A fully compliant reporting channel, operational in minutes #
EthicsPortal provides a fully configured whistleblower reporting channel that meets EU Directive 2019/1937 out of the box. No implementation project, no IT department required.
For the article-by-article map of how each feature satisfies the Directive, see the Directive 2019/1937 coverage map . For interpretive positions on the Directive’s ambiguous provisions, see the Directive 2019/1937 interpretations .
Set up in 3 steps #
1. Configure your portal (2 minutes) #
Create your account, then customize:
- Organization name and logo: your portal, your identity
- Report categories: fraud, harassment, safety, or define your own
- Welcome text: reassure reporters before they submit (a sensible default is pre-filled)
- Data retention period: 12, 24, 36, or 60 months, then auto-deleted
Your portal is live instantly at a unique URL. No deployment, no waiting.
2. Share the link (1 minute) #
Every portal gets a shareable link and a QR code. Put the QR code in break rooms, bathroom stalls, the employee handbook, onboarding packs. Employees access the portal from any browser. No app, account, or company network is required.
See EthicsPortal’s own reporting channel in production: secure.ethicsportal.eu/p/BiPdmk .
3. Start managing cases #
When a report comes in, you get an email notification. From the dashboard:
- Read the full report: description, category, and uploaded files
- Acknowledge receipt: the Directive requires this within 7 days. EthicsPortal tracks the deadline and flags overdue cases automatically
- Communicate with the reporter: secure two-way messaging via access code. The reporter stays anonymous, your handler names are never revealed
- Provide feedback: the Directive requires this within 3 months. Tracked automatically
- Assign, triage, add internal notes: route cases to the right handler, add notes invisible to the reporter
- Export to PDF: generate a complete case file for legal review, auditors, or compliance documentation
- Log external reports: received a report by phone, email, or in person? Create it manually so everything lives in one place
What reporters experience #
The reporter’s experience matters because it determines whether people actually use the channel.
- No account, no app, no login. Just a browser on any device, including a personal phone on mobile data
- Fully anonymous by default. No IP logging. File metadata (EXIF, GPS, author) stripped automatically before storage
- Optional identity disclosure. Reporters can share their name if they choose to. It is never required
- Two-factor case access. The reporter chooses a 6-digit passcode at submission and receives a Case ID (
WB-XXXX-XXXX). Both are required to check back for updates and respond to handler messages - Handler names are never shown. The reporter sees “Case handler” and nothing more
What’s under the hood #
Every technical decision serves one purpose: keeping you compliant and your reporters protected.
- Encrypted at rest. All report data is encrypted in the database
- Virus scanning. All uploaded files are scanned for malware server-side. Infected files are removed automatically
- Append-only audit trail. Every action is logged. Entries cannot be modified after creation. Auditors get who did what, when
- Two-factor authentication. TOTP-based 2FA for handler and admin accounts, via any standard authenticator app. Reporters authenticate with two factors as well: Case ID plus a reporter-chosen 6-digit passcode (stored only as a bcrypt digest)
- Automatic deadline tracking. 7-day acknowledgment and 3-month feedback deadlines with overdue notifications
- EU-hosted report data. Core report data is stored on Hetzner servers in Nuremberg, Germany. The marketing site is delivered via Cloudflare (CDN, United States); the reporting and handler portals are not. Transfer safeguards are documented in the published subprocessor list
- No tracking. No IP logging, no analytics cookies, no third-party scripts on the reporting portal
Deploy your reporting channel #
Operational in minutes. All features included in a single plan.
Last updated: