Skip to main content Required by EU law for organizations with 50+ employees

Frequently asked questions #

For compliance officers and decision makers #

Does EthicsPortal comply with EU Directive 2019/1937? #

Yes. EthicsPortal is built specifically to meet the requirements of the EU Whistleblower Protection Directive. This includes secure reporting channels, anonymous two-way communication, deadline tracking (7-day acknowledgment, 3-month feedback), access controls, data retention policies, and a complete audit trail. See the Directive 2019/1937 coverage map for an article-by-article breakdown.

Which countries is EthicsPortal compliant in? #

EthicsPortal covers the requirements of EU Directive 2019/1937, which has been transposed into national law across EU member states. The platform is designed to meet the Directive’s baseline requirements, which apply across the EU. If your country has additional national requirements (e.g., France’s Loi Waserman), check our country-specific guides or contact us .

Can we operate the reporting channel in-house? #

Yes — Article 8(5) of Directive 2019/1937 explicitly permits it. But meeting the Directive’s conditions is structurally harder in-house.

Article 9(1) requires confidentiality of the reporter’s identity, impartial follow-up, and restricted access to reports. An in-house channel runs these through the same IT administrators, backups, and litigation-hold tooling that touch every other system in the company. A separate subdomain or mailbox does not change who has access.

GDPR adds a second problem. Whistleblowing is on the EDPB’s mandatory-DPIA list. An in-house DPIA has to document how the controller prevents itself from accessing data about itself — which is circular on its face.

External operation is contemplated in Art. 8(5) and in the national transpositions: Loi Sapin II / Waserman (FR), HinSchG §14 (DE), D.Lgs. 24/2023 (IT), Ley 2/2023 (ES).

Where is my data stored? #

Core report data is stored on Hetzner servers in Nuremberg, Germany. The marketing site is delivered via Cloudflare (United States); the reporting and handler portals are not. Hetzner is a German hosting provider subject to EU data protection law, and transfer safeguards are described in the DPA and subprocessors pages.

Is the reporting truly anonymous? #

Yes, if the reporter chooses it. Providing a name or contact information is optional. EthicsPortal does not log IP addresses, strips file metadata (EXIF, GPS, author info) from uploads, and the secure message thread never reveals the case handler’s identity to the reporter. There is no technical mechanism to trace an anonymous report back to a person.

How does the 7-day and 3-month deadline tracking work? #

When a report is submitted, EthicsPortal automatically starts two timers based on the Directive’s requirements:

Overdue reports are flagged in the dashboard, and handlers receive notifications as deadlines approach.

Do you offer a Data Processing Agreement (DPA)? #

Yes. The current DPA is published at DPA , and a countersigned PDF is available on request.

What certifications do you have? #

EthicsPortal does not currently claim ISO 27001, SOC 2, or equivalent certification on this site. We document the current security posture, subprocessors, incident disclosure, and service commitments publicly on the security , subprocessors , incidents , and SLA pages.

Who is the contracting party? #

EthicsPortal is operated by Yaroslav Shmarov, registered in Poland. Baseline contracting and procurement details are published on the trust page.

Can you support procurement review? #

Yes. Public due-diligence materials are published on the website, and additional procurement materials are available on request during procurement review. See the trust page.

Can I export case data for auditors? #

Yes. Every report can be exported to PDF, including the full message history, timeline, and audit trail. This is designed for sharing with legal counsel, auditors, or regulators. If you need an additional portability format for migration or regulatory review, contact us during procurement or offboarding review.

For employees and reporters #

Do I need to create an account to submit a report? #

No. You do not need an account, an email address, or any personal information. You visit the portal link, fill in the report, choose a 6-digit passcode, and receive a Case ID. That’s it.

Can my employer find out who I am? #

Not through EthicsPortal. If you choose to submit anonymously (without providing your name or contact details), there is no way for your employer to identify you through the platform. EthicsPortal does not log your IP address and strips identifying metadata from any files you upload.

That said, be mindful of what you write — if your report contains details that only you could know, that’s outside the platform’s control.

How do I check back on my report? #

You need two things: the Case ID (format WB-XXXX-XXXX) shown to you after submission, and the 6-digit passcode you chose. Return to the portal anytime, enter both, and see the current status or exchange messages with the case handler. Keep the Case ID somewhere safe and remember the passcode — we cannot recover the passcode and both are required.

Can I attach files to my report? #

Yes. You can upload images, PDFs, video, and audio files up to 100 MB each. All file metadata (location data, author info, camera details) is automatically stripped before storage to protect your identity.

Can I communicate with the case handler anonymously? #

Yes. The built-in message thread is fully anonymous. You see “Case handler” — never a real name. The handler sees your messages but has no way to identify you unless you choose to share that information yourself.

What happens after I submit a report? #

Your report is received by the organization’s designated case handler. Under EU law, they must acknowledge receipt within 7 days and provide substantive feedback within 3 months. You can check the status at any time using your Case ID and passcode.

For IT and technical teams #

What encryption do you use? #

All sensitive report data is encrypted at rest in the database. All connections use TLS (HTTPS). File uploads are stored encrypted on EU-hosted infrastructure.

Do you strip file metadata? #

Yes. Image uploads are stripped server-side before storage. PDF, video, and audio uploads are also processed for metadata removal in the standard production setup described on the security page . This reduces the risk of accidental identity disclosure through file properties.

Do you scan uploaded files for viruses? #

Yes. All uploaded files are scanned for malware using ClamAV, an open-source antivirus engine. Scanning happens server-side — no file data is sent to external services. Infected files are removed automatically before case handlers can access them.

Do you log IP addresses? #

The application does not store the reporter’s raw IP address in the database. Public whistleblower portal rate limiting uses a one-way hash, and application logs for portal routes are scrubbed to protect reporter anonymity. See security for the precise wording.

What third-party services do you use? #

No ad networks or third-party tracking cookies are used on the reporting portal itself.

Do you have an API? #

Not currently available. Contact us if API access is a requirement for your organization.

Do you support custom domains? #

Not currently available. All portals are served under the EthicsPortal domain.

Do you support SSO? #

Not currently available. Users sign in via magic link (passwordless email authentication).

Billing #

How much does EthicsPortal cost? #

€49/month, flat. One plan, everything included. No per-user fees, no per-report fees, no feature tiers.

Is there a free trial? #

No — create your account, pick a plan, and your portal is live in under 10 minutes. €49/month or €490/year. Cancel anytime.

Can I cancel anytime? #

Yes. Cancel from your account settings at any time. No contracts, no cancellation fees, no phone call required.

What payment methods do you accept? #

Credit and debit cards via Stripe. If you need to pay by invoice or bank transfer, email support@ethicsportal.eu .

Still have a question? #

Email support@ethicsportal.eu . You’ll hear back within one business day.

Last updated: