# EU Whistleblower Directory — Full Content

> Independent directory of whistleblower reporting tools for EU Directive 2019/1937 compliance. Compare features, pricing, and compliance coverage.

This directory lists whistleblower reporting platforms marketed for compliance with EU Directive 2019/1937. Every fact is sourced from the vendor's own published materials and dated at last verification.

---

## Compare

## Tools

# Canal Etico App

- Website: https://canaleticoapp.com
- Headquarters: Spain
- Pricing: €96/month (€116.16/month incl. 21% IVA). Annual plan available (saves €153/year). Enterprise plan quote-based.
- Note: Unlimited reports, written and voice channels.
- Languages on reporting form: true
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- National laws referenced: Spain (Ley 2/2023)
- Last verified: 2026-04-14
- Sources:
  - https://canaleticoapp.com/

Notable

Flat pricing of €96/month regardless of organisation size; annual billing available with €153 savings. Unlimited reports, written and voice reporting modes, tracking code for reporters. Bidirectional anonymous channel between reporter and case handler. No IP addresses, location data, or device identifiers stored; content encrypted; HTTPS in transit. Positioned specifically for Spanish Ley 2/2023 obligations (mandatory for organisations with 50+ employees from 1 December 2023). Also referenced for companies requiring UNE 19601, ISO 37001, ISO 37002 certification and AML obligations. Enterprise plan adds custom field personalisation, multiple portals for corporate groups, custom payment terms, multilingual service, and dedicated compliance expert support. Operated by Smart Dev Technology; Spanish-language support via phone, email, and WhatsApp chat. Implementation process typically completed in 1-2 business days (vendor-stated).
Fines referenced on vendor page: up to €300,000 for individuals and €1,000,000 for legal entities for non-compliance with Ley 2/2023. No public API or ISO 27001 certification published as of verification date.

---

# Clym

- Website: https://www.clym.io
- Headquarters: Wilmington, Delaware, United States (UK office in London)
- Hosting: Not specified on public pages; Enterprise tier offers custom data server location
- Pricing: Start $49/month (no whistleblowing); Grow $149/month (includes whistleblowing, HIPAA, age gating, content takedown); Enterprise from $449/month (custom data location, dedicated instance option, SLA).
- Note: Free trial available, no credit card required. Annual payment available via sales. $349 installation assistance add-on.
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: yes
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: SOC 2 Type 2, Google CMP certified
- National laws referenced: EU Whistleblower Directive (general, no national-law specifics published)
- Last verified: 2026-04-17
- Sources:
  - https://www.clym.io/
  - https://www.clym.io/solutions/whistleblowing
  - https://www.clym.io/pricing
  - https://www.clym.io/about-us

Notable

Clym is primarily a data-privacy compliance platform (cookie consent, DSAR handling, privacy policies, accessibility widget); whistleblowing is one module within the broader suite, not a standalone product. Founded 2018; US-incorporated in Delaware with a London office and a team distributed across Europe, North America, and Asia. Whistleblowing is only available on the Grow plan ($149/month) and Enterprise plan ($449+/month) — the $49 Start plan does not include it.
Whistleblowing features published: secure reporting portal, anonymous/confidential intake, structured reporting forms, protected investigator–reporter communication, investigation tracking, customisable categories, automated response templates, granular access control. Intake channels: web portal only. Phone and email channels are not described in public materials. No specific national whistleblowing-law coverage (e.g. HinSchG, Sapin II, Whistleblower Protection Act) is claimed — the product is positioned against the EU Whistleblower Directive in general terms and as part of “150+ regulations” covered platform-wide. Enterprise tier adds: custom page-view limits, unified billing across multiple digital properties, unlimited sub-domains, custom AI credits, choice of shared or dedicated instance, custom data server location, API integration, dedicated account manager, business support with SLA. Certifications: SOC 2 Type 2, Google CMP certified. Memberships: IAAP (accessibility), IAB. No ISO 27001 certification published as of verification date. Add-ons: $349 installation assistance, $5 per 100 additional AI assistant credits. Free trial available without credit card; annual payment available via sales team; multi-year licenses negotiable. Best fit for organisations already using Clym for privacy/consent compliance that want an adjacent whistleblowing channel — not a natural choice for organisations specifically needing Directive 2019/1937 feature depth (national-law templates, multi-jurisdictional language coverage, phone intake).

---

# Cortina Compliance Hub

- Website: https://cortina-consult.com/software/
- Headquarters: Münster, Germany
- Hosting: German data centres (vendor claim)
- Pricing: Compliance Hub from €45/month for 1 core module (DSMS, ISMS, or Hinweisgeberschutz/whistleblowing). Bundle discounts: 6% for 2 modules, 12% for all 3. Add-ons: KI-Governance +€15/month; Website-Compliance +€20/month; expanded E-Learning +€180/month.
Separate managed service — External Whistleblower Officer (eMSB) — from €125/month.
- Note: Published prices exclude VAT. LMS access (3 courses) included in base.
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: yes
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (Compliance Hub software, per vendor)
- National laws referenced: Germany (HinSchG); EU Directive 2019/1937
- Last verified: 2026-04-17
- Sources:
  - https://cortina-consult.com/software/
  - https://cortina-consult.com/software/preise/
  - https://cortina-consult.com/hinweisgeberschutzgesetz/preise/
  - https://cortina-consult.com/unternehmen/

