Independent scored ranking of whistleblower-reporting tools for Bulgaria under the Act on Protection of Persons Reporting or Publicly Disclosing Information on Breaches, the local transposition of EU Directive 2019/1937. 25-criterion rubric fixed before scoring; every score carries evidence.
Tools scored: 5 · Base max: 50 · Bulgaria bonus max: 6 · Rubric version: v2
Bulgaria is thinner than Romania, but it is not empty. The visible field today is one real Bulgaria-native software product, several imported tools with live Bulgarian-language commercial surfaces, and a larger ring of advisory-led offers whose underlying product is not independently reviewable.
This edition therefore uses two layers:
the 50-point base rubric, which stays country-agnostic and scores the product itself: legal workflow depth, reporter experience, handler workflow, security posture, and commercial clarity;
the 6-point Bulgaria modifier, which rewards explicit Bulgarian-law posture, a named Bulgaria-acceptable hosting disclosure, and a real Bulgarian-language reporter / handler surface.
That combination penalises the three most common Bulgaria-market failure modes: service-heavy compliance wrappers with no independently reviewable software; imported tools with Bulgarian localisation but no local-law posture; and local offers with credible law framing but weak commercial or security disclosure.
This ranking is software-only and includes both Bulgaria-native vendors and foreign tools with concrete Bulgarian-language or Bulgaria-market go-to-market signal. Law-firm, hotline, or investigations-led services are excluded unless the underlying whistleblowing product is independently reviewable.
Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.
52 / 56
Base 46 · Bonus 6 · Tier P+R+H
Legal 15/16 · Reporter 10/10 · Handler 10/10 · Security 6/8 · Commercial 5/6
Strengths
Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21 and links to a dedicated page for each of the 27 EU transpositions
All 27 EU national whistleblower laws are named on public /whistleblower-laws/<country>/ pages with official source citations, closing the BG/GR/RO legal-posture gap from the 2026-04-23 review
Oral reporting (Art 9(2)(b)) is built into the portal as in-browser voice recording, and is privacy-engineered rather than bolted on: the raw audio is automatically pitch-shifted, only the anonymized MP3 is ever served, and the original recording is purged after processing (fail-closed — no ffmpeg, no playback, raw never persists)
Report categories are tagged to specific Directive Art 2(1) Union-law domains (CATEGORY_TAXONOMY), with the article reference surfaced as a handler-side badge; reporters still pick plain-language categories
Structured intake: five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) presented as a skippable guided step, surfaced to handlers + PDF with retaliation flagged as an urgency badge — a built-in default set where competitors leave these to per-org custom-field configuration
Three role tiers (member / admin / viewer): viewer is a read-only seat for auditors and external counsel that sees every report plus the full audit trail without any write or management path, enforced at the Pundit layer
GDPR Art 20 portability: admins can export the full organization dataset (reports, messages, attachments, decrypted PII) as a ZIP; export and download are audit-logged and the ZIP auto-purges after 7 days
Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes; lifecycle stepper UI surfaces SLA timing in both reporter and handler views
Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
Two-factor reporter access: Case reference (WB-XXXX-XXXX) + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged)
Audit log surfaced to handlers as the third Turbo Frame tab on reports#show; append-only at DB level via PostgreSQL trigger blocking mutation of semantic fields
Modern stack with no EOL liabilities: Rails 8.1 + Turbo + Tailwind 4 + daisyUI 5; no CKEditor or jQuery
Transparent monthly pricing (€60/mo) with 9 live product locales (8 EU official languages — bg, de, el, en, fr, hr, pl, ro — plus Luxembourgish)
Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged, deactivated members auto-unassigned from open reports
Published DPA grants Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6); /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle
Zero-AI commitment codified contractually: DPA §6.10 prohibits transmission of personal data to any LLM or AI inference provider; /subprocessors/ lists no AI sub-processor
Weaknesses
Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
Only 9 portal-facing languages (8 EU official languages + Luxembourgish) against 24 EU official languages
No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
Pay-first with 30-day money-back rather than upfront self-serve free trial
Role tiers are org-scoped, not per-case ACLs: the viewer role added the auditor seat the rubric wanted, but a handler's report visibility is still governed by assignment/participant scoping rather than a per-case permission model
DPIA template not yet published as a customer-facing artifact on the public site
Standout
Article-level Directive framing paired with a 27-page country-law reference and privacy-engineered oral reporting, all backed by code that actually runs the deadline, retention, two-factor passcode, audit-log, voice-anonymization, and subprocessor-notification flows.
Sofia, Bulgaria · Bulgarian whistleblowing platform built with Transparency International Bulgaria and Happy Company, with public BGN pricing, live login and registration, and explicit local-law positioning.
24 / 56
Base 20 · Bonus 4 · Tier P
Legal 5/16 · Reporter 6/10 · Handler 5/10 · Security 2/8 · Commercial 2/6
Strengths
Explicit local-law framing and buyer targeting around the Bulgarian regime
Public monthly pricing by employee band
Live login and registration endpoints plus an app bundle expose public software evidence
App bundle exposes public reporting pages, correspondence modes, hidden staff-only notes, and status labels
Weaknesses
Commercial conversion is still contact-led despite public pricing
Hosting country is not disclosed publicly
Anonymous reporting is qualified by the vendor's own legal explainer: anonymous written reports do not initiate proceedings
Security and trust disclosures are limited: no public ISO 27001 certification or sub-processor posture
Standout
Confidential Reporting System is a Bulgaria-native software entry with local-law framing, public pricing, and contact-led procurement.
Switzerland · Swiss whistleblowing SaaS with Bulgarian and Romanian language pages, public pricing, and a free starter tier.
24 / 56
Base 23 · Bonus 1 · Tier H
Legal 4/16 · Reporter 7/10 · Handler 6/10 · Security 0/8 · Commercial 6/6
Strengths
Public pricing now shows a free Starter tier, Basic at $65/month or $650/year, Premium at $110/month or $995/year, and Enterprise custom pricing
Prior self-serve review provisioned a dedicated per-tenant subdomain and a working handler admin in minutes; public pages still describe the same setup shape
Public materials describe multi-channel intake, secure inbox communication, case management, pipelines, triage, roles, and dashboard reporting
Starter is published as a free plan with no credit card and no hidden fees; no time-limited free trial was found on public pages reviewed
Weaknesses
Starter setup page lists Switzerland, Singapore, and Indonesia as server-location options; no EU residency option was found on public pages reviewed
No public Bulgaria-law or Romania-law positioning was found on public pages reviewed
No ISO 27001 certification, public DPA, public sub-processor list, API documentation, or AI documentation was found on public pages reviewed
The Starter tier public feature list includes one Manager account only; Operator and Agent accounts are listed on the Premium tier
Standout
Public pages show self-serve pricing, a free Starter tier, BG/RO language surfaces, and published product features; DPA/sub-processor documentation and EU-only hosting were not found.
25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. Bulgaria-specific bonuses add up to 6 on top (modifier, not part of base).
Access tiers
Each tool carries an access tier reflecting what was testable:
P — public pages only (marketing, pricing, security, reporter URL).
P + R — above plus a test report submission.
P + R + H — above plus handler / admin dashboard (via free trial or demo).
Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.
Integrity guarantees
The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
Each tool carries a Last reviewed date and is re-tested at least annually.
Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.
Law applied
Act on Protection of Persons Reporting or Publicly Disclosing Information on Breaches (the Bulgaria transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.
Coverage note
This ranking covers 5 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.