Whistleblower reports do not belong inside an LLM
Seven whistleblower platforms sold into the EU run report content through large language models. They summarise reports, transcribe voice intake, run AI agents that talk to whistleblowers, and produce “insights” across case archives. Only one of the seven names which AI provider does the work.
EthicsPortal does none of this. Our DPA §6.10 and our sub-processor list say so.
Every claim below is quoted from the vendor’s own live page or public DPA, captured 24 May 2026. Translation and categorisation can run on-prem, so we did not include vendors whose only AI claim is “AI translation” or “AI categorisation”. The seven below claim more than that.
NAVEX — “AI-supported case briefs and suggested rewrites”
NAVEX is the largest enterprise whistleblowing vendor in the world. EthicsPoint sits inside most Fortune 500 compliance programs.
From the whistleblowing platform page:
“Summarize complex cases with AI-supported case briefs and suggested rewrites”
“Spot recurring themes earlier through higher-level insights and analytics”

To suggest a rewrite, the model has to read the original report. NAVEX does not name the model on any public page.
EQS Integrity Line — “AI-powered summaries and transcription” in 80+ languages
EQS Group (Munich-listed) runs the largest whistleblower platform in continental Europe. From their Integrity Line page:
“AI that works for you. Handle reports in over 80 languages with AI-powered summaries and transcription, and transform voice recordings into searchable texts. Get helpful insights from past cases for faster resolution including suggestions for case categories and priorities.”

Summaries, voice transcription, and cross-case insights. 4,000+ organisations on the platform. Provider not named.
SpeakUp — “Sienna AI”: a whole AI product line
SpeakUp’s Sienna AI is not a feature; it is a sub-brand:
“Sienna AI. Compliance reimagined. The intelligence layer behind the future of compliance and ethics.”

The page markets an AI Voice Agent that has reporters “speak freely and safely” through a “guided, conversational intake”, Sienna Insights (“AI does the digging. You get the insight.”), and AI translation, transcription, and routing of submissions into the case management system. Reporters in SpeakUp’s flow are talking to a model. Provider not named.
Whispli — “Use AI to capture clearer, more complete hotline reports”
From Whispli’s Voice AI hotline page (the page title is literally “AI Whistleblowing Hotline”):
“Use AI to capture clearer, more complete hotline reports. Manage global whistleblowing hotline reporting with an AI-powered voice intake agent that captures, structures and routes cases securely across jurisdictions.”

The flow diagram on the page shows it plainly: Incoming Voice Report → Voice transcribed → Case created. The most exposed reporter, the one who picked up a phone, is talking to an AI agent. Provider not named.
FaceUp — “Voice-based AI conducts natural conversations” with whistleblowers
FaceUp is a Czech-EU platform with 3,500+ organisations across 70+ countries. Their whistleblower hotline page offers three tiers: a Live Hotline staffed by human agents, an Automated Hotline with a scripted flow, and the new AI-Powered Hotline in the middle:
“Voice-based AI conducts natural conversations, asks follow-ups, and converts calls into structured, actionable reports. Multilingual, 24/7.”

“The AI agent guides the reporter and follows up where needed to capture complete and accurate information.”
FaceUp’s three-card layout is the clearest framing of the choice in the category: a human handles the call, a scripted flow handles the call, or an AI handles the call. They sell all three and mark the AI option “new”. Provider not named.
Whistlelink — Mistral AI (France) and DeepL (Germany) named in the public DPA
Whistlelink is the only vendor of the seven that publicly names its AI providers. Their Romanian DPA, Section 5.5:
“Sub-processors: Swerolab AB (Sweden), SMSAPI (Poland), Brevo (France), OPSWAT (Germany), Glesys (Sweden), T-Systems International (Germany), Friendly Captcha (Germany), DeepL (Germany), Mistral AI (France).”

The product page explains what the AI Assistant does: “AI Assistant automatically generates concise case summaries.” Mistral is the only LLM provider on the sub-processor list above.
The Article 16 confidentiality concern still applies. But an operator signing this DPA knows what they are signing. Operators signing the other six don’t.
Ethicontrol — “ai intake agent” on the pricing page
Ethicontrol’s pricing page lists + ai intake agent for web portal and WhatsApp as a paid feature starting at the Standard tier (€174/month).
In 2026, an “intake agent” for whistleblower reports is a conversational LLM. The privacy policy and Trust Center do not name the provider.
Six of the seven won’t tell you whose AI
Of the seven above, only Whistlelink names the AI providers (Mistral, DeepL). The other six say “AI”, “AI-powered”, “Sienna AI”, or “Voice-based AI” without naming the model, the provider, the jurisdiction, or whether the inference call leaves the operator’s encryption boundary.
We searched every vendor’s privacy policy, DPA, sub-processor page, and trust center we could reach on 24 May 2026. For six, the provider is not disclosed. The feature is in the marketing copy. The disclosure is not in the legal pages.
That is the harder problem. An operator running a Data Protection Impact Assessment cannot disclose a sub-processor they cannot name, cannot assess GDPR Chapter V transfer mechanisms for a provider that has not been disclosed to them, and cannot offer the reporter a meaningful privacy notice when the architecture has a box labelled “AI” and no further detail.
Why a whistleblower reporting channel is the wrong place for AI
Article 16 of Directive 2019/1937 says the identity of the reporting person, and information from which it can be deduced, must not be disclosed to anyone beyond authorised case-handling staff. Member-state laws (HinSchG, Sapin II / Loi Waserman, Law 361/2022, the 2024 Polish Act) lift that into criminal or administrative penalties. An LLM API provider is not authorised case-handling staff. Their engineers can read prompts. Their abuse-detection systems are designed to read prompts. The Directive has no “but it was just for a summary” carve-out.
Art. 22 of the GDPR sits on top of that. AI categorisation, “suggested rewrites” of a report body, AI case briefs that an investigator reads instead of the original, and “insights” that decide investigative priority are exactly the automated decision-making the article is written about. Disclosure, DPIA, sub-processor listing with notice and objection rights, and reporter-facing transparency all attach.
A no-AI commitment removes the entire disclosure tree. The privacy notice is shorter, the DPIA is shorter, the sub-processor list is shorter, and the reporter’s expectation matches the architecture.
Our commitment
DPA §6.10: report content, reporter identity, handler messages, attachments, and audit logs are not transmitted to any large language model, generative AI service, or AI-based classifier, whether operated by us or by a third party. OpenAI, Anthropic, Google, and Mistral are named in the DPA as examples of providers we do not transmit to. A change to this would be a material change to the service, notified 30 days in advance with an objection right.
Our sub-processor list has six entries: Hetzner (EU hosting), Cloudflare (marketing-site CDN only), Mailjet (email), Stripe (billing), AppSignal (handler-side error monitoring), Crisp (handler-side chat). No AI sub-processor appears.
If you are evaluating a vendor
Ask in writing: is any large language model, generative AI service, or AI-based classifier — operated by you or by a third party — a sub-processor of report content, reporter identity, handler messages, attachments, or audit logs? Name the provider, the jurisdiction, the function, and whether it is on by default. And will you contractually commit that this answer cannot change without 30 days’ notice and an objection right?
We answered both in our DPA before anyone had to ask.