Notable

Cortina Consult GmbH: founded 2013, headquartered in Münster, 20+ experts, 400+ managed customers. Hybrid offering — consulting practice (TÜV-certified data protection officers, IRCA auditors, ISO 27001 auditors) plus a software product line. The software line is “Compliance Hub”: three core modules (DSMS for data protection, ISMS for information security, Hinweisgeberschutz for whistleblowing) with bundle discounts. Whistleblower module described as HinSchG-compliant with anonymous reporting and structured case management; audit trail and deadline tracking included. The company also markets a standalone whistleblower portal brand called Parlabox (launched 2023); documented pricing paths lead to Compliance Hub. REST API with named integrations to Personio, Microsoft Azure, and SAP SuccessFactors — notable among German mid-market competitors. Related managed services (separately priced): External Data Protection Officer, External Information Security Officer, External Whistleblower Officer — each from €125/month. Reporting-form languages, customer names, and specific data-centre location not disclosed on public pages. Best fit when the buyer wants both software and a managed officer service from one vendor, or is already deploying DSMS/ISMS.

---

# EasyWhistle

- Website: https://www.easywhistle.com
- Headquarters: Finland
- Hosting: Not disclosed on public pages
- Pricing: Starter €39/month (0–49 employees), Medium €79/month (50–249), Large €109/month (250–1,000), Enterprise €199/month (1,000+). Rates shown on annual billing; vendor advertises 'Save 43%' for annual vs. monthly.
- Note: 14-day free trial with no credit-card charge during trial. Add-ons: SSO (included), Customisable forms +€5/month. Self-serve signup flow at self-signup-prod.web.app.
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- National laws referenced: EU Directive 2019/1937
- Last verified: 2026-04-17
- Sources:
  - https://www.easywhistle.com/en/
  - https://www.easywhistle.com/en/pricing/
  - https://www.easywhistle.com/en/company/
  - https://self-signup-prod.web.app/

Notable

Operated by Easywhistle Oy, Finnish VAT FI31327372; CEO listed as Matti Timonen. Marketed as compliant with the EU Whistleblowing Directive and GDPR; specific Finnish transposition law not explicitly named. Four tiers visible in the self-signup flow: Starter (0–49), Medium (50–249), Large (250–1,000), Enterprise (1,000+) — priced €39 / €79 / €109 / €199 per month on annual billing. Add-ons in signup: SSO via Microsoft / Google (included), customisable reporting-form fields (+€5/month). Positions itself on “fully anonymous” reporting with anonymous two-way communication between whistleblower and caseworker. Offers an outsourced reception service via partner network (“Outsource” and “Resellers” sections). Vertical pages published for healthcare providers and NGOs. Public marketing copy is explicit about security testing; no ISO 27001 claim. Neither product founding year nor hosting data centre is published on the vendor’s history or pricing pages.
Procurement funnel: marketing site → embedded Pipedrive form → self-signup at self-signup-prod.web.app, which hosts the tier picker.

---

# EQS Integrity Line

- Website: https://www.integrityline.com
- Headquarters: Munich, Germany
- Pricing: Three tiers: Essential, Professional, Enterprise. Pricing not published; sales engagement required.
- Note: Essential tier offers a free trial.
- Languages on reporting form: 80
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001
- National laws referenced: Germany (HinSchG); France (Sapin II); Austria
- Last verified: 2026-04-13
- Sources:
  - https://www.integrityline.com/
  - https://www.integrityline.com/product/packages/
  - https://www.eqs.com/

Notable

Acquired Got Ethics A/S (Copenhagen) on 30 November 2020 for ~$12M; product merged into Integrity Line. Acquired Business Keeper GmbH (Berlin) in June 2021 for ~€95M; BKMS System now operated under EQS at eqs.bkms-system.com. Acquired Convercent from OneTrust in December 2024. Reporting process available in 80+ languages; integrated machine translation for case managers. Encryption: PGP with 2048-bit RSA, plus HTTPS in transit. Customer holds the encryption key; vendor states it cannot access report content. No reporter IP addresses, location data, or device specs stored on servers. Telephone reporting channel available in Professional and Enterprise tiers; not in Essential. Reporting form WACA-certified Bronze (WCAG 2.1 accessibility). Essential tier deployable in days; Professional/Enterprise typically 4–8 weeks (vendor-stated). Hosted in ISO 27001-certified data centres in Europe. Part of the broader EQS Compliance COCKPIT (Whistleblowing, Third Parties, Approvals, Policies, Insights modules).

---

# EthicsPortal

- Website: https://ethicsportal.eu
- Headquarters: Poland
- Hosting: Hetzner, Nuremberg, Germany
- Pricing: €49/month, or €40.83/month billed annually (€490/year)
- Note: Single plan. Unlimited users, reports, file uploads.
- Languages on reporting form: 3
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (Hetzner hosting)
- National laws referenced: Germany (HinSchG); France (Loi Waserman / Sapin II); Italy (D.Lgs. 24/2023); Spain (Ley 2/2023); Poland (Act of 14 June 2024); All 27 EU member states (vendor claim)
- Last verified: 2026-04-13
- Sources:
  - https://ethicsportal.eu/
  - https://ethicsportal.eu/pricing/
  - https://ethicsportal.eu/compliance/
  - https://ethicsportal.eu/product/

Notable

Single flat plan; pricing does not vary by employee count, report volume, or user count. Reporting form is available in English, French, and Polish (3 languages). Vendor publishes an article-by-article mapping of features to EU Directive 2019/1937 requirements. File uploads are stripped of EXIF, GPS, and author metadata before storage. No reporter IP addresses are stored; rate limiting uses one-way hashes. Sensitive fields (report descriptions, reporter contact, message bodies) are encrypted at rest using non-deterministic encryption. Reporters receive an access code (format WB-XXXX-XXXX) to check report status; no account creation required. Configurable data retention: 12, 24, 36, or 60 months, with automatic deletion of expired closed reports. 7-day acknowledgement and 3-month feedback deadlines tracked automatically with overdue notifications. Admins can export an organisation-level compliance report PDF directly from the dashboard. Handlers can manually log reports received by phone, email, or in person. No public API or third-party integrations published.
Hosted in Hetzner’s Nuremberg data-centre park, which holds ISO/IEC 27001:2022 certification (audited by SOCOTEC) covering infrastructure, operation, and customer support. EthicsPortal itself is not separately ISO 27001 certified.

---

# FaceUp

- Website: https://www.faceup.com
- Headquarters: Czech Republic
- Pricing: Not published — quote-based via demo.
- Languages on reporting form: 113
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: yes
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001
- National laws referenced: Czech Republic; Slovakia; Germany (HinSchG); UAE; Saudi Arabia; ADGM; California (Workplace Violence Prevention)
- Last verified: 2026-04-13
- Sources:
  - https://www.faceup.com/en
  - https://www.faceup.com/en/whistleblowing-features
  - https://www.faceup.com/en/whistleblowing-companies-pricing

Notable

Reporting form available in 113 languages. End-to-end encryption; ISO 27001 certified; annual penetration testing. Multi-channel intake: web form, voice recording, integrated phone hotline. Investigation module with internal notes and redaction mode. Analytics dashboards including executive, board, and audit views. Native iOS and Android reporter apps (App Store and Google Play). Integrations exposed via Zapier (8,000+ Zapier-supported apps). Includes an Employee Surveys module alongside whistleblower reporting. Vendor lists customers including Mercedes-Benz, PwC, Zendesk, Renault, Heineken, Sephora, Emirates, and Taco Bell. Pricing is no longer published; previous freemium tier removed from the pricing page. Coverage extends beyond the EU to UAE, Saudi Arabia (ADGM), and California state law.

---

# Hintbox

- Website: https://www.hintbox.eu
- Headquarters: Germany
- Hosting: Hetzner, Germany
- Pricing: Basic: €49 (1–49), €69 (50–99), €79 (100–199), €99 (200–249), from €99 (250+) per month. Premium: €69 / €99 / €109 / €149 / from €149 per month.
Plus 19% VAT.
- Note: Free trial available. Annual billing offered.
- Languages on reporting form: 30
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001
- National laws referenced: Germany (HinSchG); Austria
- Last verified: 2026-04-13
- Sources:
  - https://www.hintbox.eu/en/

Notable

Two product tiers: Basic and Premium; both priced per employee band. Reporting form available in 30 languages; AI-based translation between handler and reporter. End-to-end encryption; 2FA; isolated per-customer database (no shared multi-tenant DB). Automatic virus scanning and metadata removal from uploads. Multi-client capability for group companies operating multiple entities. Optional add-ons: phone bot intake and email intake. Premium tier adds dynamic no-code forms, live chat for caseworkers, and granular external-editor permissions. Hosted on Hetzner servers in Germany, ISO 27001-certified hoster. No public API published.

---

# hintcatcher

- Website: https://www.hintcatcher.com
- Headquarters: Göppingen, Germany
- Hosting: Germany; ISO 27001-certified hoster (hoster not named by vendor)
- Pricing: LITE €39, PLUS €59, PREMIUM €99 per month (net of VAT). PARTNER multi-tenant tier quote-based.
- Note: 1-month contract with 14-day notice period. No setup fee. Monthly billing. Pricing is flat — not tied to employee count.
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- National laws referenced: Germany (HinSchG); EU Directive 2019/1937
- Last verified: 2026-04-17
- Sources:
  - https://www.hintcatcher.com/en/
  - https://www.hintcatcher.com/en/imprint/

Notable

Operated by product kitchen GmbH (Göppingen, Baden-Württemberg), founded October 2019.
Flat pricing independent of employee count — unusual among German HinSchG tools where tiered-by-headcount is the norm. Four tiers: LITE, PLUS, PREMIUM (self-serve monthly) and PARTNER (multi-tenant reseller solution, quote only). End-to-end encryption; reports accessible only to the whistleblower and selected caseworkers. Anonymous two-way dialogue between whistleblower and caseworker. Case management with audit-proof audit log; monitoring of legal deadlines and email notifications. Corporate design and custom texts on the reporting office; custom domain available on request (optional / add-on). Oral hint reporting by voice recording is marked optional on every tier. Partner programme for law firms, external data protection officers, and ombudspersons. Hosted on servers in Germany at an ISO 27001-certified hoster; hoster not named in public materials. No public API documented.

---

# iBlow

- Website: https://iblow.eu
- Headquarters: Lisbon, Portugal
- Hosting: Amen (Portuguese hosting provider), per iBlow's privacy policy; specific data centre not named
- Pricing: Not published — all four tiers (Base, Value, Elite, Premium) quote-based. Tiers scale by collaborator count: 0–249, 250–499, 500–999, 1,000+.
- Note: No free trial advertised. Premium tier priced on request.
- Languages on reporting form: 4
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: no
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- National laws referenced: Portugal (Law 93/2021); EU Directive 2019/1937
- Last verified: 2026-04-17
- Sources:
  - https://iblow.eu/
  - https://iblow.eu/features-packages/
  - https://iblow.eu/about/
  - https://iblow.eu/privacy-policy/

Notable

Registered address: Rua Mouzinho da Silveira, 32, 1250-167 Lisboa, Portugal. Phone +351 210 987 308. Entire product positioning anchored on Portuguese Law 93/2021; the site publishes a nine-point summary of the law.
Four packages — Base, Value, Elite, Premium — differentiated primarily by: channels per customer (1 / 3 / 10 / request), team-manager seats (3 / 10 / 45 / request), support hours (1h / 4h / 6h / request), and collaborator band (0-249 / 250-499 / 500-999 / 1,000+). Communication languages capped at 4 across every tier. Single sign-on offered from Elite (SSO optional) and required with 2FA at Premium. No published pricing, hosting location, founding year, or ISO certifications on the public site. Complementary services mentioned: whistleblowing training, legal/HR guidance, “dedicated support team.” Fills a geographic gap in vendor coverage: no other Portugal-specific whistleblowing tool is currently listed. Privacy policy names Amen (Portuguese host) as data processor, plus Stripe for payments and InvoiceExpress for invoicing.

---

# ithikios

- Website: https://ithikios.com
- Headquarters: Spain
- Pricing: From €29/month for the whistleblowing channel. Enterprise and modular add-ons quote-based.
- Note: Free start option available. No hidden fees.
- Languages on reporting form: 7
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001
- National laws referenced: Spain (Ley 2/2023); ISO 37301 compliance alignment
- Last verified: 2026-04-14
- Sources:
  - https://ithikios.com/

Notable

Whistleblowing is one module of a broader modular compliance suite: Incident Manager (DORA, GDPR, NIS2), Rights Manager (consent), Policy Manager, Third Party Manager, Trust Center. Interface languages: Spanish, English, French, German, Italian, Portuguese, Catalan. 256-bit SSL; ISO 27001-certified servers; adapted to Spanish LOPD and EU GDPR. Anonymous and confidential reporting modes; teams/roles defined per risk category; case management with consolidated documentation. Cloud SaaS deployment — no customer infrastructure required.
Configurable without programming: colours, logo, messages, custom fields, multi-company, multiple integrated channels. Target customers include lawyers, consultants, and advisors through an affiliate partner program. Set-up and compliance achievable in hours (vendor-stated). No public API published as of verification date.

---

# Legality Whistleblowing (DigitalPA)

- Website: https://www.whistleblowing.software
- Headquarters: Cagliari, Italy (offices in Milan, Rome, Sulmona, and Barcelona)
- Pricing: Annual billing excluding VAT. Standard: from €29/month for <50 employees; Premium: from €41/month for <50 employees. Medium/Large/Enterprise tiers quote-based.
- Note: Annual billing only.
- Languages on reporting form: true
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001, ISO 37001 (anti-bribery), ISO 37002 (whistleblowing management), ISO 37301 (compliance management)
- National laws referenced: Italy (D.Lgs. 24/2023); Spain (Ley 2/2023); Germany (HinSchG)
- Last verified: 2026-04-14
- Sources:
  - https://www.whistleblowing.software/en/
  - https://www.whistleblowing.software/en/pricing-software-whistleblowing/

Notable

Operated by DigitalPA, an Italian software company with offices in Cagliari, Milan, Rome, Sulmona, and Barcelona. Multi-channel intake: written reports, voice recording, phone reports, and in-person meeting requests. Mobile reporter app available (Legality Whistleblowing Mobile app). Strong 2-factor authentication; fully anonymous or confidential reporting modes. Automatic AI translator of reports and messages between handler and reporter. Transcription of voice and telephone reports. Configurable investigation templates and investigation reports (Release 6.0, 2026). Multi-company configuration for groups of companies in the Premium tier.
Three tiers: Standard, Premium, Enterprise — each available across Small Business, Medium Company, Large Company sizing. Certified against ISO 27001, ISO 37001, ISO 37002, and ISO 37301. Target market spans public authorities as well as private companies. No public API published.

---

# LegalTegrity

- Website: https://legaltegrity.com
- Headquarters: Frankfurt am Main, Germany
- Hosting: Deutsche Telekom Open Telekom Cloud, Germany
- Pricing: Annual billing: Essential €588/year (€49/mo) for <50 employees; Professional 250 €1,188/year (€99/mo) for <250; Professional 1,000 €1,990/year (€165.83/mo) for <1,000; Enterprise on request for 1,000+.
- Note: 12-month contract, auto-renews annually. 3-month money-back guarantee.
- Languages on reporting form: 40
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (Open Telekom Cloud hosting)
- National laws referenced: Germany (HinSchG)
- Last verified: 2026-04-14
- Sources:
  - https://legaltegrity.com/en/home/
  - https://legaltegrity.com/en/pricing/

Notable

40+ languages available; 2 included in Professional plans, €29/month per additional language. Multi-channel intake: online reporting form and phone channel on every plan. Hosted on Deutsche Telekom’s Open Telekom Cloud (German data residency, ISO 27001-certified hoster). Chatbot defence on public reporting forms to filter automated submissions. Read-aloud function available from Professional tier upward. Corporate group / multi-entity configurations supported from Professional 250. 3 administrator accesses included in Professional tiers; €29/month per additional account. Premium add-ons: online trainings, OmbuTegrity (external ombudsperson / reporting-office operation). Bilingual customer service (German/English) via phone and email; premium phone support at Enterprise tier.
3-month money-back guarantee; cancellation requires 1 month notice before annual renewal. No public API or third-party integrations published.

---

# NAVEX

- Website: https://www.navex.com
- Headquarters: Lake Oswego, Oregon, United States
- Pricing: Not published — sales engagement required. NAVEX One platform sold by tier.
- Languages on reporting form: 75
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: yes
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (achieved December 2025), EU Data Privacy Framework
- National laws referenced: Germany (HinSchG); France (Sapin II); United Kingdom; United States (Sarbanes-Oxley, Dodd-Frank)
- Last verified: 2026-04-13
- Sources:
  - https://www.navex.com/en-us/
  - https://www.navex.com/en-us/data-privacy/
  - https://www.navex.com/en-us/company/press-room/

Notable

Acquired WhistleB (Stockholm) in December 2019; product retained as a separate EU-native offering alongside EthicsPoint. Acquisition by Goldman Sachs Alternatives + Blackstone consortium completed 14 October 2025. Reporting platform available in 75+ languages; phone hotline supported by interpretation services in 150+ languages. 24/7 multilingual phone hotline operated by NAVEX. ISO 27001 certification announced December 2025. EU Data Privacy Framework certified for cross-border data transfers. Data centres in both North America and the European Union. Whistleblowing is one module of the broader NAVEX One GRC platform (also includes policy management, third-party risk, ethics training, ESG modules). Vendor claims 75% of the Fortune 100 use NAVEX (figure cited on company materials). Pricing not published anywhere in vendor’s public materials; not included in this entry.

---

# osapiens

- Website: https://osapiens.com/solutions/whistleblower-protection/
- Headquarters: Mannheim, Germany
- Hosting: EU servers (vendor claim; specific data centre not disclosed)
- Pricing: Not published — demo required. Vendor describes 'flexible pricing tailored to company size.'
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: no
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO/IEC 27001:2017 (DEKRA), ISO 9001:2015 (DEKRA), SOC 2 Type II
- National laws referenced: EU Directive 2019/1937; Germany (HinSchG); Germany (LkSG — Supply Chain Act grievance mechanism); EU CSDDD
- Last verified: 2026-04-17
- Sources:
  - https://osapiens.com/solutions/whistleblower-protection/
  - https://osapiens.com/platform/
  - https://osapiens.com/imprint/
  - https://news.osapiens.com/about/

Notable

Whistleblowing is one of 25+ modules in the osapiens HUB (CSRD, EUDR, CSDDD, LkSG, PPWR, PFAS, REACH, RoHS, product compliance, supplier relationship management, carbon footprint, facility management, maintenance). Dual-purpose positioning: handles both EU Directive 2019/1937 reporting and the German Supply Chain Act (LkSG) grievance mechanism in a single application. Reporting supported “anonymously under a pseudonym or with personal identification” (vendor copy). AI-powered pre-grouping auto-categorises incoming reports by topic; cases auto-created, assigned, and routed per workflow. Positioned as “built in partnership with leading law firms”; audit trail with time-stamped records. Customizable reporting forms and workflows; vendor emphasises adaptability over a fixed template. Founded 2018 in Mannheim by Alberto Zamora, Stefan Wawrzinek, and Matthias Jungblut. January 14, 2026: closed $100M Series C led by Decarbonization Partners (BlackRock / Temasek JV) — Germany’s first unicorn of 2026. 300+ employees (newsroom bio) to 500+ (platform page); figures vary across vendor sources.
Reference customer named on product page: Bartels-Langness Handelsgesellschaft (Bela), German food retailer, 10,000+ employees / 15,000+ suppliers — deployed primarily for LkSG. Hosting is on “EU servers” per third-party directory listings; osapiens does not publish a dedicated trust or security page with data-centre details. No public pricing, no self-serve signup, no free trial — sales-led procurement only.

---

# SpeakUp

- Website: https://www.speakup.com
- Headquarters: Amsterdam, Netherlands
- Pricing: Not published — quote-based, scales by company size and feature selection.
- Languages on reporting form: 99
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: yes
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001, ISO 27002, ISO 27701, ISAE 3000 Type II (audited quarterly), TISAX
- National laws referenced: Germany (HinSchG); France (Sapin II); Netherlands; German Supply Chain Act (LkSG)
- Last verified: 2026-04-13
- Sources:
  - https://www.speakup.com/
  - https://www.speakup.com/about-us

Notable

Originally founded as People Intouch in 2004; rebranded to SpeakUp. Offices in Amsterdam, Bengaluru, and New York. Reporting form available in 99+ languages. Multi-channel intake: web, iOS app, Android app, phone hotline. Vendor publishes ISAE 3000 Type II audits performed quarterly (most other vendors run them annually). TISAX certification (automotive supply chain information-security standard). AI-assisted reporting and case resolution workflows. Vendor lists customers including Electrolux, Daimler, IKEA, BMW, and Mann+Hummel. Coverage extends to German Supply Chain Act (LkSG), NIS2, and DORA in addition to Directive 2019/1937. G2 named SpeakUp a 2025 Leader in whistleblowing software.

---

# Sygnanet

- Website: https://sygnanet.pl
- Headquarters: Poland
- Pricing: Annual billing, net of VAT. Standard: 4,000 zł/year (370 zł/month) for 2 report recipients.
Premium: 7,000 zł/year (650 zł/month) for 4 recipients. Enterprise: 10,000 zł/year (920 zł/month) for 6 recipients; each additional recipient 1,000 zł/year.
- Note: 25% discount for public bodies with fewer than 50 employees. Free trial available.
- Languages on reporting form: 12
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- National laws referenced: Poland (Act on the Protection of Whistleblowers, in force 25 September 2024)
- Last verified: 2026-04-14
- Sources:
  - https://sygnanet.pl/pl/
  - https://sygnanet.pl/pl/price-list

Notable

End-to-end encryption of reports and attachments; vendor states it has no access to report content. Two-factor authentication available as an option. Reporting form available in 12 languages; case-handler panel available in Polish, English, German, French (other languages possible on request). Anonymous, explicit, or optional-identity reporting modes; anonymous two-way correspondence between organisation and reporter. Report register, reports export, response templates, internal notes, delegation between handlers, full audit history. Periodic penetration testing. External reporting channel for public authorities bundled free for public bodies that purchase the internal-reporting licence. Training materials provided for both case handlers and employees; sample internal procedure template included. Operator SpecFile Project Sp. z o.o. also operates specfile.pl. No ISO 27001 certification published on the pricing page as of verification date. No public API published.

---

# Trusty Compliance

- Website: https://trusty.report
- Headquarters: Hünenberg, Zug, Switzerland
- Pricing: Credit-based — customers purchase credits usable across Trusty products. Specific subscription tiers not published on homepage.
- Note: 7-day free trial, no commitment.
- Languages on reporting form: 6
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- National laws referenced: Switzerland; Germany (HinSchG); Austria (HSchG)
- Last verified: 2026-04-14
- Sources:
  - https://trusty.report/

Notable

Reporting channel set up in under 5 minutes with intuitive dashboard (vendor-stated). Whistleblowing is one module in a broader compliance platform: Risk Screening & Management (QuickScreen360), EUDR Passport, Policy App, Third-Party Risk, and Trusty Academy (training/certification). Credit-based billing — credits are purchased once and spent across any Trusty product as needed. 7-day free trial available with no commitment. Interface languages: English, Spanish, German, French, Italian, Portuguese. Swiss-registered company; localized whistleblowing policies offered for DE, IT, ES, PL, CZ, SK and other jurisdictions. Positioned as “compliance-as-one-platform” — policies, training, reporting channels, and risk all in one environment. No ISO 27001 certification published on the homepage as of verification date. No public API or third-party integrations published.

---

# Vispato

- Website: https://vispato.com
- Headquarters: Germany
- Hosting: DATEV-hosted servers, Germany
- Pricing: Business: €79/month flat with unlimited users, cases, and storage. Enterprise: custom quote.
- Note: 12-month minimum term. No free trial; demo required before signup.
- Languages on reporting form: 18
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (hosting), WCAG 2.1 AA
- National laws referenced: Germany (HinSchG / DGCK); France (Sapin II); United Kingdom (FCA); United States (SOX Section 301)
- Last verified: 2026-04-14
- Sources:
  - https://vispato.com/en/home/
  - https://vispato.com/en/pricing/

Notable

Single flat price of €79/month regardless of organisation size; unlimited users, cases, and storage. No setup costs, no hidden fees, no consulting upsells. 18 languages available on the reporting form. Hosted on DATEV-managed servers in Germany; system can also be hosted in alternate regions to meet data-residency requirements. ISO 27001-certified hosting; WCAG 2.1 AA accessibility compliance. Part of HR WORKS, described by the vendor as a leading DACH HR software group with 25 years of experience. Enterprise tier adds custom branding, multiple reporting portals, custom domain, custom reporting tools, SSO, and custom payment terms. Setup described as immediate post-signup; no lengthy rollout process. Partner program available. No public API or third-party integrations published.

