Prevent leaks of your company's most delicate matters. Go for the highest security.

ISO/IEC 27001:2013
To ensure that we, as an organization, follow the best practices for information security we have implemented the ISO/IEC 27001:2013 management system.
ISAE 3000 Type 2
Independent auditor’s ISAE 3000 Type 2 report on information security and data protection measures in relation to the data processor agreement with data controllers.
ISO 27001 servers
Data is securely hosted with ISO 27001 certified AWS.
Penetration test
Last performed May 2023 by TRUESEC
ENS Certification
Compliance with ENS security regulations is mandatory for the public sector in Spain.
WCAG 2.1 AA Certification
The Web Content Accessibility Guidelines (WCAG) aim to make it easier for people with visual or hearing disabilities to navigate website pages.

Any questions?


Kristoffer Abell

kab@whistleblowersoftware.com

+45 71 99 63 83

Security

Data Storage

Physical storage

AWS (Amazon Web Services) is responsible for the physical security of the infrastructure. AWS is built not only to allow for truly scalable cloud solutions, but also to meet the highest expectations for security.

To address the Schrems II ruling, Whistleblower Software supports full End-to-End Encryption in accordance with the recommendations of the European Union. Click here to read more.

The data is stored on servers in a facility that is ISO 27001, ISO 27017 and SOC 1, SOC 2 & SOC 3 certified. To get the full overview of the compliance programs, click here.

Location

All data and backups are stored with AWS in Frankfurt. Backups are stored in different availability zones to ensure data availability.

To get an understanding of the data centers' perimeter layer, infrastructure layer, data layer and environmental layer, click here.

Application security

The highest priority of Whistleblower Software's development team is to ensure maximum security. We do this through preventive features such as End-to-End Encryption and Multi-Factor Authentication (MFA), and through a continuous focus on high-quality, clean and secure code, code reviews, our Quality Assurance (QA) environment, and manual and automated tests.

Whistleblower Software takes the shared responsibility for security between our cloud infrastructure and our application seriously. To get a glimpse of some of the best practices we follow, click here.

System description

A document explaining the system and its security.

To spot weaknesses, Whistleblower Software regularly carries out a series of automated and manual tests to check for critical vulnerabilities such as Cross-Site Scripting (XSS) attacks, SQL injection, session-related vulnerabilities and more.

To ensure the highest security, we also undergo regular penetration tests by third parties.


Penetration test

Carried out on 26th of May 2023 by Truesec A/S.

Network protection

Whistleblower Software has the right conditions for enforcing network firewall protections at scale through AWS, helping us mitigate potential DDoS attacks and other potential exploits. Whistleblower Software minimizes risk through fine-grained network segmentation, and our system is continuously monitored for threats at both the network level and the application level.

Privacy

We cannot see your data

Whistleblower Software values privacy, and we do so by building our entire system around security and privacy that goes beyond best practices for the industry.

Even our software developers can’t see your cases, due to our End-to-End Encryption. All case-related free-text forms and text-input fields are encrypted before being stored in our database. Your company is the only party that receives the keys to unlock the information. This also means that if the worst should happen, an intruder won’t be able to read case information from the database.

Whistleblower anonymity

In most countries, it is best practice to allow whistleblowers to report confidentially, because a whistleblower is often better protected by law if they are identifiable. However, in some cases whistleblowers might hesitate to report for fear of personal consequences.
Therefore, Whistleblower Software allows the whistleblower to report anonymously, and also allows screeners and case handlers to anonymize or pseudonymize cases when multiple case handlers are involved. Having the tools to protect the whistleblower's identity can be the key to getting an incident reported in time.

Privacy by design

Whistleblower Software’s development process is based on Privacy by Design, which consists of seven principles on how to ensure a high level of security around sensitive personal information and security in general, for example through so-called Privacy Enhancing Technologies (PETs) and organizational measures.

The core of Privacy by Design is that we build our IT systems and organizational processes cohesively around privacy and transparency from the very beginning and do not consider it a secondary element.

Special measures

End-to-End Encryption

Whistleblower Software uses End-to-End Encryption (E2EE) to ensure a high standard of data privacy in communications through our platform. Information is encrypted with your company’s unique key before it is sent over an SSL/TLS connection and stored in our AWS database. When the information is later read by your company or by the whistleblower, for example, the encrypted data is received and decrypted directly in your browser with your unique decryption key.

Your unique decryption key can be stored outside of our AWS environment to enable the highest security. This means that Whistleblower Software employees cannot read your cases and other privacy-related information from your account. It also provides strong protection against man-in-the-middle (MITM) attacks.

In addition, this ensures that Whistleblower Software is fully compliant with Schrems II (GDPR), as it prevents cross-Atlantic access by any government institution.

Data in transit is encrypted using TLS, and data at rest is also encrypted.

Access control

The case hub is password protected by default. An additional layer of security can be put in place by enabling Multi-Factor Authentication, which requires users to verify, for example by SMS, before they can proceed into the system.

Once inside the system, users and external advisors must be granted permissions to access certain content or carry out additional operations. The system does not give users access to all cases. At the case level, access can be given to individuals, ensuring that no unauthorized users (accounts created in the system) can access cases. This can also be done at the category level, so that when new cases are created, certain individuals are automatically given access to, for example, cases marked as being within the "money laundering" category.

In addition, it is possible to apply rules such as “archive permissions”. For example, such a rule could require that a case can only be archived if two or all of its case handlers agree.
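A minimal model of the access rules the two paragraphs above describe (default deny, case-level and category-level grants, and an archive rule that needs two or all handlers to agree), written as an added example. It is not the product's code; the user names, category name and rule format are constructed for the demo.

```javascript
// Added example (not the product's code): a model of case-level and
// category-level access plus an "archive permissions" rule.

// Category-level grants (constructed): handlers who automatically get access
// to every new case filed in the category.
const categoryAccess = { 'money laundering': ['alice', 'bob'] };

// Create a case. Its handler set starts from the category grant and may be
// extended with explicit case-level grants.
function createCase(id, category, extraHandlers = []) {
  const handlers = new Set([...(categoryAccess[category] || []), ...extraHandlers]);
  return { id, category, handlers, archived: false, archiveApprovals: new Set() };
}

// Default deny: having an account in the system grants nothing by itself;
// only an explicit grant on this case does.
function canAccess(caseRecord, user) {
  return caseRecord.handlers.has(user);
}

// Case-level grant after creation (e.g. bringing in an external advisor).
function grantAccess(caseRecord, user) {
  caseRecord.handlers.add(user);
}

// Archive rule: rule === 'all' needs every handler; a number needs that many
// distinct handlers. Approvals from non-handlers are rejected, not counted.
function approveArchive(caseRecord, user, rule) {
  if (!canAccess(caseRecord, user)) {
    throw new Error(`${user} has no access to ${caseRecord.id}`);
  }
  caseRecord.archiveApprovals.add(user);
  const needed = rule === 'all' ? caseRecord.handlers.size : rule;
  if (caseRecord.archiveApprovals.size >= needed) caseRecord.archived = true;
  return caseRecord.archived;
}

// Walk through the scenario from the text and return what happened.
function demo() {
  const c = createCase('case-0002', 'money laundering', ['carol']);
  const daveBefore = canAccess(c, 'dave');
  grantAccess(c, 'dave');
  const afterAlice = approveArchive(c, 'alice', 'all'); // 1 of 4: still open
  const afterBob = approveArchive(c, 'bob', 'all');     // 2 of 4: still open
  return { daveBefore, daveAfter: canAccess(c, 'dave'), afterAlice, afterBob };
}

console.log(demo());
```

The design choice worth noting is that the archive check is enforced by the same function that records the approval, and that it refuses approvals from anyone outside the case's handler set; a separate "is archived" flag that any handler could flip would defeat the rule.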

Transparency & logging

Whistleblower Software is built to be transparent for whistleblowers and case managers. For example, it is always possible for case-managers to go back in time to see any case changes and case handler actions through the activity logs.

Through the reporting channel, the whistleblower can see who will handle the case based on the category and department they’ve chosen. After submitting, the whistleblower can access the communication at any time to add more information or simply to communicate with the company, even if they reported anonymously. In this overview, the whistleblower can see the current status of the case handling and the people involved. Screeners and case handlers can anonymize or pseudonymize cases when multiple case handlers are involved, and this remains visible to the whistleblower.

Compliance

Whistleblower laws

Whistleblower Software is built to be fully compliant with major whistleblowing and privacy laws, even for businesses spanning multiple legal jurisdictions. These include:

EU Whistleblower Protection Directive 2019/1937

US SOX Act Section 301 on Corporate Responsibility

U.K. FCA

German Corporate Governance Code

French Loi Sapin II

This of course includes the EU Whistleblower Protection Directive, where we follow the related local legislation closely in order to meet all local requirements.

We are preparing to support the upcoming ISO 37002 standard, which gives globally standardized guidelines for whistleblowing management systems.

ISO/IEC 27001:2013

To ensure that we, as an organization, follow the best practices for information security we have implemented the ISO/IEC 27001:2013 management system. The certificate proves that Whistleblower Software’s operations adhere to the internationally recognized standards for the management of development, sales, and service of whistleblower solutions.


ISO/IEC 27001:2013

Carried out on 21st December 2023 by Intertek.

ISAE 3000 Type 2

Request our independent auditor’s ISAE 3000 Type 2 report on information security and data protection measures in relation to the data processor agreement with data controllers. In the external audit you can read more about how the system works as well as organizational and technical security measures we have implemented. The ISAE 3000 Type 2 Audit is done annually and is built around the ISO 27001 standard.


ISAE 3000 Type 2

Carried out on 1st June 2023 by Beierholm.

ENS Certification

ENS (Spanish National Security System) makes it mandatory for the public sector in Spain and companies supplying technology to public entities to live up to high-security standards. These regulations guarantee the security of the systems, data, and communication to protect individuals. Whistleblower Software is certified with the level “Alta”, signifying the highest attainable level.


ENS Certification - level: High

Carried out on 3rd May 2023 by BDO.

WCAG 2.1 AA

A WCAG certification is a quality seal proving web accessibility according to the international W3C guidelines (WCAG), making it easier for people with visual or hearing impairments to navigate website pages. This makes the product more accessible and inclusive for people with disabilities. The certificate recognizes web accessibility efforts and ensures compliance with legal requirements.


WCAG 2.1 AA Silver

Carried out on 27th September 2023 by TÜV TRUST IT.

GDPR audited

Due to Whistleblower Software’s focus on Privacy by Design, it has been easy to introduce several features into the product to accommodate not only legislation, but also best-practice privacy initiatives.

Whistleblower Software is compliant with major privacy laws including GDPR. Read more about how our solution takes Schrems II into account through E2EE here.

We carry out regular external GDPR audits.
