Information security policy
Effective date: 2026-05-21
Last reviewed: 2026-05-21
Next review: 2027-05-21
Owner: Yaroslav Shmarov, operator
Version: 1.0
1. Purpose
This policy states the information-security objectives that govern EthicsPortal, the controls that satisfy them, and the responsibilities that maintain them. It exists so that customers, controllers under GDPR, regulators, and procurement reviewers can refer to a single named document for the security posture of the Service.
This policy is the parent document for the business continuity plan, the risk register, and the ISO/IEC 27001:2022 Annex A control map.
2. Scope
This policy applies to:
- The EthicsPortal Service — the reporter portal, handler portal, and supporting infrastructure listed on the Security page.
- All personal data processed by the Service on behalf of customer organizations (controllers under GDPR), including report content, reporter identity, handler messages, file attachments, and audit-log entries.
- The operator and all sub-processors listed on the subprocessors page.
This policy does not extend to systems operated by the controller (the customer organization) outside the Service.
3. Objectives
EthicsPortal commits to three primary security objectives, in order of priority:
- Confidentiality of reporter identity. Personal data identifying or reasonably capable of identifying a whistleblower is protected against unauthorized disclosure to any party — including controller-side personnel who are not designated handlers, sub-processors, and the operator’s own infrastructure providers — to the extent technically feasible.
- Integrity of the audit trail. Records of who did what, when, are preserved in an append-only form that cannot be altered by any user, including organization administrators.
- Availability of the reporting channel. The reporter portal is available to whistleblowers under the SLA target so that the protected reporting right under EU Directive 2019/1937 is not silently degraded.
Confidentiality takes precedence over availability where the two conflict — the reporter portal will be taken offline in the event of a credible threat to reporter identity, with disclosure under the incident register.
4. Roles and responsibilities
EthicsPortal is operated by a single named individual, Yaroslav Shmarov, who holds all of the following responsibilities:
| Role | Responsibility |
|---|---|
| Information security officer | Owns this policy and its review |
| Data protection officer (functional) | Privacy and data-subject-rights inquiries; reachable at privacy@ethicsportal.eu and dpo@ethicsportal.eu |
| Incident response lead | Owns the response process for events meeting the incident register scope |
| Authorized signatory | Signs DPAs, security questionnaires, and commercial agreements |
| Sub-processor manager | Reviews sub-processor relationships and publishes the list on the subprocessors page |
The single-operator structure is documented openly on the Trust page. Continuity arrangements that compensate for this structure are stated in the business continuity plan.
5. Control commitments
The technical and organizational measures implementing this policy are documented on the Security page and are summarized below. Each commitment maps to one or more ISO/IEC 27001:2022 Annex A controls in the control map.
| Domain | Commitment | Detail |
|---|---|---|
| Encryption at rest | Non-deterministic encryption of all sensitive report data and reporter identity | Security#data-encryption |
| Encryption in transit | HTTPS/TLS for all connections; unencrypted HTTP is redirected | Security#data-encryption |
| Reporter anonymity | No raw IP storage; one-way hashing for rate limiting; metadata stripped from uploads | Security#anonymity-and-privacy |
| Access control | Role-based access enforced at the controller boundary via Pundit policies; least-privilege defaults; mandatory two-factor authentication available for handler accounts | Security#access-control |
| Session management | 14-day idle timeout; per-session revocation; nightly sweep | Security#access-control |
| Audit trail | Append-only, actor + action + timestamp, cannot be edited by any user | Security#audit-and-compliance |
| Retention | Customer-configurable 12/24/36/60-month retention with automatic deletion after closure | Security#audit-and-compliance |
| Secure development | Documented lifecycle covering design review, code review, static analysis, dependency management, environment separation, vulnerability response | Security#secure-development-lifecycle |
| Vulnerability management | Continuous SCA in CI; weekly Dependabot; no end-of-life components | Security#dependency-and-patch-management |
| Backup and restore | Daily encrypted database dumps + server-level snapshots in EU; RPO 24h, RTO 4h; quarterly restore drill | Security#backups-and-restore |
| Sub-processor management | Published list, 30-day change notice, controller objection right | Subprocessors, DPA §6.4 |
| No AI / LLM processing | Personal data covered by the DPA is not transmitted to any LLM, generative-AI, or AI-classifier service | DPA §6.10 |
| No BYOK | Customer-managed encryption keys are not supported; deliberate architectural choice | DPA §6.11 |
| Incident response | Material incidents recorded publicly within 7 days of containment; final report within 30 days | Incident register |
| Personal data breach notification | Notification to affected controllers within 72 hours of awareness | DPA §6.6 |
6. Risk management
Information-security risks are assessed against the Service annually and after any material change to architecture, sub-processors, or the threat landscape. The current assessment, treatment, and residual-position decisions are published in the risk register.
Risks accepted as residual are stated openly with a justification; risks not yet treated are stated openly with a target.
7. Sub-processor management
EthicsPortal engages sub-processors only where the function cannot reasonably be performed in-house and where the sub-processor materially improves availability, confidentiality, or compliance for the customer. The current list, the data each sub-processor receives, and the legal jurisdiction of each are published on the subprocessors page.
No large language model, generative-AI service, or AI-based classifier is engaged as a sub-processor. This is a documented product commitment (DPA §6.10) and a confidentiality-grade decision (Coverage map §5), not a configuration default.
Controllers are notified at least 30 days before any sub-processor is added or replaced. A controller that objects to a proposed change may terminate the agreement under DPA §6.4 without penalty.
8. Personnel security
EthicsPortal has no employees or contractors. All personal data is processed exclusively by the named operator. ISO/IEC 27001:2022 Annex A personnel controls (A.6.1 screening, A.6.3 awareness, A.6.4 disciplinary process) are therefore marked Not applicable in the control map, with the substantive concerns addressed through compensating arrangements: a privileged-production-access summary available during procurement review, operator self-directed awareness via subscribed security feeds (see ISO 27001 A.5.6), and continuity arrangements stated in the business continuity plan.
If EthicsPortal engages additional personnel in the future, this policy will be updated to state the screening, training, and offboarding procedures that apply.
9. Physical security
EthicsPortal does not operate its own physical infrastructure. Server, database, and object-storage hosting are provided by Hetzner Online GmbH in Nuremberg, Germany. Physical security controls (data-center access, environmental controls, media destruction) are inherited from Hetzner and documented in their published certifications. See subprocessors.
The operator does not maintain a physical office that processes customer data. Operator workstations used for production access are protected by full-disk encryption and screen-lock controls.
10. Compliance
EthicsPortal commits to compliance with:
- GDPR (Regulation 2016/679), particularly Articles 5, 28, 32, and 33.
- EU Directive 2019/1937 on the protection of persons who report breaches of Union law.
- National transpositions of the Directive in the customer’s country of operation. See whistleblower laws by country.
- EU Accessibility Act / EN 301 549 for the reporter-facing portal. See accessibility and the EN 301 549 conformance statement.
EthicsPortal does not currently hold ISO/IEC 27001 certification. The platform publishes a structured self-assessment against ISO/IEC 27001:2022 Annex A controls at /iso-27001/. If certification is obtained, the certificate scope and date will be published on /trust/.
11. Policy violations and enforcement
A violation of this policy by the operator is a violation of the contractual commitments to controllers and may trigger:
- A reportable entry in the incident register
- Notification to affected controllers under DPA §6.6
- Notification to the competent supervisory authority where Art. 33 GDPR requires it
Where a violation is suspected or reported, the operator is required to record, investigate, remediate, and disclose under the same process as any other security incident.
12. Document control
| Field | Value |
|---|---|
| Document title | EthicsPortal Information Security Policy |
| Version | 1.0 |
| Effective date | 2026-05-21 |
| Last reviewed | 2026-05-21 |
| Next scheduled review | 2027-05-21 |
| Review trigger (interim) | Any material change to architecture, sub-processors, regulatory obligations, or the risk register |
| Owner | Yaroslav Shmarov, operator |
| Distribution | Published on ethicsportal.eu/policies/ |
This policy is reviewed annually and after any of the interim triggers above. The effective date and version are incremented when the policy is materially revised.
Signed: Yaroslav Shmarov, on behalf of EthicsPortal — 2026-05-21.