Independent scored ranking of whistleblower-reporting tools for Bulgaria under the Act on Protection of Persons Reporting or Publicly Disclosing Information on Breaches, the local transposition of EU Directive 2019/1937. 25-criterion rubric fixed before scoring; every score carries evidence.
Tools scored
5
Base max
50
Bulgaria bonus max
6
Rubric version
v2
Bulgaria is thinner than Romania, but it is not empty. The visible field today is one real Bulgaria-native software product, several imported tools with live Bulgarian-language commercial surfaces, and a larger ring of advisory-led offers whose underlying product is not independently reviewable.
This edition therefore uses two layers:
the 50-point base rubric, which stays country-agnostic and scores the product itself: legal workflow depth, reporter experience, handler workflow, security posture, and commercial clarity;
the 6-point Bulgaria modifier, which rewards explicit Bulgarian-law posture, a named Bulgaria-acceptable hosting disclosure, and a real Bulgarian-language reporter / handler surface.
That combination penalises the three most common Bulgaria-market failure modes: service-heavy compliance wrappers with no independently reviewable software; imported tools with Bulgarian localisation but no local-law posture; and local offers with credible law framing but weak commercial or security disclosure.
This ranking is software-only and includes both Bulgaria-native vendors and foreign tools with concrete Bulgarian-language or Bulgaria-market go-to-market signal. Law-firm, hotline, or investigations-led services are excluded unless the underlying whistleblowing product is independently reviewable.
Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €49/month plan.
45 / 56
Base 41 · Bonus 4 · Tier P+R+H
Legal
14/16
Reporter
8/10
Handler
9/10
Security
5/8
Commercial
5/6
Strengths
Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21
Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes
Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
Two-factor reporter access: Case ID + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox; identifier is separated from secret
Modern stack with no EOL liabilities: Rails 8 + Turbo + Tailwind 4; no CKEditor or jQuery
Transparent monthly pricing (€49/mo) with 8 live product locales, including Greek
Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged and the assignee is notified automatically
Weaknesses
No structured intake questions: schema is Subject + Description + Files; does not ask relationship-to-org, source-of-info, prior reporting, or retaliation concerns
Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
Only 8 portal-facing languages (7 EU official languages + Luxembourgish) against 24 EU official languages
No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
Pay-first with 30-day money-back rather than upfront self-serve free trial
Standout
Article-level Directive framing backed by code that actually runs the deadline, retention, and two-factor passcode flows.
Poland · Whistleblowing platform with public monthly pricing, self-serve trial, and 25-language product coverage, legally seated in Poland.
27 / 56
Base 25 · Bonus 2 · Tier P
Legal
5/16
Reporter
7/10
Handler
4/10
Security
2/8
Commercial
6/6
Strengths
Transparent pricing with public monthly billing, self-serve trial, and no cancellation fees
French-language marketing path is live, alongside 25-language product coverage claims
Custom forms, encrypted two-way communication, and task / action workflows are all surfaced publicly
Weaknesses
France-law positioning is thin; no public Waserman or Sapin II framing was found
Hosting and security posture remain under-documented publicly
Reporter return-access mechanism is not documented publicly
Standout
WeMoral has one of the strongest commercial surfaces in the set: public monthly pricing, a self-serve trial, and a clear feature page without forcing a sales cycle.
Sofia, Bulgaria · Bulgarian whistleblowing platform built with Transparency International Bulgaria and Happy Company, with public BGN pricing, live login and registration, and explicit local-law positioning.
24 / 56
Base 20 · Bonus 4 · Tier P
Legal
5/16
Reporter
6/10
Handler
5/10
Security
2/8
Commercial
2/6
Strengths
Strongest Bulgaria-native law posture in the set: explicit local-law framing and buyer targeting around the Bulgarian regime
Public monthly pricing by employee band is better than the usual Bulgaria market opacity
Live login and registration endpoints plus a real app bundle expose more software signal than a normal brochure site
App bundle exposes public reporting pages, correspondence modes, hidden staff-only notes, and status labels
Weaknesses
Commercial conversion is still contact-led despite public pricing
Hosting country is not disclosed publicly
Anonymous reporting is qualified by the vendor's own legal explainer: anonymous written reports do not initiate proceedings
Security and trust posture is thinner than the stronger imported tools: no public ISO 27001 certification or sub-processor posture
Standout
Confidential Reporting System is the clearest Bulgaria-native software entry, but it still behaves more like an institutional local platform than like a polished self-serve SaaS.
Switzerland · Swiss whistleblowing SaaS with Bulgarian and Romanian language pages, public pricing, and a free starter tier.
22 / 56
Base 21 · Bonus 1 · Tier P
Legal
4/16
Reporter
3/10
Handler
7/10
Security
1/8
Commercial
6/6
Strengths
Bulgarian and Romanian commercial entry points are live even though the vendor is Swiss
Commercial transparency is strong: free starter tier, public monthly pricing, and no-credit-card messaging
Public product scope is broad for P-tier review: multi-channel intake, case management, multi-org support, and multiple user roles
Weaknesses
No explicit Bulgaria-law or Romania-law positioning found
Hosting is framed around Switzerland rather than named EU residency
Public pricing pages load a WordPress TinyMCE asset chain, which weakens the trust posture under the EOL-components check
Security claims are broad, but no public ISO 27001 or equivalent certification was found
Standout
Phoenix is a real software competitor with a better self-serve commercial surface than most local Bulgaria- and Romania-facing challengers, but a much weaker local-law posture.
Greece (Athens) · Greek whistleblowing-services provider with ISO 27001, ISO 27701, ISO 37001, and ISO 37002 certifications, deployed across 11 countries.
18 / 56
Base 16 · Bonus 2 · Tier P
Legal
5/16
Reporter
4/10
Handler
2/10
Security
5/8
Commercial
0/6
Strengths
Bulgarian-language market entry is real, not just theoretical: a dedicated /bg/ commercial surface is live
Anonymous reporting plus an open communication channel are documented publicly
Trust posture is stronger than most local challengers: ISO 27001, ISO 27701, ISO 37001, and ISO 37002 are all claimed publicly
Microsoft Azure hosting in Western Europe is disclosed publicly
Weaknesses
Commercial surface is opaque: no pricing, no self-serve trial, and no monthly contract signal
Bulgaria-specific legal framing is weak; the page references whistleblower laws generically rather than the Bulgarian act itself
Handler workflow remains thin at public-page tier: no explicit status workflow, reminders, or role model are documented
Standout
Fraud Line looks credible as a managed software-plus-services operator, but it scores like a service-heavy platform rather than like a transparent product SaaS.
25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. Bulgaria-specific bonuses add up to 6 on top (modifier, not part of base).
Access tiers
Each tool carries an access tier reflecting what was testable:
P — public pages only (marketing, pricing, security, reporter URL).
P + R — above plus a test report submission.
P + R + H — above plus handler / admin dashboard (via free trial or demo).
Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.
Integrity guarantees
The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
Each tool carries a Last reviewed date and is re-tested at least annually.
Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.
Law applied
Act on Protection of Persons Reporting or Publicly Disclosing Information on Breaches (the Bulgaria transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.
Coverage note
This ranking covers 5 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.