Effective date: 2026-05-21
Last reviewed: 2026-05-21
Next review: 2027-05-21
Owner: Yaroslav Shmarov, operator
Version: 1.0
This register lists the top information-security risks assessed against EthicsPortal, the treatment in place, and the residual position the operator has consciously accepted. It exists so that a controller, auditor, or procurement reviewer can verify that the most material risks have been thought about, not just the ones convenient to mention.
Treatment
Self-service PDF case export available to every organization admin without operator intervention. DPA §6.8 deletion-and-return rights are enforceable independent of operator availability. Application is Kamal-deployed and portable to another EU operator.
Residual position
In treatment. A formal operator-incapacity protocol with a named legal contact is on the roadmap and not yet in place. See the Business continuity plan §8 for the full disclosure of what is and is not in place today. Controllers concerned about this gap are encouraged to take regular self-service exports.
Treatment
Daily encrypted database dumps to Hetzner Object Storage (separate from compute host) plus Hetzner server-level snapshots; quarterly restore drills into a disposable environment (Security#backups-and-restore). Kamal deployment configuration is portable to an alternative EU provider for a prolonged-outage scenario.
Residual position
Accepted. A regional Hetzner outage may consume part of the 99.5% monthly SLA budget. Cross-provider hot failover is not in place because the additional sub-processor footprint, key-distribution surface, and operational complexity outweigh the marginal availability gain at the current customer footprint. Re-evaluated annually against the SLA target.
Inherent impact
Medium–High (varies by sub-processor and data category)
Inherent likelihood
Low
Treatment
Minimization: each sub-processor receives only the personal-data category required for its function (see Subprocessors for the per-row breakdown). Encryption-at-rest under processor-managed keys means that a sub-processor with database access does not have plaintext access to report content or reporter identity (Security#data-encryption). 30-day sub-processor change notice and controller objection right (DPA §6.4).
Residual position
Accepted. No personal data covered by the DPA is transmitted to any sub-processor whose breach would expose reporter identity in plaintext. The reporter portal loads neither Cloudflare nor Crisp, and no LLM sub-processor exists. The residual risk is operational metadata (handler email, billing contact) held at sub-processors whose breach would not compromise reporter confidentiality.
Treatment
Hardware-backed two-factor authentication on all operator accounts that have production access (cloud provider, deployment, code hosting, email, password manager). Production database access requires the operator’s authenticated session; credentials are not embedded in code or shared. Append-only audit log records all actions taken by any account, including the operator’s, and cannot be edited by any user (Security#audit-and-compliance).
Residual position
Monitored. The risk is materially lower than typical SaaS because there are no employee credentials to compromise — the attack surface reduces to one identity. Monitored via AppSignal alerts for anomalous handler-portal authentication patterns. Trigger for re-treatment: a credible phishing attempt against the operator, or a CVE affecting the hardware-key path.
Treatment
Two complementary backup layers (database dump and server-level snapshot) in independent retention scopes. Restore drill performed at least quarterly into a disposable environment; drill date is published on Security#backups-and-restore. Restore procedure documented in the Business continuity plan §6.
Residual position
Accepted. RPO 24 hours and RTO 4 hours are stated in the SLA. Data written within the 24 hours preceding a catastrophic failure may be lost; this trade-off is disclosed.
Treatment
The Service does not store reporter IP addresses in the database; rate limiting uses a one-way hash that is not reversible. Application logs for reporter routes are scrubbed. File uploads have metadata stripped (EXIF / GPS / author) server-side before storage. See Security#anonymity-and-privacy.
Residual position
Accepted. Network-side attribution (the reporter’s ISP, the reporter’s employer’s egress proxy, a man-in-the-middle, or a corporate-device endpoint agent) is outside the processor boundary and cannot be controlled by the Service. Reporters are informed of this on the portal and may choose to report from a personal device on an external network, or via Tor. This residual is disclosed to reporters at the point of submission, which is the only place the trade-off can be acted upon.
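As an added example (not EthicsPortal's own code), the rate-limit pattern the treatment above describes: the reporter's IP is reduced to a keyed one-way token before it is counted, so the store never holds the address. It assumes a server-side secret pepper (a hypothetical RATE_LIMIT_PEPPER) and a 10-minute window with five requests; keying the hash is this example's choice, since an unkeyed digest of an IPv4 address can be matched against a precomputed table of the whole address space, and whether the Service keys its hash is not stated here.

```ruby
require "openssl"

# Rate limiter that never stores a raw reporter IP: the address is reduced to
# an HMAC-SHA256 token under a server-side pepper, and only the token plus a
# request count per time window are kept. Added example, not EthicsPortal code.
class AnonymousRateLimiter
  WINDOW_SECONDS = 600 # assumed 10-minute window
  MAX_REQUESTS   = 5   # assumed per-window allowance for reporter routes

  def initialize(pepper:, clock: -> { Time.now.to_i })
    @pepper = pepper      # hypothetical RATE_LIMIT_PEPPER; lives in secrets, never beside the counts
    @clock  = clock       # injectable so window rollover can be tested deterministically
    @counts = Hash.new(0) # { [token, window_index] => count }; stands in for the real store
  end

  # One-way and keyed: the same IP always yields the same token, but without the
  # pepper the token can be neither reversed nor matched by enumerating addresses.
  def token_for(ip)
    OpenSSL::HMAC.hexdigest("SHA256", @pepper, ip.strip)
  end

  # True when the request is allowed, false once the current window is exhausted.
  def allow?(ip)
    key = [token_for(ip), @clock.call / WINDOW_SECONDS]
    return false if @counts[key] >= MAX_REQUESTS

    @counts[key] += 1
    true
  end

  # What the store actually holds: tokens only, never addresses.
  def stored_tokens
    @counts.keys.map(&:first).uniq
  end
end
```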
R-07. Critical vulnerability in upstream dependency
Inherent impact
Medium–High
Inherent likelihood
Medium
Treatment
Continuous SCA on every change: Brakeman for Rails-specific issues, bundler-audit for Ruby advisories, importmap audit for JavaScript imports, Dependabot for weekly grouped updates. End-of-life components are replaced before their upstream support window closes. See Security#secure-development-lifecycle and Security#dependency-and-patch-management. Documented vulnerability-response timelines: critical 7 days, high 30 days, medium 90 days.
Residual position
Monitored. The Rails ecosystem is well-staffed for security disclosures. Trigger for re-treatment: a zero-day affecting Rails request-handling, ActiveRecord encryption, or PostgreSQL with no available patch.
Treatment
Audit-log entries are written append-only and cannot be edited or deleted by any user, including organization administrators. Entries are included in PDF case exports for regulatory review. Database-level access to the audit-log table is not exposed through the application surface. See Security#audit-and-compliance.
Residual position
Accepted. A privileged database-level intervention by the operator could, in principle, alter audit-log rows. This is the same intervention that could be used to read encrypted columns and is governed by the privileged-access summary available during procurement review. The append-only contract holds at the application surface, which is where customer trust is placed.
Medium (reporters are anonymous and may not have password-recovery channels)
Treatment
The 6-digit passcode is stored only as a bcrypt digest and cannot be recovered by the operator or by any handler. Reporters are informed at submission that the passcode is non-recoverable. Handlers may invite a reporter to re-submit or continue the conversation by an alternative channel.
Residual position
Accepted by design. Recoverability of the passcode is incompatible with the reporter-anonymity model: a recovery channel would require an identifier (email, phone) that defeats anonymity, or an operator-side reset that would allow the operator to impersonate the reporter. The trade-off is disclosed to reporters at the point of choosing the passcode.
Medium (Member-State transpositions and AI-Act delegated acts continue to evolve)
Treatment
Interpretive positions on ambiguous Directive 2019/1937 provisions are documented openly in the Directive 2019/1937 interpretations, so a controller can verify alignment with their counsel’s reading before subscribing. Per-country law summaries are published in whistleblower laws by country and reviewed when national-law text changes. Material changes to processing (sub-processors, AI use, transfers) are notified to controllers under DPA §6.4.
Residual position
Monitored. Trigger for re-treatment: ECJ judgment on a Directive 2019/1937 question that contradicts a published interpretation; CJEU judgment on international-transfer adequacy affecting an EU sub-processor; AI-Act delegated act extending obligations to AI-free processors.
The following are recognized risk categories that this register deliberately omits because they are eliminated by design rather than treated:
AI / LLM exposure of report content. No LLM, generative-AI, or AI-classifier service is engaged as a sub-processor. Report content is not transmitted to such services for any purpose. The attack surface (prompt injection, hallucinated compliance evidence, unauthorized retention by third parties) is therefore not present. Source: DPA §6.10.
Reporter PII shared with handlers without justification. The Service does not surface reporter IP, browser fingerprint, or device identifiers to handlers, because none of these are collected or stored.
Cross-tenant data leakage at the application layer. Pundit-policy authorization is checked on every controller action; multi-tenant isolation is enforced at the request boundary, not via row-level visibility filters that can be bypassed.
If any of these design constraints changes, the risk re-enters this register.