# Security
EthicsPortal handles sensitive whistleblower data. This page documents the specific technical and organizational measures we have in place. It is written for compliance officers, DPOs, and legal teams evaluating the platform.
Last updated: April 2026.
## Data encryption
All sensitive fields are encrypted at rest using Rails ActiveRecord Encryption in non-deterministic mode: each encryption of the same plaintext produces a different ciphertext, so equal values cannot be correlated across records (preventing pattern analysis).
| Field | Encrypted | Deterministic |
|---|---|---|
| Report description | Yes | No |
| Reporter name | Yes | No |
| Reporter contact details | Yes | No |
| Message body (reporter–handler communication) | Yes | No |
Non-deterministic encryption means these fields cannot be queried by value at the database level. Even with full database access (but without the encryption keys), an attacker cannot search for a specific reporter name across records, nor tell which records share the same value.
All connections to EthicsPortal use HTTPS/TLS. Unencrypted HTTP requests are redirected to HTTPS.
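To make the difference concrete, here is an added illustration (not EthicsPortal's code) of the two modes with a minimal AES-256-GCM stand-in for ActiveRecord Encryption: non-deterministic mode uses a fresh random IV per write, deterministic mode derives the IV from the plaintext. The key and sample reporter names are constructed, and `correlatable_groups` plays the role of someone holding a database dump without the key.

```ruby
require "openssl"
require "securerandom"

# Added illustration (not EthicsPortal's code): a minimal stand-in for the two
# ActiveRecord Encryption modes. Key handling and serialization are simplified.
KEY = OpenSSL::Digest.digest("SHA256", "constructed demo key, not a real secret")

# Encrypts +plaintext+ with AES-256-GCM. Non-deterministic mode draws a fresh
# random IV per call; deterministic mode derives the IV from the plaintext, so
# equal plaintexts yield equal ciphertexts and become searchable by equality.
def encrypt(plaintext, deterministic: false)
  iv = if deterministic
         OpenSSL::HMAC.digest("SHA256", KEY, plaintext)[0, 12]
       else
         SecureRandom.random_bytes(12)
       end
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = KEY
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def decrypt(record)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = KEY
  cipher.iv = record[:iv]
  cipher.auth_tag = record[:tag]
  cipher.update(record[:ciphertext]) + cipher.final
end

# Given stored rows (what a database dump exposes: ciphertext bytes, no key),
# returns groups of row ids whose ciphertexts are identical. Each group leaks
# that those rows hold the same plaintext even though the value stays hidden.
# This is the pattern analysis that non-deterministic encryption prevents.
def correlatable_groups(rows)
  rows.group_by { |r| r[:ciphertext] }.values
      .select { |group| group.size > 1 }
      .map { |group| group.map { |r| r[:id] } }
end

# Constructed sample: three reports, two filed by the same reporter.
NAMES = { 1 => "Alice Example", 2 => "Bob Example", 3 => "Alice Example" }

def stored_rows(deterministic:)
  NAMES.map { |id, name| encrypt(name, deterministic: deterministic).merge(id: id) }
end
```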
## Anonymity and privacy
### IP anonymization
EthicsPortal never stores IP addresses. Portal routes (report submission, case lookup, messaging) use a one-way SHA256 hash of the IP address solely for rate limiting. The hash is not reversible: the original IP cannot be derived from the stored value.
This applies to all portal-facing endpoints. No IP address is written to any log, database field, or analytics system.
### File metadata stripping
Uploaded files are automatically stripped of identifying metadata before storage:
| File type | Metadata removed | Method |
|---|---|---|
| Images (JPEG, PNG, TIFF, WebP) | EXIF data: GPS coordinates, camera model, device serial number, author, timestamps | Vips image processing |
| PDF documents | Author, creator application, modification history | exiftool |
| Video files | GPS, device info, recording software | exiftool |
| Audio files | Recording device, GPS, software tags | exiftool |
Reporters do not need to clean their files before uploading: metadata is removed server-side regardless of what the file contains.
### Virus scanning
All uploaded files are automatically scanned for malware using ClamAV, an open-source antivirus engine. Scanning happens server-side in a background process after upload. Infected files are removed automatically and never reach case handlers.
Files are scanned on EthicsPortal infrastructure — no file data is sent to third-party scanning services.
### Handler anonymity
Whistleblowers never see the real names or email addresses of the people handling their report. All messages from handlers are displayed as “Case handler”. This protects handler identity and prevents social engineering.
### No tracking
EthicsPortal does not use third-party tracking cookies, advertising pixels, or fingerprinting scripts. We use Cloudflare Web Analytics on marketing pages only — it is cookie-free, collects no personal data, and is fully GDPR-compliant. The whistleblower portal itself has no analytics.
## Access control
Authorization is enforced at the application level using Pundit policies.
| Role | Can view reports | Can manage organization settings | Can assign handlers |
|---|---|---|---|
| Admin | All reports | Yes | Yes |
| Handler | Only assigned reports | No | No |
- Handlers cannot see reports they are not assigned to.
- Reporters have no user account — they access their report via a unique, randomly generated access code.
- Every controller action checks authorization. Unauthorized access attempts are blocked and logged.
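The role table and the three rules above, written as an added example (not EthicsPortal's own policy) in the Pundit convention: a plain-Ruby `ReportPolicy` with `initialize(user, record)`, predicate methods and a nested `Scope`. `User`, `Report` and the `authorize!` helper that records denied attempts are constructed stand-ins.

```ruby
# Added example (not EthicsPortal's code): a plain-Ruby policy in the Pundit
# convention (initialize(user, record), predicate methods, nested Scope). Roles
# and the "assigned reports" rule follow the table above; User and Report are
# constructed stand-ins for the application's models.
User   = Struct.new(:id, :role, keyword_init: true)
Report = Struct.new(:id, :handler_ids, keyword_init: true)

class ReportPolicy
  def initialize(user, record)
    @user, @record = user, record
  end

  # Admins see every report; handlers see only reports assigned to them.
  def show?
    @user.role == :admin || @record.handler_ids.include?(@user.id)
  end

  # Organization settings and handler assignment are admin-only.
  def manage_settings?; @user.role == :admin; end
  def assign_handler?;  @user.role == :admin; end

  # Scope applies the same rule to a collection, so an index page never lists
  # a report the current user could not open.
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      return @scope if @user.role == :admin
      @scope.select { |report| report.handler_ids.include?(@user.id) }
    end
  end
end

# Constructed sample data: one admin, one handler, two reports.
ADMIN   = User.new(id: 1, role: :admin)
HANDLER = User.new(id: 2, role: :handler)
REPORTS = [Report.new(id: 10, handler_ids: [2]), Report.new(id: 11, handler_ids: [3])]

# Emulates the per-action controller check: true when allowed, otherwise the
# attempt is recorded and false returned (Pundit itself raises; assumption here).
DENIED = []
def authorize!(user, report, action)
  return true if ReportPolicy.new(user, report).public_send(action)
  DENIED << { user_id: user.id, report_id: report.id, action: action }
  false
end
```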
## Rate limiting
Public portal endpoints are rate-limited to prevent abuse and enumeration attacks:
| Endpoint | Limit |
|---|---|
| Report submission | 5 per 10 minutes per anonymized IP |
| Case lookup (access code) | 10 per 3 minutes per anonymized IP |
| Message submission | 10 per 3 minutes per anonymized IP |
Rate limiting uses the one-way IP hash described above — no actual IP is stored.
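An added example (not EthicsPortal's implementation) tying the IP anonymization section and the limits table together: a sliding-window limiter keyed on an IP digest. Because the IPv4 space is only 2^32 values, an unkeyed SHA256 of an address can be matched against a precomputed table, so this version keys the digest with a server-side secret (HMAC-SHA256); the secret constant, the in-memory store and the injectable clock are assumptions for the example.

```ruby
require "openssl"

# Added example (not EthicsPortal's code). The page describes a one-way SHA256
# hash of the client IP as the rate-limit key. Because the IPv4 space is only
# 2^32 values, an unkeyed hash can be matched against a precomputed table, so
# this version keys the digest with a server-side secret (HMAC-SHA256); the
# secret name and the in-memory store are assumptions for the example.
RATE_LIMIT_SECRET = "constructed demo secret; load from credentials in practice"

# Returns a fixed-length hex digest that stands in for the IP everywhere the
# app needs to count requests. The IP itself is never written anywhere.
def anonymize_ip(ip)
  OpenSSL::HMAC.hexdigest("SHA256", RATE_LIMIT_SECRET, ip)
end

# Limits from the table above: [max requests, window in seconds].
LIMITS = {
  report_submission:  [5, 600],
  case_lookup:        [10, 180],
  message_submission: [10, 180],
}.freeze

# Sliding-window counter keyed on (endpoint, anonymized IP). +now+ is
# injectable so the window behaviour can be exercised without waiting.
class RateLimiter
  def initialize
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Records the request and returns true if it is within the limit, false if
  # it must be rejected. The stored key contains the digest only.
  def allow?(endpoint, ip, now: Time.now.to_f)
    max, window = LIMITS.fetch(endpoint)
    key = [endpoint, anonymize_ip(ip)]
    timestamps = @hits[key]
    timestamps.reject! { |t| t <= now - window }
    return false if timestamps.size >= max
    timestamps << now
    true
  end

  # Exposes what the store actually holds, so a reviewer can confirm that no
  # raw IP appears in it.
  def stored_keys
    @hits.keys
  end
end
```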
## Audit and compliance
### Immutable audit trail
Every action in EthicsPortal is logged with:
- Timestamp (UTC)
- Actor (which user or system process performed the action)
- Action type (report created, status changed, message sent, handler assigned, report viewed, report exported, report deleted, etc.)
Audit log entries are append-only. They cannot be edited or deleted by any user, including organization admins. The full audit trail is included in PDF case exports for regulatory review.
### Data retention
Organizations configure their own retention period: 12, 24, 36, or 60 months after a report is closed. When the retention period expires, the report and all associated data (messages, attachments, audit log entries) are automatically and permanently deleted by a background job.
This satisfies GDPR storage limitation requirements (Art. 5(1)(e)) and Directive 2019/1937 record-keeping obligations (Art. 17–18).
## CSRF protection
All form submissions are protected against cross-site request forgery using Rails’ built-in CSRF tokens.
## Infrastructure
| Component | Provider | Location |
|---|---|---|
| Application server and database | Hetzner | Nuremberg, Germany (EU) |
| File storage | Cloudflare R2 | EU |
| Transactional email | Postmark | US (with EU processing, Standard Contractual Clauses) |
| Payment processing | Stripe | EU |
- All primary data processing occurs within the European Union.
- No credit card numbers or payment credentials are stored on EthicsPortal servers. All payment data is handled by Stripe.
- Postmark is used for transactional email (handler notifications, not whistleblower-facing). Email delivery to US servers is covered by Standard Contractual Clauses.
## Responsible disclosure
If you discover a security vulnerability in EthicsPortal, please report it to [email protected]. We ask that you:
- Do not publicly disclose the vulnerability before we have had a chance to address it.
- Provide enough detail for us to reproduce and fix the issue.
- Do not access or modify other customers’ data.
We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities promptly.