EU Whistleblower Directory

Edition I, 2026 · Tested April 2026

Ranking of whistleblowing software in France

Independent ranking of whistleblowing platforms for France under the Loi Waserman and Sapin II. Fixed 25-criterion rubric; every score is backed by evidence.

Tools scored: 11 · Base max: 50 · France bonus max: 8 · Rubric version: v2

France is one of the few EU markets where the country bonus genuinely changes the ranking. A generic “compliant with the EU directive” claim is not enough: buyers want to know whether the vendor understands the Loi Waserman, whether Sapin II remains in scope for large organizations, and whether the product holds up in a French procurement cycle.

This edition therefore combines two layers:

  • the country-agnostic base rubric of 50 points, which measures product quality, security posture, pricing transparency and workflow depth;
  • the France modifier of 8 points, which rewards explicit Waserman / Sapin II framing, a French-language UI and, when it is clearly published, an option for data residency in France.

The result penalizes two failures common in the French market: older local products that are well framed legally but weak in product depth, and global products that are technically solid but almost silent on French law.

Top 11: summary

| # | Tool | Tier | Base / 50 | France bonus / 8 | Total | Last reviewed |
|---|------|------|-----------|------------------|-------|---------------|
| 1 | EthicsPortal | P+R+H | 46 | 5 | 51 | 2026-06-14 |
| 2 | Whispli | P | 31 | 8 | 39 | 2026-05-24 |
| 3 | IntegrityLog | P | 33 | 2 | 35 | 2026-05-24 |
| 4 | BeSignal | P | 26 | 8 | 34 | 2026-05-24 |
| 5 | WeMoral | P | 29 | 2 | 31 | 2026-05-24 |
| 6 | NAVEX | P | 27 | 3 | 30 | 2026-05-24 |
| 7 | Alertcys | P | 21 | 8 | 29 | 2026-05-24 |
| 8 | EQS Integrity Line | P | 27 | 1 | 28 | 2026-05-24 |
| 9 | FaceUp | P | 26 | 1 | 27 | 2026-05-24 |
| 10 | Whistleblower Software (Formalize) | P | 26 | 1 | 27 | 2026-05-24 |
| 11 | Witik | P | 20 | 7 | 27 | 2026-05-24 |

Criterion-by-criterion matrix

Legend: fully meets · partially meets · does not meet / not verifiable

Columns: Criterion, EthicsPortal, Whispli, IntegrityLog, BeSignal, WeMoral, NAVEX, Alertcys, EQS Integrity Line, FaceUp, Whistleblower Software (Formalize), Witik
Legal compliance · 16 pts max
A1 Local transposition law referenced with article numbers
A2 Directive 2019/1937 Article 2(1) categories in intake
A3 Anonymous reporting default-on or equal-status
A4 7-day acknowledgment + 3-month feedback deadline tracking
A5 Configurable retention with automatic deletion
A6 Report register / log
A7 Append-only handler audit trail
A8 DPA + DPIA support documented
Reporter experience · 10 pts max
B9 Web form, mobile-responsive, with file upload
B10 Two-factor reporter access (Case ID + passcode)
B11 Two-way anonymous communication
B12 Structured intake aligned to Article 2(1)
B13 Reporter form in local language
Handler experience · 10 pts max
C14 Case management dashboard with status workflow
C15 Assign cases to handlers (rotation or multi-handler)
C16 Deadline reminder notifications
C17 Internal notes (not visible to reporter)
C18 Role-based access control (≥3 roles)
Security and trust · 8 pts max
D19 ISO 27001 certified
D20 No EOL software components
D21 EU data residency with country disclosed
D22 Sub-processor list + right to object
Commercial · 6 pts max
E23 Published pricing
E24 Free trial available (self-serve)
E25 Monthly contract option
France bonus · 8 pts max · modifier, outside the base score
FR·WASERMAN Loi Waserman compliance stated
FR·SAPIN2 Sapin 2 compliance stated
FR·RESIDENCY France data residency available
FR·UI French-language UI (reporter + handler)
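Total: EthicsPortal 51 · Whispli 39 · IntegrityLog 35 · BeSignal 34 · WeMoral 31 · NAVEX 30 · Alertcys 29 · EQS Integrity Line 28 · FaceUp 27 · Whistleblower Software (Formalize) 27 · Witik 27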

Per-tool reviews

#1

EthicsPortal

Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

51 / 58
Base 46 · Bonus 5 · Tier P+R+H
Legal 15/16 · Reporter 10/10 · Handler 10/10 · Security 6/8 · Commercial 5/6

Strengths

  • Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21 and links to a dedicated page for each of the 27 EU transpositions
  • All 27 EU national whistleblower laws are named on public /whistleblower-laws/<country>/ pages with official source citations, closing the BG/GR/RO legal-posture gap from the 2026-04-23 review
  • Oral reporting (Art 9(2)(b)) is built into the portal as in-browser voice recording, and is privacy-engineered rather than bolted on: the raw audio is automatically pitch-shifted, only the anonymized MP3 is ever served, and the original recording is purged after processing (fail-closed — no ffmpeg, no playback, raw never persists)
  • Report categories are tagged to specific Directive Art 2(1) Union-law domains (CATEGORY_TAXONOMY), with the article reference surfaced as a handler-side badge; reporters still pick plain-language categories
  • Structured intake: five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) presented as a skippable guided step, surfaced to handlers + PDF with retaliation flagged as an urgency badge — a built-in default set where competitors leave these to per-org custom-field configuration
  • Three role tiers (member / admin / viewer): viewer is a read-only seat for auditors and external counsel that sees every report plus the full audit trail without any write or management path, enforced at the Pundit layer
  • GDPR Art 20 portability: admins can export the full organization dataset (reports, messages, attachments, decrypted PII) as a ZIP; export and download are audit-logged and the ZIP auto-purges after 7 days
  • Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes; lifecycle stepper UI surfaces SLA timing in both reporter and handler views
  • Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
  • Two-factor reporter access: Case reference (WB-XXXX-XXXX) + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged)
  • Audit log surfaced to handlers as the third Turbo Frame tab on reports#show; append-only at DB level via PostgreSQL trigger blocking mutation of semantic fields
  • Modern stack with no EOL liabilities: Rails 8.1 + Turbo + Tailwind 4 + daisyUI 5; no CKEditor or jQuery
  • Transparent monthly pricing (€60/mo) with 9 live product locales (8 EU official languages — bg, de, el, en, fr, hr, pl, ro — plus Luxembourgish)
  • Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged, deactivated members auto-unassigned from open reports
  • Published DPA grants Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6); /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle
  • Zero-AI commitment codified contractually: DPA §6.10 prohibits transmission of personal data to any LLM or AI inference provider; /subprocessors/ lists no AI sub-processor

Weaknesses

  • Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
  • Only 9 portal-facing languages (8 EU official languages + Luxembourgish) against 24 EU official languages
  • No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
  • Pay-first with 30-day money-back rather than upfront self-serve free trial
  • Role tiers are org-scoped, not per-case ACLs: the viewer role added the auditor seat the rubric wanted, but a handler's report visibility is still governed by assignment/participant scoping rather than a per-case permission model
  • DPIA template not yet published as a customer-facing artifact on the public site

Distinguishing point

Article-level Directive framing paired with a 27-page country-law reference and privacy-engineered oral reporting, all backed by code that actually runs the deadline, retention, two-factor passcode, audit-log, voice-anonymization, and subprocessor-notification flows.

#2

Whispli

Sydney, Australia (Paris office) · Enterprise whistleblowing, disclosure, hotline, and investigation platform operating in 60+ countries.

39 / 58
Base 31 · Bonus 8 · Tier P
Legal 9/16 · Reporter 9/10 · Handler 7/10 · Security 6/8 · Commercial 0/6

Strengths

  • France-specific public content names Loi Waserman and compares it with Sapin 2.
  • Product pages support 70+ languages, Safe Inbox, web/mobile/email/QR/Voice AI intake, configurable workflows, SLAs, retention, routing, and audit logs.
  • Security page supports ISO 27001, SOC 2 Type II, customer-managed encryption keys, regional hosting/data residency, API/integrations, 2FA, SSO, and penetration testing.

Weaknesses

  • Pricing amounts, self-serve trial, exact EU official-language coverage, subprocessor objection mechanics, and article-by-article Directive mapping were not disclosed on public pages reviewed.
  • The previous /solutions/whistleblower/ and /whispli-pricing/ URLs were not usable current evidence.

Distinguishing point

Whispli publishes France-specific legal framing and security architecture for a sales-led enterprise product.

#3

IntegrityLog

Sweden · Whistleblowing module inside Euronext Corporate Solutions' ComplyLog compliance suite, with ISO 27001-certified infrastructure positioning.

35 / 58
Base 33 · Bonus 2 · Tier P
Legal 12/16 · Reporter 7/10 · Handler 7/10 · Security 7/8 · Commercial 0/6

Strengths

  • Public product detail covers statuses, reminders, permissions, and communication
  • 2025 ComplyLog factsheet adds GDPR role clarity, EEA storage, ISO/IEC 27001, encryption, access logging, retention, and DPA/sub-processor disclosures
  • Product page and factsheet support anonymous case handling, written/audio reports, and EU Whistleblowing Directive positioning

Weaknesses

  • No explicit public Waserman or Sapin II framing found
  • Pricing is not published publicly
  • Reporter return-access mechanism and append-only audit guarantees are not fully documented publicly

Distinguishing point

IntegrityLog has moved under the Euronext Corporate Solutions surface; the most detailed current evidence comes from the 2025 ComplyLog privacy factsheet rather than a France-law sales page.

#4

BeSignal

France · France-hosted whistleblowing and risk-reporting platform by Valeur & Conformité (Vaco), marketed as the successor to Signalement.Net.

34 / 58
Base 26 · Bonus 8 · Tier P
Legal 9/16 · Reporter 7/10 · Handler 5/10 · Security 5/8 · Commercial 0/6

Strengths

  • France-hosted positioning is explicit, including OVH and CleverCloud references in privacy/legal materials
  • Signalement.Net successor branding, Directive / Sapin II / Waserman positioning, and a 7-language public site are public
  • Voice/written intake, anonymous reporting, role profiles, and optional translation/document analysis are public claims

Weaknesses

  • Pricing, API access, and self-serve trial are not published publicly
  • ISO 27001 and HDS badges are displayed, but no public certificate, scope statement, or complete public sub-processor register was found
  • Deadline timer automation and append-only audit guarantees are not disclosed on public pages reviewed

Distinguishing point

The current Vaco surface describes a France-hosted alert platform with multilingual, voice/written, and anonymous reporting.

#5

WeMoral

Poland · Whistleblowing platform with public monthly pricing, self-serve trial, and 25-language product coverage, legally seated in Poland.

31 / 58
Base 29 · Bonus 2 · Tier P
Legal 8/16 · Reporter 7/10 · Handler 4/10 · Security 4/8 · Commercial 6/6

Strengths

  • Transparent pricing with public monthly billing, self-serve trial, and no cancellation fees
  • French-language marketing path is live, alongside 25-language product coverage claims
  • Custom forms, encrypted two-way communication, and task / action workflows are all surfaced publicly

Weaknesses

  • France-law positioning is limited; no public Waserman or Sapin II framing was found
  • Named sub-processors remain under-documented publicly
  • Reporter return-access mechanism is not documented publicly

Distinguishing point

Public pages show monthly pricing, self-serve trial access, and a feature page without requiring sales contact first.

#6

NAVEX

Lake Oswego, Oregon, United States · EthicsPoint hotline and WhistleB whistleblowing products within the NAVEX One GRC suite.

30 / 58
Base 27 · Bonus 3 · Tier P
Legal 9/16 · Reporter 5/10 · Handler 5/10 · Security 5/8 · Commercial 3/6

Strengths

  • Current whistleblowing page supports web and phone reporting, case tracking, anonymous reporting, AI-powered whistleblowing, and 13,000+/88M+ vendor scale claims.
  • WhistleB pages support ISO 27001, SOC 2 Type II, EU data storage, customer-controlled encryption, MFA, activity logs, Microsoft Azure hosting, Microsoft Translator localization, and up to 150 languages.
  • EthicsPoint service-hosting provider page is public and lists hosting, translation, interpretation, analytics, and platform service providers.

Weaknesses

  • EthicsPoint pricing, trial, API access, DPA, retention configuration, and Directive article-level mapping were not disclosed on public pages reviewed.
  • The previous Goldman Sachs/Blackstone acquisition completion date and ISO date were not verified on vendor pages reviewed.

Distinguishing point

NAVEX publishes WhistleB starting-price and security evidence plus EthicsPoint service-provider disclosure, while EthicsPoint pricing and deeper package evidence remain sales-led.

#7

Alertcys

France · French whistleblowing and psychosocial-risk platform with published annual pricing and optional outsourced mediation.

29 / 58
Base 21 · Bonus 8 · Tier P
Legal 5/16 · Reporter 6/10 · Handler 3/10 · Security 4/8 · Commercial 3/6

Strengths

  • Public annual pricing is available for the Essentiel, Standard, and Pro offers
  • France-specific copy: Sapin II and Loi Waserman are both explicit on public pages
  • France-hosted platform and mediator-led exchange are public claims on vendor pages

Weaknesses

  • Public product detail is limited: no documented reporter return-access mechanism, no public handler demo
  • No public security certifications or sub-processor documentation found
  • Annual contract model with referent caps is less flexible than monthly self-serve tools

Distinguishing point

Alertcys publishes annual pricing, France-law framing, and optional outsourced handling before sales contact.

#8

EQS Integrity Line

Munich, Germany · Whistleblowing module of the EQS Compliance COCKPIT with Essential, Professional, and Enterprise packages.

28 / 58
Base 27 · Bonus 1 · Tier P
Legal 6/16 · Reporter 6/10 · Handler 5/10 · Security 6/8 · Commercial 4/6

Strengths

  • Packages page supports 80+ languages, anonymous dialogue, case management, deadline monitoring, telephone reporting on higher tiers, 2FA, and European hosting.
  • Security page supports ISO 27001, ISAE 3000 Type I/II, WACA Bronze, end-to-end encryption, no tracking, and Munich East data-centre disclosure.
  • Localized UK page publishes starting prices, so the prior fully quote-only claim was too broad.

Weaknesses

  • Customer-held PGP/RSA key custody, API access, public DPA, and subprocessor list were not disclosed on public pages reviewed.
  • France Waserman/Sapin II and Greece Law 4990/2022 were not found on public pages reviewed.

Distinguishing point

Integrity Line publishes package details and security/accessibility evidence; the earlier customer-held-key claim was not supported in current vendor pages reviewed.

#9

FaceUp

Czech Republic · Whistleblowing, employee-relations, and workplace-compliance platform from the Czech Republic.

27 / 58
Base 26 · Bonus 1 · Tier P
Legal 7/16 · Reporter 7/10 · Handler 5/10 · Security 6/8 · Commercial 1/6

Strengths

  • Current public pricing page no longer exposes the previously captured EUR/GBP/USD/CZK employee-band amounts in the page output reviewed.
  • Public feature/pricing pages support 113 languages, anonymous reporting, two-way chat, online form, voice recording, automated/live/AI hotline add-ons, iOS/Android apps, multiple forms, webhooks, API, Zapier, and Make.
  • Security/DPA pages support ISO 27001:2022, SOC 2, E2EE, no IP storage, metadata removal, SSO, 2FA, penetration testing, selectable AWS regions, subprocessor details, and OpenAI use limited to the AI-powered hotline.

Weaknesses

  • Pricing amounts were not found on the current public pricing page output reviewed.
  • Exact EU official-language list, article-by-article Directive mapping, Loi Waserman, Sapin II, and Greece Law 4990/2022 were not disclosed on public pages reviewed.

Distinguishing point

FaceUp has public trial, security, DPA, and integration disclosure; the main correction is removing the stale public price matrix.

#10

Whistleblower Software (Formalize)

Copenhagen, Denmark · Whistleblower Software product from Formalize with public Core and Advanced annual pricing.

27 / 58
Base 26 · Bonus 1 · Tier P
Legal 7/16 · Reporter 4/10 · Handler 5/10 · Security 6/8 · Commercial 4/6

Strengths

  • Current pricing is public and materially different from the previous €70-€285 matrix.
  • Security page names ISO 27001:2022, ISAE 3000 Type 2, ENS, WCAG 2.1 AA, end-to-end encryption, and AWS Frankfurt hosting.
  • 80+ languages, anonymized reporting, case management, SSO/OAuth, SAML 2.0 and SCIM 2.0 are disclosed publicly.

Weaknesses

  • API access, DPA download, subprocessor list, retention configuration, and Directive article-level mapping were not disclosed on public pages reviewed.
  • Loi Waserman, Sapin II, and Greece Law 4990/2022 were not found on public pages reviewed.

Distinguishing point

Public pages show employee-band pricing and security claims; the previous pricing matrix and API claim were not supported by current pages.

#11

Witik

France · French GRC platform (GDPR + Sapin II + AI Act). Whistleblowing lives inside the Sapin II module; Premium from €100/month.

27 / 58
Base 20 · Bonus 7 · Tier P
Legal 4/16 · Reporter 6/10 · Handler 2/10 · Security 5/8 · Commercial 3/6

Strengths

  • French-sovereign infrastructure: ISO 27001 + HDS, hosted in France
  • Two-way anonymous messaging (chat box confidentielle) for reporter–handler threads
  • Published starting price (€100 HT/month) — unusual for FR compliance tools

Weaknesses

  • No Directive 2019/1937 reference anywhere on the site; Loi Waserman mentioned only in one FAQ line, no article citation
  • 36-month contract is still the default commercial model; monthly billing only exists as a surcharge option
  • No public reporter demo; most product proof remains marketing-page level
  • Ad-hoc breach taxonomy; not aligned to Directive 2019/1937 Article 2(1)
  • Two-factor reporter access not documented
  • Privacy policy names several processors, but no public sub-processor objection workflow was found

Distinguishing point

Public pages state ISO 27001, HDS, and France/EU hosting, which may matter for healthcare, public-sector, and mutual buyers.

Methodology

Scoring rubric

25 criteria across 5 categories, weighted by the number of criteria. Each criterion is worth 0, 1 or 2, displayed as ○ / ◐ / ●. The maximum base score is 50. France-specific bonuses add up to 8 points on top (modifier, outside the base score).

Access tiers

Each tool carries an access tier that reflects what could actually be tested:

  • P: public pages only (marketing, pricing, security, reporter URL).
  • P + R: same, plus a test report submission.
  • P + R + H: same, plus access to the handler / admin dashboard (via free trial or demo).

Criteria that cannot be verified at the current access tier receive 0 with an evidence line such as “Requires handler tier” or “Not documented publicly”. When a score is lowered by the access tier rather than by product quality, this is flagged explicitly on the tool’s page.

Integrity guarantees

  1. The rubric was frozen before scoring. No criterion was added during testing to favor or penalize a specific tool.
  2. Every score carries evidence (a URL, a quotation or a file path) visible on the tool’s page.
  3. Tools operated by the publisher of this site are scored with the same rubric. The ranking follows the score, not the other way around.
  4. Each tool displays a last-reviewed date and is re-tested at least annually.
  5. Vendors can contest a score or submit evidence of a shipped fix via the site’s contact address. Disputes and updates appear as dated addenda on the relevant tool page.

Applicable law

Loi n° 2022-401 du 21 mars 2022 (Loi Waserman) + Loi Sapin II for organizations with 500+ employees (France, i.e. the French transposition of EU Directive 2019/1937). Tools are scored first against the Directive, then against the specifics of local law.

Scope

This ranking covers 11 tools with a published scoring block. Other tools will be added as their scoring is finalized. Unscored tools will appear in the ranking once their block is published.
