EthicsPortal
Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

EU SMEs (50+ employees) wanting flat-rate, EU-hosted reporting without enterprise sales engagement.
Distinctive features
- Flat €60/month regardless of headcount, users, or report volume
- EXIF, GPS, and author metadata stripped from uploads automatically
- Article-by-article mapping of features to Directive 2019/1937, plus a dedicated public page for each of the 27 EU member-state transpositions
- In-portal oral reporting (Art 9(2)(b)) with automatic voice anonymization — the reporter's raw voice is pitch-shifted and the original audio purged, never persisted past processing
Notable
- Single flat plan; pricing does not vary by employee count, report volume, or user count.
- Reporter and handler UI are available in English, Bulgarian, German, Greek, French, Croatian, Luxembourgish, Polish, and Romanian (9 locales total; 8 EU official languages plus Luxembourgish).
- Vendor publishes an article-by-article mapping of features to EU Directive 2019/1937, plus a dedicated public page at `/whistleblower-laws/<country>/` for each of the 27 EU member-state transpositions, citing official law text and external authorities.
- File uploads are stripped of EXIF, GPS, and author metadata before storage.
- No reporter IP addresses are stored; rate limiting uses one-way hashes.
- End-to-end encryption of all personal data claimed on the vendor compliance page; sensitive fields (report descriptions, reporter contact, message bodies) are additionally encrypted at rest using non-deterministic encryption.
- Append-only audit trail (PostgreSQL trigger blocks UPDATE on semantic fields and TRUNCATE) logs every action with timestamp, actor, and action type; complete audit log of submissions, status changes, messages, assignments, and report views is now visible to handlers as a Turbo Frame tab on each report.
- Two-factor authentication available for handler and admin accounts, with onboarding step prompting setup.
- Reporter access uses two factors: a case reference (format `WB-XXXX-XXXX`) plus a 6-digit passcode chosen by the reporter at submission. The passcode is stored only as a bcrypt digest and cannot be recovered. The follow-up inbox and message-posting are gated on the passcode check; no account creation is required. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged).
- Configurable data retention: 12, 24, 36, or 60 months, with automatic deletion of expired closed reports.
- 7-day acknowledgement and 3-month feedback deadlines tracked automatically with overdue notifications and a lifecycle stepper UI.
- Closure reason captured as a structured enum (action_taken, no_action_needed, outside_reporting_scope, sent_to_external_authority, withdrawn_by_reporting_person) aligned with Directive Art 9(1)(c) feedback obligations.
- Oral reporting (Directive Art 9(2)(b)) is supported directly in the portal: reporters can record a voice message at submission. Anonymization is always-on and irreversible — a background job pitch-shifts the audio, attaches only the altered MP3, and purges the original blob, so the reporter’s true voice never persists past processing. The pipeline fails closed: until conversion succeeds the recording is hidden from handlers, and on permanent failure the raw audio is purged rather than retained.
- Admins can export an organisation-level compliance report PDF directly from the dashboard.
- Handlers can manually log reports received by phone, email, or in person.
- Report categories are mapped to the Directive’s Art 2(1) Union-law domains: each category carries a `:directive` tag (with article reference) or a `:national` tag, the article surfaces as a badge on the handler-facing report detail, and reporters continue to choose from plain-language groups.
- Structured intake questionnaire: five optional, Directive-aligned questions — relationship to the organization (Art 4 personal scope), how the reporter knows, when/how often it happened, whether it was reported before, and whether the reporter fears or faces retaliation (Art 19) — presented as a skippable guided step on the reporter form so anonymity is never compromised by a required answer. Answers are encrypted at rest, shown to handlers and in the PDF export, and a retaliation concern is surfaced as a prominent urgency badge. The same questions are available when a handler logs an offline (phone/in-person) report.
- Three membership role tiers: member (handler), admin, and viewer — a read-only seat for auditors and external legal counsel that can see every report and the full audit trail but cannot act on a case or manage the organisation.
- Organization-level GDPR Art 20 data export: an admin can request a ZIP of the full tenant dataset (reports, messages, attachments, with encrypted fields decrypted for portability); the request and the download are both audit-logged, access is admin-only through the app’s Active Storage authorization, and the ZIP auto-purges after 7 days.
- Deleting an organisation that holds reports is a retention-aware soft-delete, not an instant wipe: the org disappears for users immediately while its reports ride out their per-portal retention windows and are auto-purged afterward, preserving the Directive’s retention obligation. Orgs with no reports still hard-delete immediately.
- No public API or third-party integrations published.
- Hosted in Hetzner’s Nuremberg data-centre park, which holds ISO/IEC 27001:2022 certification (audited by SOCOTEC) covering infrastructure, operation, and customer support. EthicsPortal itself is not separately ISO 27001 certified.
- Published DPA grants the Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6).
- Zero-AI commitment codified in DPA §6.10 and on the public subprocessor list: no LLM or AI inference provider is in the data chain.
- Accessibility statement at /accessibility/ declares WCAG 2.2 Level AA and EN 301 549 V3.2.3 conformance posture, with non-conformances enumerated and a detailed conformance table at /en-301-549-conformance/.
- Users can review and revoke their own active sessions; each session records `last_seen_at`, so stale devices are identifiable.
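The reporter access model above (case reference plus a passcode that is stored only as a one-way digest, with abuse throttling that never stores a reporter IP) is illustrated by the following added example. This is not EthicsPortal's code; it assumes PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library as a stand-in for the bcrypt the page describes, and the pepper, window length, attempt cap and case-reference alphabet are constructed values.

```ruby
# Added illustration, not EthicsPortal's code: a reporter follow-up gate that
# stores only a one-way digest of the 6-digit passcode and throttles guesses
# per client without ever storing the client IP.
# Assumptions (constructed here, not from the page): PBKDF2-HMAC-SHA256 from
# Ruby's OpenSSL stdlib stands in for bcrypt; the pepper, window and attempt cap
# are example values.
require "openssl"
require "securerandom"

PBKDF2_ITERATIONS = 100_000   # work factor; bcrypt's cost parameter plays this role in the product
RATE_LIMIT_PEPPER = "constructed-server-side-secret-not-stored-with-the-hashes"
MAX_FAILURES_PER_WINDOW = 5
WINDOW_SECONDS = 600

# Case references in the page's WB-XXXX-XXXX shape; ambiguous glyphs (0/O, 1/I) left out.
CASE_ALPHABET = %w[2 3 4 5 6 7 8 9 B C D F G H J K L M N P Q R S T V W X Z].freeze

def generate_case_reference
  block = -> { Array.new(4) { CASE_ALPHABET[SecureRandom.random_number(CASE_ALPHABET.size)] }.join }
  "WB-#{block.call}-#{block.call}"
end

def pbkdf2(passcode, salt)
  OpenSSL::KDF.pbkdf2_hmac(passcode, salt: salt, iterations: PBKDF2_ITERATIONS, length: 32, hash: "sha256")
end

# What gets persisted: a random salt and the digest. The passcode itself is never stored.
def digest_passcode(passcode)
  raise ArgumentError, "passcode must be exactly 6 digits" unless passcode.match?(/\A\d{6}\z/)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, digest: pbkdf2(passcode, salt) }
end

# Constant-time byte comparison so the position of a mismatch does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def passcode_matches?(record, candidate)
  return false unless candidate.match?(/\A\d{6}\z/)
  secure_equal?(pbkdf2(candidate, record[:salt]), record[:digest])
end

# Used when the case reference is unknown, so an unknown reference costs the same
# time as a wrong passcode and does not reveal which references exist.
DUMMY_RECORD = digest_passcode("000000")

# Throttle keyed by HMAC(pepper, ip): the stored key cannot be turned back into the
# address, and without the pepper it cannot even be confirmed by hashing a guess.
class FailureLimiter
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @buckets = Hash.new { |h, k| h[k] = [] }   # hashed client key => failure timestamps
  end

  def client_key(ip)
    OpenSSL::HMAC.hexdigest("SHA256", RATE_LIMIT_PEPPER, ip)
  end

  def throttled?(ip)
    prune(client_key(ip)).size >= MAX_FAILURES_PER_WINDOW
  end

  def record_failure(ip)
    prune(client_key(ip)) << @clock.call
  end

  private

  def prune(key)
    cutoff = @clock.call - WINDOW_SECONDS
    @buckets[key] = @buckets[key].select { |ts| ts > cutoff }
  end
end

# The gate: throttle first, then both factors. Returns :throttled, :denied or :granted.
# The digest is always computed (against DUMMY_RECORD if needed) before the result is decided.
def follow_up_access(store, limiter, ip, reference, passcode)
  return :throttled if limiter.throttled?(ip)
  record = store[reference]
  ok = passcode_matches?(record || DUMMY_RECORD, passcode) && !record.nil?
  limiter.record_failure(ip) unless ok
  ok ? :granted : :denied
end
```

Only failed attempts count toward the throttle, so a reporter who checks their inbox repeatedly is never locked out by their own successful logins, while a guesser against a single case reference is cut off after five misses per window.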
Verification notes - 2026-05-15
- Source-level verification confirms 9 live product locales: `config/application.rb` now exposes `en bg de el fr hr lb pl ro` (Croatian added since the 2026-04-23 review); Croatian translation files exist at `config/locales/hr.yml`, `config/locales/whistleblower.hr.yml`, and `config/locales/compliance_templates.hr.yml`.
- All 27 EU member states have dedicated public legal-reference pages under `website/content/en/whistleblower-laws/`, each naming the national act, citing its official source, and identifying the external reporting authority. /compliance/ links out to this index from its country-law paragraph.
- DPA §6.4 (Sub-processors): “The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to the change; if no resolution is reached, the Controller may terminate the agreement.”
- DPA §6.6 (Data breach notification) commits to 72-hour notification with required content (nature, consequences, measures).
- DPA §6.10 codifies the zero-AI commitment as a material contractual term, naming OpenAI, Anthropic, Google, and Mistral as not-sub-processors.
- Audit log surfaced to handlers as the third Turbo Frame tab on `app/views/organizations/whistleblower/reports/show.html.erb` (commit 858ee3a6); audit log actor field is now polymorphic with snapshotted metadata (commits 62aa48b7, 66dd30a8).
- Report lifecycle refactored from a single status enum to milestone timestamps + closure_outcome enum (`acknowledged_at`, `feedback_given_at`, `closed_at`, `closure_outcome`). Compliance behaviour preserved; closure_outcome enum is now Directive Art 9(1)(c)-aligned.
- Membership now supports deactivation as well as deletion: `scope :deactivated, -> { where.not(deactivated_at: nil) }` preserves audit history; deactivated members are auto-unassigned from open reports.
- Pricing updated 2026-05-25: Monthly €60/month; Yearly €41.67/month billed as €500/year; 30-day money-back guarantee.
Scoring review - 2026-05-15
Re-scored 2026-05-15 under the same 25-criterion rubric at access tier P + R + H with source-code-level access permitted by the vendor. Rubric unchanged from 2026-04-23. Items tracked on the vendor roadmap are scored as gaps, not skipped.
Base score: 42 / 50 in France, Bulgaria, Greece, and Romania contexts (+1 from 2026-04-23, driven by D22). France country bonus: 5 / 8 (unchanged). Bulgaria country bonus: 6 / 6 (+2). Greece country bonus: 4 / 6 (+2). Romania country bonus: 6 / 6 (+2).
| Category | Score | Max |
|---|---|---|
| A. Legal compliance | 14 | 16 |
| B. Reporter experience (BG/FR/GR/RO) | 8 | 10 |
| C. Handler experience | 9 | 10 |
| D. Security | 6 | 8 |
| E. Commercial | 5 | 6 |
What moved since 2026-04-23:
- D22 (subprocessor transparency) 1 → 2. DPA §6.4 now grants the Controller an explicit right to object to subprocessor changes with 30-day notice and termination remedy; /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle.
- bg_law / gr_law / ro_law all 0 → 2. /whistleblower-laws/ ships a dedicated public page for every EU member state, each naming the national act and linking to its official source.
- Croatian (hr) added as a 9th portal locale, fully localised across reporter and handler surfaces.
- Reporter PDF download added to the follow-up portal (audit-logged), strengthening B11.
- Lifecycle stepper UI replaces the simple status string in both reporter and handler views; underlying schema migrated from a status enum to milestone timestamps + a closure_outcome enum aligned with Directive Art 9(1)(c).
- Audit log surfaced to handlers as the third Turbo Frame tab on reports#show.
- Accessibility statement now public at /accessibility/ with detailed EN 301 549 conformance table at /en-301-549-conformance/.
- Trust + security pages consolidated and published, including contracting party, backups, RTO/RPO, session lifecycle, breach SLA, and zero-AI posture.
What still caps the base score:
- B12 — structured intake (still 0/2): schema remains Subject + Description + Files + optional category; the form does not yet ask relationship-to-org, source-of-info, prior reporting, or retaliation-concern questions.
- C18 — role tiers (still 1/2): membership is still `enum :role, %w[member admin]`; rubric wants ≥3 case-scoped role tiers. Deactivation lifecycle was added but does not change the role count.
- D19 — ISO 27001 of EthicsPortal itself (still 0/2): only Hetzner infrastructure is certified.
- A7 — hash-chained audit log (still 2/2 but with room): append-only at DB level via PostgreSQL trigger blocking mutation of semantic fields; not hash-chained.
- A8 — DPIA template (still 1/2): DPA, breach SLA, and trust runbook are published — but a customer-facing DPIA template is not yet a public artifact.
- E24 — free trial (still 1/2): pay-first with 30-day money-back; no upfront self-serve trial.
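The A7 note above distinguishes a trigger-enforced append-only table (what the vendor ships) from a hash-chained log (what the rubric rewards). The added example below, which is not EthicsPortal's code and assumes nothing about its schema beyond the actor/action/timestamp fields the page lists, shows what the chain adds: every entry commits to the hash of its predecessor, so editing or removing a row breaks verification, and publishing the head hash separately also catches truncation, which a database trigger alone cannot prove after the fact.

```ruby
# Added illustration, not EthicsPortal's code: a hash-chained audit log.
# Each entry's hash covers its own fields plus the previous entry's hash, so a
# verifier holding only the rows (plus, optionally, an externally published head)
# can detect edits, deletions and truncation. Field names are assumed, not the product's.
require "digest"
require "json"

class HashChainedAuditLog
  GENESIS = "0" * 64   # previous-hash value for the first entry

  attr_reader :entries

  def initialize
    @entries = []
  end

  # Append a row; returns its hash. The row can only ever be validly followed by
  # a row whose prev_hash equals this value.
  def append(actor:, action:, report_id:, at:)
    entry = { seq: @entries.size, at: at, actor: actor, action: action,
              report_id: report_id, prev_hash: head }
    entry[:hash] = self.class.entry_hash(entry)
    @entries << entry
    entry[:hash]
  end

  # Hash of the latest entry; publish this out of band (e.g. in a daily report)
  # to make truncation of the tail detectable.
  def head
    @entries.empty? ? GENESIS : @entries.last[:hash]
  end

  # Canonical serialisation (fixed field order) so the hash is reproducible.
  def self.entry_hash(e)
    canonical = JSON.generate([e[:seq], e[:at], e[:actor], e[:action], e[:report_id], e[:prev_hash]])
    Digest::SHA256.hexdigest(canonical)
  end

  # Returns [true, nil] for an intact chain, or [false, seq] naming the first
  # position that fails. With expected_head, a chain that verifies internally but
  # stops short of the published head is reported as bad at index entries.size.
  def self.verify(entries, expected_head: nil)
    prev = GENESIS
    entries.each_with_index do |e, i|
      return [false, i] unless e[:seq] == i && e[:prev_hash] == prev && e[:hash] == entry_hash(e)
      prev = e[:hash]
    end
    return [false, entries.size] if expected_head && prev != expected_head
    [true, nil]
  end
end

# Constructed sample rows in the page's vocabulary (actor, action type, timestamp).
def sample_log
  log = HashChainedAuditLog.new
  log.append(actor: "handler:42", action: "report.viewed", report_id: "WB-7K3M-Q2ZX", at: "2026-06-14T09:00:00Z")
  log.append(actor: "handler:42", action: "status.acknowledged", report_id: "WB-7K3M-Q2ZX", at: "2026-06-14T09:01:00Z")
  log.append(actor: "system", action: "retention.purge", report_id: "WB-2B4N-C6DP", at: "2026-06-14T09:02:00Z")
  log
end
```

The chain on its own cannot tell a legitimately short log from one whose newest rows were dropped; that is why `verify` takes an `expected_head`, and why a deployment that wants the A7 credit would publish or escrow the head hash somewhere the database owner cannot rewrite.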
Buyer fit:
- Bulgaria: closes the previous Bulgaria-specific legal-posture gap. The Bulgarian whistleblowing act is now cited publicly at /whistleblower-laws/bulgaria/, with the CPDP’s dual role (external authority + data protection authority) flagged. Bulgarian UI, named EU hosting, and the new explicit legal-act citation now all line up. Bulgaria total: 48 / 56.
- France: top of the Edition I, 2026 rubric. Loi Waserman is cited on /compliance/ and on /whistleblower-laws/france/ with a Légifrance link. Sapin II is not claimed as product scope and is largely a separate anti-corruption regime. FR-local data residency remains the open item — Germany-hosted on Hetzner Nuremberg rather than a Paris or Gravelines option. France total: 47 / 58.
- Greece: now a defensible Greece-market leader. /whistleblower-laws/greece/ cites Law 4990/2022 with the official gazette PDF and the National Transparency Authority as external channel; full Greek reporter and handler UI is live. The remaining delta is hosting fit (Germany-only, no GR option). Greece total: 46 / 56.
- Romania: closes the previous Romania-specific gap. /whistleblower-laws/romania/ cites Legea nr. 361/2022 with the official text PDF and identifies ANI as both external authority and practical guidance body; Romanian UI and named EU hosting were already in place. Romania total: 48 / 56.
Verification notes - 2026-06-14
- Oral reporting shipped as in-portal voice recording (`AnonymizesVoiceRecording` concern, dedicated `voice_recording` attachment). Source-level confirmation of the fail-closed/anonymize-then-purge guarantee: a background job pitch-shifts the audio, attaches only the altered MP3, and purges the original; on conversion/ffmpeg failure the raw blob is purged too (a `voice_recording_failed_at` column tracks the failed state once the blob is gone), so the unaltered voice never persists past processing. `ffmpeg` is in the Dockerfile deploy stage; with no ffmpeg there is no playback (no raw fallback).
- Art 2(1) category mapping shipped: `Whistleblower::Report::CATEGORY_TAXONOMY` replaces the flat category array, tagging each key `:directive` (with the Art 2(1) article ref) or `:national`; the 8 previously missing Union-law domains (financial services, transport, nuclear, food/animal, public health, NIS, EU financial interests, internal market) were added. Article numbers stay out of the reporter dropdown and surface only as a handler-side badge.
- Viewer role shipped: `enum :role, %w[member admin viewer]`. Enforced by splitting `Whistleblower::ReportPolicy#show?` (`viewer? || update?`) from `#update?`, and `Scope#resolve` returns all reports for `admin? || viewer?`. No migration was needed (`role` is a free string column); invitation/edit forms and the Avo resource pick the role up automatically. Admin compliance documents are deliberately out of viewer scope.
- GDPR Art 20 data export shipped: `DataExport` model + `DataExport::GenerateJob` / `DataExport::PurgeJob`. Encrypted report fields are exported decrypted for portability; access is admin-only through the app’s Active Storage authorization; request and download are audit-logged and the export’s own audit rows survive its 7-day auto-purge; the request action is rate-limited to 5/hour keyed by organization. `audit_logs.json` was deliberately excluded from the payload (operational record, not Art 20 subject-provided data).
- Organization soft-delete shipped: `Organization#soft_delete_or_destroy` soft-deletes (sets `deleted_at`) when the org has a compliance footprint and hard-deletes otherwise; a daily purge job reaps the org after its reports’ retention windows expire (scheduled after retention cleanup). Avo admin deletion is routed through the same path. Deletion is blocked while a Stripe subscription is active (owner must cancel first).
- Audit-logging hardening: compliance report/certificate exports are now audit-logged; report mutations and their audit writes are wrapped in transactions; actor attribution falls back to “system” rather than mislabeling console/job-initiated changes. The documented append-only exception (DELETE permitted only for the GDPR Art 17 org-erasure cascade; UPDATE/TRUNCATE blocked by trigger) is unchanged.
- Structured intake shipped: `Whistleblower::Report::INTAKE_QUESTIONS` adds five optional, Directive-aligned questions to the reporter form — relationship to org (Art 4), source of knowledge, incident timing, prior reporting, and retaliation concern (Art 19). Each is skippable (a `<details>` disclosure with a “Prefer not to say” default), so anonymity is never compromised by a required identifying answer; answers are non-deterministically encrypted at rest like the identity fields, surfaced in the handler report detail and PDF export, and retaliation is flagged as a prominent handler urgency badge. A shared partial drives both the reporter portal form and the handler offline-intake form; all strings are translated across the 9 locales. Competitor scan (EQS, NAVEX EthicsPoint/WhistleB, FaceUp, Whistlelink, Whispli, SpeakUp, Vault) found no vendor shipping an opinionated Directive-aligned default question set — these appear only as org-configured custom fields — so a built-in fixed set is a differentiator, not parity.
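Both the identity fields in the Notable list and the intake answers above are described as "non-deterministically encrypted at rest". The added example below, which is not EthicsPortal's code and does not reproduce Rails' key management, shows in plain OpenSSL AES-256-GCM why that choice matters for a whistleblowing store: the non-deterministic mode draws a fresh random nonce per write, while the deterministic variant (nonce derived from a keyed hash of the plaintext, an assumption made here for illustration) yields identical ciphertexts for identical values, so anyone with read access to the column can see which reports share a reporter contact without decrypting anything.

```ruby
# Added illustration, not EthicsPortal's code: non-deterministic vs deterministic
# field encryption with AES-256-GCM, and the linkability leak the deterministic
# mode carries. Keys are generated per run here (constructed); a real deployment
# loads them from a credentials store. The field name is bound in as AAD so a
# ciphertext moved into another column fails authentication.
require "openssl"

KEY = OpenSSL::Random.random_bytes(32)                   # data-encryption key (constructed)
NONCE_DERIVATION_KEY = OpenSSL::Random.random_bytes(32)  # only used by the deterministic variant

def aes_gcm_encrypt(key, nonce, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  cipher.iv = nonce                       # 12-byte nonce, the GCM default length
  cipher.auth_data = aad
  ct = plaintext.empty? ? "".b : cipher.update(plaintext)   # OpenSSL rejects update("")
  ct += cipher.final
  { nonce: nonce, ciphertext: ct, tag: cipher.auth_tag }
end

def aes_gcm_decrypt(key, record, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = record[:nonce]
  cipher.auth_tag = record[:tag]
  cipher.auth_data = aad
  pt = record[:ciphertext].empty? ? "".b : cipher.update(record[:ciphertext])
  (pt + cipher.final).force_encoding("UTF-8")
end

# Non-deterministic: a fresh random nonce every time, so equal plaintexts give
# unrelated ciphertexts. This is the mode the page reports for sensitive fields.
def encrypt_nondeterministic(plaintext, field)
  aes_gcm_encrypt(KEY, OpenSSL::Random.random_bytes(12), plaintext, field)
end

# Deterministic (assumed construction): nonce = HMAC(k, plaintext)[0, 12], so the
# same value always encrypts to the same bytes. That enables equality lookups,
# which is exactly why it leaks which rows hold the same value.
def encrypt_deterministic(plaintext, field)
  nonce = OpenSSL::HMAC.digest("SHA256", NONCE_DERIVATION_KEY, plaintext)[0, 12]
  aes_gcm_encrypt(KEY, nonce, plaintext, field)
end

# Returns nil instead of raising when the tag does not verify (tampered bytes,
# or a ciphertext presented under the wrong field name).
def decrypt_or_nil(record, field)
  aes_gcm_decrypt(KEY, record, field)
rescue OpenSSL::Cipher::CipherError
  nil
end

# What a reader of the raw column can learn without the key: the number of
# groups of rows that share a stored value.
def linkable_groups(records)
  records.group_by { |r| r[:nonce] + r[:ciphertext] }.values.count { |g| g.size > 1 }
end

# Constructed sample: three reports, two of them from the same reporter contact.
SAMPLE_CONTACTS = ["reporter@example.org", "reporter@example.org", "other@example.net"].freeze

def linkable_groups_for(mode)
  records = SAMPLE_CONTACTS.map { |c| send(mode, c, "reporter_contact") }
  linkable_groups(records)
end
```

The trade-off is real: the deterministic mode is what lets a handler search by exact value, and the non-deterministic mode gives that up in exchange for hiding repetition. For reporter identity fields, where "these two reports came from the same person" is itself sensitive, the page's choice of the non-deterministic mode is the conservative one.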
Scoring review - 2026-06-14
Re-scored 2026-06-14 under the same 25-criterion rubric at access tier P + R + H with source-code-level access permitted by the vendor. Rubric unchanged.
Base score: 46 / 50 in France, Bulgaria, Greece, and Romania contexts (+4 from 2026-05-15, driven by A2, C18, and B12). Country bonuses unchanged: France 5 / 8, Bulgaria 6 / 6, Greece 4 / 6, Romania 6 / 6.
| Category | Score | Max |
|---|---|---|
| A. Legal compliance | 15 | 16 |
| B. Reporter experience (BG/FR/GR/RO) | 10 | 10 |
| C. Handler experience | 10 | 10 |
| D. Security | 6 | 8 |
| E. Commercial | 5 | 6 |
What moved since 2026-05-15:
- A2 (Art 2(1) categories in intake) 1 → 2. `CATEGORY_TAXONOMY` now tags each category to a Directive Art 2(1) Union-law domain (with article ref) or marks it `:national`; the article surfaces as a handler badge and the 8 missing Union-law domains were added — without forcing article jargon into the reporter flow.
- B12 (structured intake aligned to Art 2(1)) 0 → 2. `INTAKE_QUESTIONS` adds five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) as a skippable guided step, surfaced to handlers + PDF with retaliation as an urgency badge; encrypted at rest, localized across all 9 locales. The category taxonomy was the on-ramp; this closes the criterion. B reporter experience now scores a full 10 / 10. Only 1 of ~53 profiled tools scored full here, so this moves EthicsPortal from worst-tier to best-in-class on intake.
- C18 (role tiers) 1 → 2. A third role, `viewer` (read-only auditor/legal-counsel seat with whole-portal read + audit-trail access, no write/manage path), meets the rubric’s named admin/handler/viewer target. C handler now scores a full 10 / 10.
- Oral reporting (Art 9(2)(b)) added as in-portal voice recording with always-on, irreversible voice anonymization (pitch-shift then purge raw). No standalone rubric criterion captures it, so it is recorded as a strength rather than a score change.
- GDPR Art 20 data export and retention-aware organization soft-delete added — both recorded as strengths; neither maps to a numbered Directive criterion (Art 20 portability and the org-deletion retention guarantee sit outside the 25-item rubric).
What still caps the base score:
- D19 — ISO 27001 of EthicsPortal itself (still 0/2): only Hetzner infrastructure is certified.
- A7 — hash-chained audit log (still 2/2 but with room): append-only at DB level via trigger; not hash-chained.
- A8 — DPIA template (still 1/2): DPA, breach SLA, and trust runbook are published; a customer-facing DPIA template is not yet a public artifact.
- E24 — free trial (still 1/2): pay-first with 30-day money-back; no upfront self-serve trial.
Buyer fit (updated totals): Bulgaria 52 / 56, France 51 / 58, Greece 50 / 56, Romania 52 / 56 — the +4 base gain (A2, C18, B12) lifts every market context by four points; the per-market legal/hosting/UI posture is otherwise unchanged from the 2026-05-15 review.
Similar to EthicsPortal
Other platforms in the directory with overlapping pricing model, certifications, or procurement path.
Hintbox German whistleblowing platform with flat Basic/Premium pricing from EUR 49/month, 30 languages, AI translation, and ISO 27001 certification.
LegalTegrity German SME whistleblowing platform. Tiered pricing €49–€165.83/month by employee count.
whistle.law German HinSchG-focused whistleblowing platform with published EUR 50-150/month pricing and public GDPR/security documentation.
hintcatcher German whistleblowing platform from product kitchen GmbH. Flat pricing from €39/month, independent of headcount.
Frequently asked questions about EthicsPortal
Answers derived from vendor-published materials dated on this page.
- Is EthicsPortal suitable for SMEs under 250 employees?
- Yes — EthicsPortal's entry-tier pricing is published under €50/month, inside the range most 50–249-employee organisations budget for a reporting channel. Published pricing: €60/month, or €41.67/month billed annually (€500/year). Target buyer: EU SMEs (50+ employees) wanting flat-rate, EU-hosted reporting without enterprise sales engagement.
- Which national whistleblower laws does EthicsPortal explicitly reference?
- EthicsPortal explicitly cites the following national transpositions of Directive 2019/1937 in its public materials: Germany (HinSchG), France (Loi Waserman), Italy (D.Lgs. 24/2023), Spain (Ley 2/2023), Poland (Act of 14 June 2024), Bulgaria (Whistleblowing Act, in force 4 May 2023), Greece (Law 4990/2022), and Romania (Legea nr. 361/2022). Beyond these, a dedicated /whistleblower-laws/<country>/ page exists for every one of the 27 EU member states, citing the official law text. Absence from this list does not mean the platform can't be used in other EU jurisdictions; all 27 member states have transposed the Directive. Verify jurisdictional fit with the vendor directly.
- Does EthicsPortal process whistleblower report content with AI?
- No — EthicsPortal does not process report content with AI or machine translation per its vendor materials. Verify the vendor's subprocessor list to confirm no downstream AI processing occurs.
Compare EthicsPortal with another platform
Direct side-by-side comparisons against other tools in this directory.