AWS (Amazon Web Services) is responsible for handling the physical security of the infrastructure. AWS is built to not only allow for truly scalable cloud-solutions, but also to meet the highest expectations for security.
To address the Schrems || ruling Whistleblower Software supports full End-to-End encryption in accordance with the recommendations of the European Union. Click here to read more.
The data is stored on servers from a facility that is ISO 27001, ISO 27017, ISO 27017 and SOC 1, SOC 2 & SOC 3 -certified. To get the full overview of the compliance programs, click here.
All data and backups are stored with AWS in Frankfurt. Backups are stored in different availability zones to ensure data availability.
Get an understanding of the data centers perimeter layer, infrastructure layer, data layer and environmental layer, click here.
Whistleblower Software's development team's highest priority is to ensure maximum security. We do this through preventive features such as End-to-End Encryption, Multi-Factor Authentication (MFA) and through a continuous focus on high-quality, clean and secure code, code reviews, our Quality Assurance environment (QA) and through manual and automated tests.
Whistleblower Software takes the shared responsibility of security between our cloud infrastructure and our application serious. To give you a glimpse of some of the best practices we follow, click here.
A document explaining about the system and its security
To spot weaknesses, Whistleblower Software often carries out a series of automated and manual tests to check for critical vulnerabilities such as potential for Cross Site Script (XSS)-attacks, SQL-injections, session-related vulnerabilities and more.
To ensure the highest security, we are also undertaking regular penetration tests from third-parties.
Carried out at 1st of april 2021 by Zencurity ApS.
Whistleblower Software has the perfect conditions for enforcing Network Firewall protections at scale through AWS, helping us mitigate potential DDoS-attacks and other potential exploits. Whistleblower Software minimizes risk through fine-grained network segmentation and our system is continously monitored for threats on both the network level and on the application level.
Whistleblower Software values privacy, and we do so by building our entire system around security and privacy that goes beyond best practices for the industry.
Even our software developers can’t see your cases, due to our End-to-End Encryption. All case-related free text forms and text-input fields are encrypted before stored in our database. Your company will be the only party to receive the keys to unlocking the information. This also means that if the worst should happen, any intruder won’t be able to read case-information from the database.
Whistleblower Software’s development process is based on Privacy by Design, which consists of seven principles on how to ensure a high level of security around private sensitive information and security in general. For example, through the so-called Privacy Enhancing Technologies (PETs) and organizational measures.
The core of Privacy by Design is that we build our IT systems and organizational processes cohesively around privacy and transparency from the very beginning and do not consider it a secondary element.
Whistleblower Software uses End-to-End Encryption (E2EE) to ensure a high standard of data privacy in communications through our platform. Information is encrypted through your company’s unique key, before it is sent through an SSL-connection, where it then gets stored in our AWS database. When the information is then to be read by your company or the whistleblower, for example, the encrypted data is received and decrypted directly in your browser with your unique decryption key.
Your unique decryption key can be stored outside of our AWS-environment, to enable the highest security. This means that Whistleblower Software employees cannot read your cases and other privacy related information from your account. This is also an extensive protection against MITM-attacks.
In addition, this ensures that Whistleblower Software is fully compliant with Schrems || (GDPR), as it prevents cross-Atlantic access from any government institution.
Data sent (in transit), is encrypted using TLS and data stored (in rest) is also encrypted.
The case-hub is per default password protected. An additional layer of security can be put into place by enabling the Multi-Factor Authentication. This requires users to verify by, for example, SMS before they can proceed into the system.
Once inside the system, users and external advisors must be granted permissions to access certain content or carry out additional operations. Furthermore, the system does not give users access to all cases. At the case level, access can be given to individuals, so it is ensured that no unauthorized persons (created in the system) can access cases. This can also be done at the category level, so that when creating new cases, certain individuals are automatically given access to, for example, cases that are marked as being within the "money laundering" category.
In addition, it is also possible to apply rules such as “archive permissions”. For example, this could require that any case can only get archived if 2 or all case handlers agree.
Whistleblower Software is built to be transparent for whistleblowers and case managers. For example, it is always possible for case-managers to go back in time to see any case changes and case handler actions through the activity logs.
Through the reporting channel, the whistleblower can see who will handle the case based on the category and department they’ve chosen. After submitting, the whistleblower can access the communication at any time to add more information or just to communicate with the company, even if they reported anonymously. In this overview, the whistleblower will be able to see the current status of the case handling and the people involved. Screeners and case-handlers can anonymize or pseudonymize cases if case multiple case-handlers are involved, all still visible to the whistleblower.
Whistleblower Software is built to be fully compliant with major whistleblowing and privacy laws, even for businesses spanning multiple legal jurisdictions. Including:
EU Whistleblower Protection Directive 2019/19378
US SOX Act Section 301 on Corporate Responsibility
German Corporate Governance Code
French Loi Sapin II
This of course includes the EU Whistleblower Protection Directive, where we are following related local legislations closely, to be able to meet all local requirements.
We’re preparing for being able to support the upcoming ISO 37002 -standard, giving globally standardized guidelines for whistleblowing management systems.
To ensure that we, as an organization, follow the best practices for information security we have implemented the ISO/IEC 27001:2013 management system. The certificate proves that Whistleblower Software’s operations adhere to the internationally recognized standards for the management of development, sales, and service of whistleblower solutions.
Carried out at 1st of december 2021 by Intertek.
Request our independent auditor’s ISAE 3000 report on information security and data protection measures in relation to the data processor agreement with data controllers. In the external audit you can read more about how the system works as well as organizational and technical security measures we have implemented. The ISAE 3000 Audit is done annually and is built around the ISO 27001 standard.
Carried out at 1st of june 2021 by Beierholm.
Due to Whistleblower Software’s focus on Privacy by Design , it has been easy to introduce several features into the product to accommodate not only legislation, but also best practice privacy initiatives.
Whistleblower Software is compliant with major privacy laws including GDPR . Read more about how our solution takes Schrems II into account through E2EE, here.
We carry out regular external GDPR audits.