---

# Whispli

- Website: https://www.whispli.com
- Headquarters: Sydney, Australia (Paris office)
- Pricing: Not published — enterprise sales engagement required.
- Languages on reporting form: 70
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: yes
- Free trial: no
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (system level)
- National laws referenced: France (Sapin II); Germany (HinSchG); United States (Sarbanes-Oxley); Australia (APRA CPS 230)
- Last verified: 2026-04-14
- Sources:
  - https://www.whispli.com/

Notable

Reporting form available in 70+ languages.
Multi-channel intake: web form, mobile app (iOS/Android), and Voice AI phone hotline. Voice AI module transcribes verbal disclosures into structured cases with anonymity protections. Regional hosting options in EU, North America, and Asia; customer selects jurisdiction and cloud provider. Anonymity by design: no IP addresses, device identifiers, or metadata collected. Reporters represented by unique pictograms via the proprietary Safe Inbox. Customer-managed encryption keys available. ISO 27001 certified at system level; routine third-party penetration testing. Separate product modules: Whispli Core (case management), Whispli Disclosures (conflicts of interest, gifts and hospitality), Whispli Voice AI. Integrated Pulse Survey module for culture monitoring alongside whistleblower reporting. Explicitly positions for EU Whistleblower Protection Directive, SOX, APRA CPS 230, and GDPR-compliant data processing. Pricing is not published on vendor materials; enterprise sales process required.

---

# Whistleblower Software (Formalize)

- Website: https://whistleblowersoftware.com
- Headquarters: Copenhagen, Denmark
- Pricing: Annual billing: €70 (0–49), €80 (50–249), €135 (250–499), €215 (500–999), €285 (1,000–1,999) per month. Contact sales for 2,000+.
- Note: 14-day free trial, no credit card. 30-day notice required before annual renewal.
- Languages on reporting form: 80
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: yes
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001 (organisation and hosting), ISAE 3000 Type 2, 2024 penetration testing certification
- National laws referenced: Denmark; Germany (HinSchG); France (Sapin II); Italy (D.Lgs. 24/2023); Spain (Ley 2/2023)
- Last verified: 2026-04-13
- Sources:
  - https://whistleblowersoftware.com/en/pricing
  - https://formalize.com/en

Notable

Originally branded WhistleblowerSoftware.com; parent company rebranded to Formalize. Whistleblower Software is one of several products in the broader Formalize compliance suite (also covers NIS2, DORA, ISO 27001, GDPR, GRC). Reporting form available in 80+ languages; vendor support in 12. End-to-end encryption; vendor states case content is inaccessible to platform staff. Two-factor authentication, IP whitelisting, SSO via OAuth and SAML 2.0. Public API for integrations. Trust Center surfaces compliance documentation in a customer-branded portal. Implementation typically completed in ~45 minutes with onboarding consultant (vendor-stated). G2 score: 4.9/5 across 157+ reviews (G2 Top Rated). Annual billing only — no monthly option. Vendor lists 500+ consultancy partners including PwC, Baker McKenzie, Fieldfisher, BDO, DLA Piper, and Osborne Clarke.

---

# Whistlelink

- Website: https://whistlelink.com
- Headquarters: Sweden
- Pricing: Tiered by employee count: €79 (0–49), €99 (50–149), €149 (150–249), €199 (250–499), €299 (500–999), contact for 1,000+. Annual subscription.
- Note: 30-day free trial, no credit card required.
- Languages on reporting form: 50
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: yes
- Public API: no
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001
- National laws referenced: Sweden; Denmark; Finland; Norway; Germany (HinSchG); France (Sapin II)
- Last verified: 2026-04-13
- Sources:
  - https://whistlelink.com/pricing/

Notable

Reporting form available in 50+ languages with multilingual auto-translation between handler and reporter. Supports voice recording with distortion for anonymity. Multi-channel intake: written form, voice recording, QR code / short link.
AI-generated case summaries and automated workflow escalations. Single Sign-On, multi-factor authentication, granular role permissions. Tamperproof audit log; metadata removal from uploads. Legal hold functionality and configurable GDPR retention periods. Multi-entity / group company configurations supported. WCAG accessibility compliance. Two paid add-ons: Hotline Live (24/7 live-operator phone intake) and Intake Management (third-party first-receiver service). Annual subscription billing; cancellation possible at any time, service runs to end of period. No public API or self-serve integrations published.

---

# Witik

- Website: https://www.witik.io
- Headquarters: France
- Hosting: France ('100% french-made platform', vendor copy); no specific data centre published
- Pricing: Sapin II (incl. internal alerts / whistleblowing): Starter free; Premium from €100/month ex-VAT for SMEs. GDPR: Starter free; Premium from €240/month ex-VAT.
- Note: Premium plans require 36-month commitment with annual payment. 14-day free trial advertised on Premium.
- Languages on reporting form: 7
- Anonymous reporting: yes
- Case management: yes
- Multi-channel intake: no
- Public API: yes
- Free trial: yes
- GDPR (vendor claim): yes
- EU Directive 2019/1937 (vendor claim): yes
- Certifications: ISO 27001, HDS (Hébergeurs de Données de Santé)
- National laws referenced: France (Sapin II / Loi Waserman); EU Directive 2019/1937; GDPR / RGPD; EU AI Act
- Last verified: 2026-04-17
- Sources:
  - https://www.witik.io/en/
  - https://www.witik.io/en/legislations/sapin-2-compliance/
  - https://www.witik.io/en/features/sapin-2/internal-whistleblowing-system/
  - https://www.witik.io/tarifs/rgpd/

