Prevent leaks of your company's
most delicate matters. Go for the highest security.

ISAE 3000
Independent auditor’s ISAE 3000 report on information security and data protection measures in relation to the data processor agreement with data controllers.
ISO 27001 servers
Data is securely hosted with ISO 27001 certified AWS.
Penetration test
Last performed May 2021 by Zencurity
Any questions?
+45 71 99 63 83
Kristoffer Abell
kab@whistleblowersoftware.com

Security

Data Storage

Physical storage

AWS (Amazon Web Services) is responsible for the physical security of the infrastructure. AWS is built not only to allow truly scalable cloud solutions, but also to meet the highest expectations for security.

To address the Schrems II ruling, Whistleblower Software supports full End-to-End Encryption in accordance with the recommendations of the European Union.

The data is stored on servers in facilities that are ISO 27001, ISO 27017 and SOC 1, SOC 2 and SOC 3 certified. AWS publishes the full overview of its compliance programs.

Location

All data and backups are stored with AWS in Frankfurt. Backups are stored in different availability zones to ensure data availability.

AWS documents the physical security of its data centers in four layers: the perimeter layer, the infrastructure layer, the data layer and the environmental layer.

Application security

The highest priority of Whistleblower Software's development team is security. We pursue it through preventive features such as End-to-End Encryption and Multi-Factor Authentication (MFA), and through a continuous focus on clean, secure code, code reviews, a dedicated Quality Assurance (QA) environment, and manual and automated tests.

Whistleblower Software takes seriously the shared responsibility for security between our cloud infrastructure provider and our application: AWS secures the underlying infrastructure, while we are responsible for the security of the application built on top of it.

System description

A document describing the system and its security measures.

To spot weaknesses, Whistleblower Software regularly carries out automated and manual tests for critical vulnerability classes such as cross-site scripting (XSS), SQL injection, session-handling flaws and more.
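As an added example (not code from Whistleblower Software or from this page), the following shows the shape of such an automated XSS check: a vulnerable renderer that concatenates report text straight into HTML, its escaped counterpart, and a test oracle that flags any markup the input manages to inject. The render functions, the payload list and the tag-count oracle are constructed for this illustration.

```javascript
// Added example, not Whistleblower Software's code: an automated stored-XSS
// check of the kind described above. Render functions, payloads and the
// oracle are constructed for this illustration.

// Constructed payloads that execute script if they reach the page as raw HTML.
const XSS_PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '"><svg onload=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
];

// Vulnerable form: report text concatenated straight into the HTML.
function renderMessageUnsafe(text) {
  return `<div class="message">${text}</div>`;
}

// Hardened form: escape the characters that change meaning in HTML before
// interpolation. Text goes into element content here; the same escaping also
// covers double- and single-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

function renderMessageSafe(text) {
  return `<div class="message">${escapeHtml(text)}</div>`;
}

// Oracle: count HTML tags in the output. Rendering an empty message yields the
// template's own tags; any extra tag means the input injected markup. A real
// suite would additionally load the page in a headless browser and watch for
// script execution, but this check is enough to fail the unsafe renderer.
const TAG = /<\s*\/?\s*[a-z][^>]*>/gi;

function countTags(html) {
  return (html.match(TAG) || []).length;
}

function injectsMarkup(render, payload) {
  return countTags(render(payload)) > countTags(render(''));
}

// Run every payload through a renderer; true only if none injects markup.
function passesXssChecks(render) {
  return XSS_PAYLOADS.every(p => !injectsMarkup(render, p));
}

// Which payloads get through a given renderer (useful in a failing test's output).
function failingPayloads(render) {
  return XSS_PAYLOADS.filter(p => injectsMarkup(render, p));
}
```

Run against renderMessageUnsafe every payload is reported; against renderMessageSafe none is, while legitimate text containing `<` still renders (as `&lt;`). The oracle is deliberately template-agnostic: it compares the tag count with that of an empty message rather than hard-coding the wrapper.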

To ensure the highest security, we also commission regular penetration tests from third parties.


Penetration test

Carried out on 1 April 2021 by Zencurity ApS.

Network protection

Whistleblower Software enforces network firewall protection at scale through AWS, which helps us mitigate DDoS attacks and other potential exploits. We further reduce risk through fine-grained network segmentation, and the system is continuously monitored for threats at both the network level and the application level.

Privacy

We cannot see your data

Whistleblower Software values privacy, and we do so by building our entire system around security and privacy that goes beyond best practices for the industry.

Even our software developers cannot see your cases, thanks to our End-to-End Encryption. All case-related free-text forms and text-input fields are encrypted in the browser before they are stored in our database. Your company is the only party holding the key that unlocks the information. This also means that if the worst should happen, an intruder reading the database will find only ciphertext where the case information is stored.

Whistleblower anonymity

In most countries it is best practice to let whistleblowers report confidentially rather than anonymously, because a whistleblower is often better protected by law when they are identifiable. In some cases, however, whistleblowers may hesitate to report for fear of personal consequences.
Whistleblower Software therefore allows the whistleblower to report anonymously, and also lets screeners and case handlers anonymize or pseudonymize cases when multiple case handlers are involved. Having the tools to protect the whistleblower's identity can be the key to getting an incident reported in time.

Privacy by design

Whistleblower Software’s development process follows Privacy by Design, a set of seven principles for protecting sensitive personal information and for security in general, implemented through Privacy Enhancing Technologies (PETs) and organizational measures.

The core of Privacy by Design is that we build our IT systems and organizational processes cohesively around privacy and transparency from the very beginning and do not consider it a secondary element.

Special measures

End-to-End Encryption

Whistleblower Software uses End-to-End Encryption (E2EE) to ensure a high standard of data privacy in communications through our platform. Information is encrypted in the browser with your company’s unique key before it is sent over a TLS connection and stored in our AWS database. When the information is later read by your company or by the whistleblower, the encrypted data is fetched and decrypted directly in the browser with your unique decryption key.

Your decryption key can be stored outside our AWS environment for the highest security. As long as the key is kept outside our environment, Whistleblower Software employees cannot read your cases or other privacy-related information from your account. It also means that a man-in-the-middle on the connection sees only ciphertext, even if the transport layer were compromised.

In addition, this supports compliance with Schrems II under the GDPR: case content stored in AWS is ciphertext, so neither Whistleblower Software nor any government institution compelling Whistleblower Software can read it without the key held by your company.

Data in transit is encrypted using TLS, and data at rest is encrypted as well.

Access control

The case hub is password protected by default. An additional layer of security can be added by enabling Multi-Factor Authentication (MFA), which requires users to verify with a second factor, for example a code sent by SMS, before they can proceed into the system.

Once inside the system, users and external advisors must be granted permissions before they can access specific content or carry out additional operations, and no user has access to all cases by default. Access can be granted at the case level to named individuals, so that no unauthorized person, even one with an account in the system, can open a case. Access can also be granted at the category level, so that when a new case is created, certain individuals are automatically given access to, for example, cases in the "money laundering" category.

In addition, rules such as "archive permissions" can be applied. For example, a case may be archived only if two, or all, of its case handlers agree.

Transparency & logging

Whistleblower Software is built to be transparent for whistleblowers and case managers. For example, it is always possible for case-managers to go back in time to see any case changes and case handler actions through the activity logs.

Through the reporting channel, the whistleblower can see who will handle the case, based on the category and department they have chosen. After submitting, the whistleblower can return to the case at any time to add more information or simply to communicate with the company, even if they reported anonymously. In this overview the whistleblower can see the current status of the case handling and the people involved. Screeners and case handlers can anonymize or pseudonymize a case when multiple case handlers are involved; this remains visible to the whistleblower.
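As an added example (not code from Whistleblower Software or from this page), the following is a minimal model of the rules described under "Access control" and "Transparency & logging": default-deny case access, automatic grants by category, an archive rule that needs a quorum of distinct handlers, and an append-only activity log that records every decision, allowed or denied. The data structures, the rule names, the quorum policy and the log format are assumptions for this illustration.

```javascript
// Added example, not Whistleblower Software's code: a minimal model of the
// access-control rules and activity log described above. Data structures,
// rule names, the quorum policy and the log format are assumptions.
class CaseHub {
  constructor({ archivePolicy = 'all' } = {}) {
    this.users = new Set();             // accounts that exist in the system
    this.categoryAccess = new Map();    // category -> Set(userId) auto-granted on new cases
    this.cases = new Map();             // caseId -> { category, handlers, archived, archiveVotes }
    this.archivePolicy = archivePolicy; // 'all' or the number of handlers who must agree
    this.activityLog = [];              // append-only record of every decision
  }

  log(actor, action, caseId, outcome) {
    this.activityLog.push({ seq: this.activityLog.length + 1, actor, action, caseId, outcome });
  }

  addUser(userId) { this.users.add(userId); }

  // Category-level rule: listed users are added to every new case in the category.
  grantCategory(category, userId) {
    if (!this.categoryAccess.has(category)) this.categoryAccess.set(category, new Set());
    this.categoryAccess.get(category).add(userId);
  }

  createCase(caseId, category) {
    const handlers = new Set(this.categoryAccess.get(category) || []);
    this.cases.set(caseId, { category, handlers, archived: false, archiveVotes: new Set() });
    this.log('system', 'create', caseId, `handlers=${[...handlers].join(',') || 'none'}`);
  }

  // Case-level rule: an existing handler grants a named individual access
  // (assumption: only handlers already on the case may grant).
  grantCase(granter, caseId, userId) {
    const c = this.cases.get(caseId);
    const ok = !!c && c.handlers.has(granter) && this.users.has(userId);
    if (ok) c.handlers.add(userId);
    this.log(granter, 'grant', caseId, ok ? `granted ${userId}` : 'denied');
    return ok;
  }

  // Default deny: an account that exists in the system still sees nothing
  // unless it is listed on the case.
  canRead(userId, caseId) {
    const c = this.cases.get(caseId);
    const ok = !!c && this.users.has(userId) && c.handlers.has(userId);
    this.log(userId, 'read', caseId, ok ? 'allowed' : 'denied');
    return ok;
  }

  // "Archive permissions": the case is archived only once enough distinct
  // handlers agree. Votes are a Set, so one handler voting twice counts once.
  voteArchive(userId, caseId) {
    const c = this.cases.get(caseId);
    if (!c || !c.handlers.has(userId)) {
      this.log(userId, 'archive-vote', caseId, 'denied');
      return !!(c && c.archived);
    }
    c.archiveVotes.add(userId);
    const needed = this.archivePolicy === 'all'
      ? c.handlers.size
      : Math.min(this.archivePolicy, c.handlers.size); // never demand more votes than handlers
    c.archived = c.archiveVotes.size >= needed;
    this.log(userId, 'archive-vote', caseId, `${c.archiveVotes.size}/${needed}${c.archived ? ', archived' : ''}`);
    return c.archived;
  }
}

// Constructed walk-through: two handlers auto-granted via the category, a third
// account that is not on the case, and a two-handler archive rule.
function scenario() {
  const hub = new CaseHub({ archivePolicy: 2 });
  ['alice', 'bob', 'carol'].forEach(u => hub.addUser(u));
  hub.grantCategory('money laundering', 'alice');
  hub.grantCategory('money laundering', 'bob');
  hub.createCase('case-42', 'money laundering');
  return {
    aliceReads: hub.canRead('alice', 'case-42'),             // auto-granted through the category
    carolReads: hub.canRead('carol', 'case-42'),             // has an account, not on the case
    carolGrants: hub.grantCase('carol', 'case-42', 'carol'), // cannot grant herself access
    bobVotes: hub.voteArchive('bob', 'case-42'),             // 1 of 2 votes
    bobVotesAgain: hub.voteArchive('bob', 'case-42'),        // still 1 of 2
    aliceVotes: hub.voteArchive('alice', 'case-42'),         // 2 of 2, archived
    log: hub.activityLog,
  };
}
```

Two details matter more than the rest: denied attempts are logged just like allowed ones (a case handler reviewing the activity log should see who tried to open a case they were not on), and the archive quorum counts distinct handlers, so a single handler cannot satisfy a two-person rule by voting twice.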

Compliance

Whistleblower laws

Whistleblower Software is built to be fully compliant with major whistleblowing and privacy laws, even for businesses spanning multiple legal jurisdictions. Including:

EU Whistleblower Protection Directive (EU) 2019/1937

US SOX Act Section 301 on Corporate Responsibility

U.K. FCA

German Corporate Governance Code

French Loi Sapin II

This of course includes the EU Whistleblower Protection Directive, where we are following related local legislations closely, to be able to meet all local requirements.

We are preparing to support the upcoming ISO 37002 standard, which gives globally standardized guidelines for whistleblowing management systems.

ISAE 3000

Request our independent auditor’s ISAE 3000 report on information security and data protection measures in relation to the data processor agreement with data controllers. In the external audit you can read more about how the system works as well as organizational and technical security measures we have implemented. The ISAE 3000 Audit is done annually and is built around the ISO 27001 standard.


ISAE 3000

Carried out on 1 June 2021 by Beierholm.

GDPR audited

Because of Whistleblower Software’s focus on Privacy by Design, it has been straightforward to add features to the product that meet not only legislation but also best-practice privacy initiatives.

Whistleblower Software is compliant with major privacy laws, including the GDPR. Our solution takes Schrems II into account through E2EE, as described above under End-to-End Encryption.

We carry out regular external GDPR audits.
