is terminated and delete all existing copies, unless required by the EU law or other applicable laws to retain the respective data.

4. Audit rights. The Processor will provide to the Controller such information as is requested by Controller to demonstrate compliance with the obligations provided by Article 28 of the GDPR. The Processor will allow for an audit or inspection to be conducted by Controller or an independent auditor engaged by the Controller. Such audit shall be carried out without interfering with the normal business operation of Processor. The audit might be subject to signing of a non-discloser agreement by the auditor and payment by Controller of all expenses thereof. The Parties are obliged to provide each other with materials necessary to accomplish this objective. This obligation of the Parties will be performed in particular in case of dealings with the Data Protection Office or other public authorities.

5. The Processor is under no circumstances responsible for the accuracy, quality, and legality of personal data and the means by which Controller acquired personal data.6. Personal data breach notification. The Processor will notify the Controller without undue delay after becoming aware The of any detected data safety breach, of any unauthorized access to, destruction or loss, unauthorized transfer or other unauthorized processing or misuse of the processed data. The Processor is responsible for immediately notifying the Controller about this in accordance with applicable Data Protection Laws and Regulations. The Processor is also obliged to adopt any appropriate and efficient measures to remedy the defective situation and to guarantee the data security again and to mitigate losses. The obligations herein shall not apply to data breaches that are caused by Controller’s Users.

7. Data subject requests. Processor will, to the extent legally permitted, promptly notify Controller if Processor receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing, or its right not to be subject to an automated individual decision making. Taking into account the nature of processing, the Processor will help the Controller, to the extent this is possible, by appropriate technical means and organizational measures, to fulfil Controller’s duties to respond to data subjects’ requests for the exercise of rights under the Data Protection Laws and Regulations.


5. Sub-processors

1. The Controller gives his general written authorisation that the Processor may engage other processors for the processing with respect to the Service provision. Company’s list of all engaged sub-processors is available at the Processor’s website https://support.whalebone.io. Processor will notify Controller in case of engaging any new sub-processor through the above website. Within ten (10) days from the above described notification of new sub-processor(s), the Controller may object against their engagement. In case that the Controller does not object within ten (10) days, the engagement of these sub-processor(s) is considered authorized.

2. On each sub-processor engaged by Processor to perform certain data processing activities, the Processor will impose, under a written agreement, the data protection obligations not less protective than those provided by this DPA, including but not limited to, the provision of sufficient guarantees of appropriate technical and organizational measures for the data processing to comply with the GDPR requirements.

3. If any of the sub-processors fails to perform his data protection obligations, the Processor remains fully liable to the Controller for the performance of obligations of that sub-processor.


6. Controller’s obligations

1. The Controller ensures and warrants that in engagement of Processor, in use of the Service, all personal data made available to Processor will be collected legally and in accordance with the requirements of Data Protection Laws and Regulations.
2. The Controller is responsible for compliance of its instructions for personal data processing with the Data Protection Laws and Regulations. If Controller’s instructions for the processing of personal data do not comply with Data Protection Laws and Regulations, Processor is entitled to suspend its performance under this Agreement.

3. The Controller is responsible for the performance of all duties with respect to data processing, including but not limited to proper informing data subjects about data processing, obtaining consents to data processing, where necessary, and handling data subjects’ requests with respect to the exercise of their rights.


7. Data protection officer

1. The Processor has appointed a data protection officer (the “DPO”). The DPO may be contacted via email at dataprotection@whalebone.io.

8. Data transfers

The transfer of personal data for processing in a third country shall take place only if such transfer meets the conditions outlined in the GDPR, specifically Chapter V.

Annex 3 - Peacemaker Service Specification

Latest Peacemaker Service Specification Document.