Notable

Founded 2020; positions itself as a “100% French-made” GRC platform. Modules: GDPR/RGPD, Sapin II (anti-corruption, including internal alerts), and EU AI Act compliance.
Sapin II module bundles four components: internal alerts (whistleblowing), anti-corruption controls, gifts & invitations, and conflicts of interest. Whistleblowing features: ready-to-use alert form, anonymous reporting, automated deadline tracking, secure two-way communication. Public API with webhook engine; integrations advertised via these hooks rather than a marketplace. Certifications: ISO 27001, HDS (French health-data hosting accreditation), plus EcoVadis Bronze (sustainability rating, non-security). Hosting: France exclusively, on a “cloud de confiance” (trusted cloud) per vendor copy; specific data centre not named. Site UI available in 7 languages; the EU-language-coverage breakdown for the reporting form itself is not enumerated on public pages. Starter (free) tier exists on both GDPR and Sapin II modules with sharp limits; Premium subscription is the production tier. Fits the module-based pattern also represented in the directory by Clym (privacy suite) and osapiens (ESG suite).

---

## Guide

# EU Directive 2019/1937 on whistleblower protection

A practical guide for organisations that need to understand and comply with the European Union's Whistleblower Protection Directive.

Key compliance deadlines

- 17 December 2021 — Deadline for member states with 250+ employee threshold
- 17 December 2023 — Deadline extended to organisations with 50–249 employees
- All EU member states have now transposed the Directive into national law

What is the Whistleblower Protection Directive?

Directive (EU) 2019/1937 of the European Parliament and of the Council, adopted on 23 October 2019, establishes common minimum standards for the protection of persons reporting breaches of Union law. It requires organisations to set up secure, confidential reporting channels and prohibits retaliation against whistleblowers.
The Directive covers a broad range of EU law areas, including public procurement, financial services, product safety, environmental protection, food safety, public health, consumer protection, data protection, and more.

Who must comply?

The Directive requires internal reporting channels for:

- Private sector organisations with 50 or more employees
- All public sector entities, including municipalities and government bodies
- Financial sector entities, regardless of size (banks, insurance, investment firms)
- Organisations in regulated sectors covered by EU law (AML, aviation safety, etc.)

Note that individual member states may set broader requirements in their national transposition. Always verify the specific obligations in each jurisdiction where your organisation operates.

Core requirements

Organisations subject to the Directive must:

1. Establish internal reporting channels

   Provide secure channels that allow workers to report breaches confidentially. Channels must accept reports in writing (online platform, email, postal) and/or orally (telephone hotline, voice messaging). The channel must ensure the confidentiality of the reporting person’s identity.

2. Designate a responsible person or department

   Assign an impartial person or department to receive and follow up on reports. This function must have the authority to conduct investigations and must operate independently from management that could be subject to reports.

3. Follow prescribed timelines

   - 7 days — Acknowledge receipt of the report to the whistleblower
   - 3 months — Provide feedback to the whistleblower on the follow-up actions taken
   - Maintain records of all reports in compliance with data protection requirements

4. Protect whistleblowers from retaliation

   The Directive prohibits any form of retaliation, including dismissal, demotion, intimidation, damage to reputation, and blacklisting. Member states must provide effective remedies and support measures for reporting persons who suffer retaliation.

5. Ensure data protection compliance

   All personal data collected through the reporting channel must be processed in accordance with the General Data Protection Regulation (GDPR). Data must be stored only as long as necessary and access must be limited to authorised personnel.

Penalties for non-compliance

Member states define their own penalty regimes in national transposition laws. Penalties may be imposed for:

- Failing to establish reporting channels
- Obstructing or attempting to obstruct reporting
- Retaliating against reporting persons
- Breaching confidentiality obligations
- Bringing vexatious proceedings against reporting persons

In Germany, for example, the Hinweisgeberschutzgesetz (HinSchG) provides for fines of up to €50,000 for failing to establish a reporting channel and up to €100,000 for retaliation. Other member states have similar penalty ranges.

National transpositions

Each EU member state has transposed (or is in the process of transposing) the Directive into national law, often with additional requirements:

- Germany — Hinweisgeberschutzgesetz (HinSchG), in force since July 2023
- France — Loi Sapin II (updated 2022), with broader scope than the Directive
- Sweden — Visselblåsarlagen, in force since December 2021
- Denmark — Lov om beskyttelse af whistleblowere, in force since December 2021
- Netherlands — Wet bescherming klokkenluiders, updated February 2023
- Poland — Ustawa o ochronie sygnalistów, in force since September 2024

Choosing a reporting channel solution

When selecting a digital reporting platform to meet the Directive’s requirements, organisations should evaluate:

- Compliance coverage — Does the platform support all jurisdictions where you operate?
- Anonymous reporting — Can reporters submit reports without identifying themselves?
- Two-way communication — Can the designated person communicate with the reporter while maintaining anonymity?
- Deadline tracking — Does the platform enforce the 7-day and 3-month response deadlines?
- Data hosting — Is data processed and stored within the EU, in compliance with GDPR?
- Audit trail — Does the platform maintain a complete record of all actions for compliance documentation?
- Deployment speed — How quickly can the channel be operational?

Compare reporting platforms

We maintain an independent directory of whistleblower reporting tools evaluated against EU Directive 2019/1937 requirements.

---