Trust
Everything a procurement reviewer, DPO, or legal team needs to evaluate EthicsPortal.
Last updated: 2026-05-24.
Contracting party
- Service name: EthicsPortal
- Operator: Yaroslav Shmarov
- Registered address: ul. Obrzeżna 1A, 02-691 Warsaw, Poland
- Tax identification number (NIP): 5272755790
- Authorized signatory for commercial agreements, DPAs, and security questionnaires: Yaroslav Shmarov
- Commercial contact: support@ethicsportal.eu
- Security contact: security@ethicsportal.eu
- Privacy and data protection contact: privacy@ethicsportal.eu
Registry evidence and signed contracting documents are provided on request during procurement.
Data residency and processor relationship
In the standard subscription model, the customer is the controller and EthicsPortal acts as processor for customer report data.
Core whistleblower report data, including the application, database, and file storage, is hosted in Nuremberg, Germany on Hetzner. Transactional email runs through Mailjet (France). The marketing site uses one named non-EU subprocessor, Cloudflare (CDN), listed in full on the subprocessors page. The reporting portal and handler portal do not load Cloudflare, so reporter and handler traffic is not routed through a non-EU CDN.
Continuity and personnel
Customer data is recoverable independently of operator availability. At any point during the relationship and on contract exit, customer organizations are entitled to a complete machine-readable export of their data, plus a defined wind-down period to migrate to an alternative provider. These arrangements are stated in the Data Processing Agreement and elaborated in the business continuity plan, which defines activation triggers, RPO 24 hours / RTO 4 hours, and the operator-incapacity procedure.
Backups. Daily encrypted PostgreSQL dumps to Hetzner Object Storage (EU, 7-day retention) plus Hetzner server-level snapshots (7-day retention). Last restore drill: 2026-05-14.
Personnel scope. All customer data is processed by the named operator. There are no other employees or contractors, a deliberate scope decision that removes provider-side personnel risks (background-screening gaps, joiner/leaver leakage, contractor sprawl) from the threat model. The residual single-operator risk is addressed by the operator-incapacity procedure in the business continuity plan. Privileged-access controls for the named operator are documented and available during procurement review.
Certification status
EthicsPortal does not currently claim ISO 27001, SOC 2, or equivalent certification on this site. An independent external penetration test is not currently on record. When either changes, the certification name (or test scope, date, and remediation summary) will be published here.
In place of accredited certification, EthicsPortal publishes a structured self-assessment against the same control sets that an external audit would evaluate:
- An ISO/IEC 27001:2022 Annex A control map covering all 93 controls, with status (Implemented / Self-assessed / Not applicable / Compensating control) and evidence pointers for each.
- Named policy documents at /policies/: information security policy, business continuity plan, risk register.
- A pre-filled CAIQ-aligned questionnaire for the questions whose answers are already documented publicly.
The self-assessment is the substance an accreditation would attest to. EthicsPortal publishes it directly so a procurement reviewer can evaluate the same evidence without waiting for an auditor.
Operational lifecycle
| Question | Answer |
|---|---|
| Live availability | Published at secure.ethicsportal.eu/up for the covered surfaces. See Service level agreement for measurement methodology and exclusions. |
| Session and access lifecycle | Sessions expire automatically after 14 days of inactivity and are swept nightly. Users can review and revoke their own sessions at any time. Each session records last_seen_at so stale devices are identifiable. Member deactivation cuts access at the request boundary, unassigns open reports, and removes participantships while preserving audit history. See Security. |
| Backups and restore | Daily encrypted PostgreSQL dumps to Hetzner Object Storage (EU, 7-day retention) plus Hetzner server-level snapshots (7-day retention). RPO 24 hours, RTO 4 hours. Last restore drill: 2026-05-14. See Security. |
| Dependency and patch management | Static analysis (Brakeman) and dependency vulnerability auditing (bundler-audit, importmap audit) run continuously in CI, plus weekly Dependabot updates. No end-of-life components deployed. See Security. |
| Export and deletion | PDF case export is available in-app for every case (description, messages, audit trail, attachments). Machine-readable bulk export of the full organization data set is available on request during contract exit. Contractual commitments are in the Data Processing Agreement. |
| Recovery objectives | RPO 24 hours, RTO 4 hours. See Service level agreement. |
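The session row above describes a particular ordering of checks: inactivity measured from last_seen_at, a nightly sweep, self-service revocation, and member deactivation taking effect on the next request rather than waiting for the sweep. The following is an added illustration of that lifecycle in Ruby, not EthicsPortal's own code; the stack is assumed to be Ruby because the page names Brakeman and bundler-audit, and the store, struct names, and in-memory layout are assumptions made for the example. The 14-day limit is taken from the table.

```ruby
# Added illustration of the session and access lifecycle described on the page.
# Not EthicsPortal's code: the in-memory store and struct names are assumptions.

INACTIVITY_LIMIT = 14 * 24 * 60 * 60 # 14 days of inactivity, in seconds (from the page)

Session = Struct.new(:id, :member_id, :last_seen_at, :revoked_at, keyword_init: true)
Member  = Struct.new(:id, :active, keyword_init: true)
Report  = Struct.new(:id, :assignee_id, :participant_ids, keyword_init: true)

class SessionStore
  attr_reader :sessions, :members, :reports, :audit_log

  def initialize
    @sessions = {}
    @members = {}
    @reports = {}
    @audit_log = [] # append-only; neither the sweep nor deactivation prunes it
  end

  # Inactivity is measured from last_seen_at, which every successful
  # authorize call refreshes, not from when the session was created.
  def expired?(session, now)
    now - session.last_seen_at >= INACTIVITY_LIMIT
  end

  # Nightly job: drop sessions idle for 14 days or more. Returns the deleted
  # ids so an operator (or a test) can confirm exactly what was removed.
  def sweep(now)
    stale = @sessions.values.select { |s| expired?(s, now) }
    stale.each { |s| @sessions.delete(s.id) }
    stale.map(&:id)
  end

  # Request-boundary check. A request is served only if the session exists,
  # has not been revoked, is inside the inactivity window, AND the member is
  # still active. Because the member check happens here, deactivation cuts
  # access on the very next request without waiting for the nightly sweep.
  def authorize(session_id, now)
    s = @sessions[session_id]
    return :no_session unless s
    return :revoked if s.revoked_at
    return :expired if expired?(s, now)
    return :member_deactivated unless @members.fetch(s.member_id).active

    s.last_seen_at = now # refresh the inactivity clock on success only
    :ok
  end

  # Self-service revocation: a member may revoke only their own sessions.
  def revoke(member_id, session_id, now)
    s = @sessions[session_id]
    return false unless s && s.member_id == member_id

    s.revoked_at = now
    @audit_log << { at: now, event: :session_revoked, member_id: member_id, session_id: session_id }
    true
  end

  # Deactivation unassigns open reports and removes participantships, but the
  # audit log entry is added, never removed, so history is preserved.
  def deactivate_member(member_id, now)
    @members.fetch(member_id).active = false
    @reports.each_value do |r|
      r.assignee_id = nil if r.assignee_id == member_id
      r.participant_ids.delete(member_id)
    end
    @audit_log << { at: now, event: :member_deactivated, member_id: member_id }
    true
  end
end
```

The point worth checking in any real implementation is the order of checks in `authorize`: the member-active check must run on every request, not only at login, otherwise a deactivated member keeps access until their session happens to expire.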
Contracting positions
A single source of truth for the contractual questions enterprise procurement teams most often ask. Each row links to the document that controls.
| Item | EthicsPortal position |
|---|---|
| Aggregate liability cap | The fees paid in the 12 months preceding the event giving rise to the claim (Terms §11). The Data Processing Agreement, Service Level Agreement, and intellectual-property indemnity all fold into the same aggregate cap. |
| Intellectual-property infringement indemnity | The operator will defend the Controller against third-party copyright, trademark, or patent claims arising from use of the Service in accordance with the Terms, subject to standard carve-outs (customer modifications, unauthorized use, non-authorized combinations) and the aggregate liability cap. See Terms §12. |
| Breach notification window | Without undue delay and in any case within 72 hours of becoming aware (DPA §6.6), aligned with Art. 33 GDPR. No shorter window is contractually offered on self-serve plans: a fixed shorter deadline would force notification before the facts Art. 33(3) requires (nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, measures taken) can be established. Reviewers should note that the Controller's own 72-hour clock for notifying the supervisory authority under Art. 33(1) runs from when the Controller becomes aware. |
| Audit rights | Per Art. 28(3)(h) GDPR, on at least 30 days’ advance notice and during normal business hours (DPA §6.9). The Processor will respond to written security questionnaires in lieu of on-site audit where the Controller’s review can be satisfied that way. |
| Service credits | Self-serve plans do not include monetary service credits. Remedies for material or repeated availability failures are governed by the aggregate liability cap (SLA). |
| Customer-managed encryption keys (BYOK / external KMS) | Not supported. Processor-managed keys are required to maintain the reporter–handler key boundary and the end-to-end deletion guarantee. See DPA §6.11. |
| Source code escrow | Not offered. Continuity is handled through the operator-incapacity provisions of the business continuity plan and the Controller’s data-export and deletion rights under DPA §6.8. |
| Sub-processor change notice | At least 30 days before adding or replacing a sub-processor; the Controller may object and terminate if no resolution is reached (DPA §6.4). |
| Data export and deletion on exit | Self-service PDF case export in-product, plus machine-readable bulk export on request during exit, plus deletion within 30 days of subscription termination on written request (DPA §6.8). |
| Cyber liability insurance | Under review. Coverage amount and carrier will be published here when in place. |
| Independent external penetration test | None currently on record. Scope, date, and remediation summary will be published here when one is performed. |
| Governing law and venue | Laws of Poland; courts of Warsaw (Terms §13). EU consumers retain the right to proceedings in their country of residence. |
These positions are reflected in the published Terms of Service, Data Processing Agreement, and Service level agreement. Material deviations are not granted on self-serve plans.
Public documents
Everything a procurement reviewer needs is published openly. Grouped by what the document does.
Contractual
What governs the relationship between EthicsPortal and the customer.
| Document | Purpose |
|---|---|
| Terms of service | Subscription terms, cancellation, refunds, liability cap, IP indemnity |
| Data Processing Agreement | Processor terms under GDPR Art. 28 |
| Service level agreement | Availability target and measurement |
| Privacy policy | How personal data is handled |
Operational
How the Service runs day-to-day and who else is involved.
| Document | Purpose |
|---|---|
| Security | Technical and organizational measures |
| Subprocessors | Named subprocessors and their scope |
| Incident register | Material incidents affecting personal data |
| Accessibility | EAA / EN 301 549 conformance status |
Directive reference
How EthicsPortal maps to, and reads, EU Directive 2019/1937.
| Document | Purpose |
|---|---|
| Directive 2019/1937 coverage map | Feature-to-Directive 2019/1937 article map |
| Directive 2019/1937 interpretations | Interpretive positions on ambiguous Directive provisions |
| Whistleblower laws by country | National transpositions, enforcement authorities |
| Penalties by country | Fines and criminal liability per Member State |
Self-assessment
Named policy documents and the control mappings an external audit would evaluate.
| Document | Purpose |
|---|---|
| Information security policy | Statement of intent, scope, roles, control commitments |
| Business continuity plan | Activation triggers, recovery objectives, operator-incapacity disclosure |
| Risk register | Top risks, treatment, residual position |
| ISO/IEC 27001:2022 Annex A control map | Structured self-assessment against all 93 controls |
| CAIQ-aligned questionnaire | Pre-filled vendor security assessment (CSA CAIQ v4 domain structure) |
Available during procurement review
The following materials are shared in controlled disclosure rather than published openly:
- Signed DPA
- Registry extract and NIP / tax proof
- Completed security questionnaire
- Privileged production-access summary
- Incident-response summary
- Business continuity, exit, and customer-export responses
- External penetration test summary (when on record)
To request these, email support@ethicsportal.eu. For security-review questions, email security@ethicsportal.eu.