EU Whistleblower Directory

Edition I, 2026 · Tested April 2026

Whistleblowing software ranking — France

Independent scored ranking of whistleblower-reporting tools for France under Loi Waserman (Loi n° 2022-401) and Sapin II. 25-criterion rubric fixed before scoring; every score carries evidence.

Tools scored: 11 · Base max: 50 · France bonus max: 8 · Rubric version: v2

France is one of the few EU markets where the local bonus genuinely matters. A generic “EU Directive compliant” claim is not enough here: buyers ask whether the vendor understands Loi Waserman, whether Sapin II is still in scope for larger organisations, and whether the product feels credible in a French procurement context.

This edition therefore mixes two layers:

  • the 50-point base rubric, which is country-agnostic and measures product quality, security posture, pricing transparency, and workflow depth;
  • the 8-point France modifier, which rewards explicit Waserman / Sapin II framing, French-language UI, and France-specific residency where it is publicly offered.

The result is a ranking that penalises two common failure modes in the French market: old domestic products with strong local positioning but weak product depth, and strong global products with almost no France-law posture.

TOP 11 — summary

| # | Tool | Tier | Base / 50 | France bonus / 8 | Total | Last reviewed |
|---|------|------|-----------|------------------|-------|---------------|
| 1 | EthicsPortal | P+R+H | 41 | 5 | 46 | 2026-04-21 |
| 2 | FaceUp | P+R+H | 35 | 2 | 37 | 2026-04-20 |
| 3 | Whispli | P | 26 | 8 | 34 | 2026-04-21 |
| 4 | Alertcys | P | 22 | 8 | 30 | 2026-04-21 |
| 5 | WeMoral | P | 25 | 2 | 27 | 2026-04-21 |
| 6 | Witik | P | 19 | 7 | 26 | 2026-04-19 |
| 7 | EQS Integrity Line | P | 21 | 4 | 25 | 2026-04-20 |
| 8 | IntegrityLog | P | 23 | 2 | 25 | 2026-04-21 |
| 9 | Whistleblower Software (Formalize) | P | 21 | 3 | 24 | 2026-04-20 |
| 10 | NAVEX | P | 17 | 6 | 23 | 2026-04-20 |
| 11 | Signalement.net | P | 15 | 6 | 21 | 2026-04-21 |

Criterion-by-criterion matrix

Legend: ● fully meets · ◐ partially meets · ○ does not meet / not verifiable

Columns, in order: EthicsPortal · FaceUp · Whispli · Alertcys · WeMoral · Witik · EQS Integrity Line · IntegrityLog · Whistleblower Software (Formalize) · NAVEX · Signalement.net
Legal compliance · 16 pts max
A1 Local transposition law referenced with article numbers
A2 Directive 2019/1937 Article 2(1) categories in intake
A3 Anonymous reporting default-on or equal-status
A4 7-day acknowledgment + 3-month feedback deadline tracking
A5 Configurable retention with automatic deletion
A6 Report register / log
A7 Append-only handler audit trail
A8 DPA + DPIA support documented
Reporter experience · 10 pts max
B9 Web form, mobile-responsive, with file upload
B10 Two-factor reporter access (Case ID + passcode)
B11 Two-way anonymous communication
B12 Structured intake aligned to Article 2(1)
B13 Reporter form in local language
Handler experience · 10 pts max
C14 Case management dashboard with status workflow
C15 Assign cases to handlers (rotation or multi-handler)
C16 Deadline reminder notifications
C17 Internal notes (not visible to reporter)
C18 Role-based access control (≥3 roles)
Security and trust · 8 pts max
D19 ISO 27001 certified
D20 No EOL software components
D21 EU data residency with country disclosed
D22 Sub-processor list + right to object
Commercial · 6 pts max
E23 Published pricing
E24 Free trial available (self-serve)
E25 Monthly contract option
France bonus · 8 pts max · modifier, not in base
FR·WASERMAN Loi Waserman compliance stated
FR·SAPIN2 Sapin 2 compliance stated
FR·RESIDENCY France data residency available
FR·UI French-language UI (reporter + handler)
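Total: EthicsPortal 46 · FaceUp 37 · Whispli 34 · Alertcys 30 · WeMoral 27 · Witik 26 · EQS Integrity Line 25 · IntegrityLog 25 · Whistleblower Software (Formalize) 24 · NAVEX 23 · Signalement.net 21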

Per-tool reviews

#1

EthicsPortal

Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €49/month plan.

46 / 58
Base 41 · Bonus 5 · Tier P+R+H
Legal 14/16 · Reporter 8/10 · Handler 9/10 · Security 5/8 · Commercial 5/6

Strengths

  • Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21
  • Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes
  • Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
  • Two-factor reporter access: Case ID + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox; identifier is separated from secret
  • Modern stack with no EOL liabilities: Rails 8 + Turbo + Tailwind 4; no CKEditor or jQuery
  • Transparent monthly pricing (€49/mo) with EN/FR/PL UI
  • Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged and the assignee is notified automatically

Weaknesses

  • No structured intake questions: schema is Subject + Description + Files; does not ask relationship-to-org, source-of-info, prior reporting, or retaliation concerns
  • Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
  • Only 3 portal-facing languages (EN/FR/PL) against 24 EU official languages
  • No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
  • Pay-first with 30-day money-back rather than upfront self-serve free trial

Standout

Article-level Directive framing backed by code that actually runs the deadline, retention, and two-factor passcode flows.

#2

FaceUp

Czech Republic · Whistleblowing and employee-relations platform from the Czech Republic.

37 / 58
Base 35 · Bonus 2 · Tier P+R+H
Legal 10/16 · Reporter 7/10 · Handler 10/10 · Security 6/8 · Commercial 2/6

Strengths

  • Perfect C-category score (10/10) — handler experience is the strongest of any tool reviewed so far
  • Unmatched RBAC granularity: 4 modules (Cases, Analytics, Settings, Surveys) × multiple permissions per module × per-case scoping ('All / Specific categories / Only assigned')
  • Three-phase Investigation workflow (Start → In progress → End) with structured fields: Date of start, Reported by, Raised against, Witnesses, Investigator
  • Configurable data retention with auto-delete (12/24/36/60 months) AND 30-day default auto-due-date
  • Explicit EU data residency: AWS eu-west-1 (Ireland), country-disclosed in org settings
  • End-to-end encryption offered as a toggle with honest trade-off disclosure (Recovery Key requirement stated)
  • Self-serve 7-day trial with no credit card required
  • 113 reporting languages covers every EU official language, including FR and EL

Weaknesses

  • No article-level Directive citations — the product knows about the Directive but does not map features to Articles 4, 6, 8, 9, 16, 18 the way EthicsPortal does
  • Default category taxonomy (Bullying / OHS / Theft-corruption / Other) overlaps Art 2(1) partially but is not Directive-aligned
  • Pricing is quote-only: three tiers visible (Starter / Professional / Enterprise), no euro amounts published; drops E-category to 2/6
  • No monthly-cancellable contract option visible on the pricing page
  • Loi Waserman and Law 4990/2022 not mentioned on public pages — depresses FR and GR country bonuses
  • Sub-processor list not surfaced during this review (may exist in Trust Center, not verified)
  • Reporter access mechanism (single UUID vs Case ID + passcode) not verified in this session

Standout

Handler-side product maturity is the strongest in the review. Case-management, investigation workflow, RBAC, and activity logging are all enterprise-grade. The gaps are in country-specific legal framing and commercial transparency, not in the product itself.

#3

Whispli

Sydney, Australia (Paris office) · Enterprise case management and whistleblowing platform. Operates in 60+ countries.

34 / 58
Base 26 · Bonus 8 · Tier P
Legal 7/16 · Reporter 7/10 · Handler 5/10 · Security 7/8 · Commercial 0/6

Strengths

  • Strong France-specific legal framing: dedicated Loi Waserman page plus separate Sapin II positioning
  • Enterprise-grade intake breadth: web, mobile app, and Voice AI hotline in one product
  • Customer-managed encryption keys and selectable hosting jurisdiction are rare at public tier

Weaknesses

  • Pricing is fully sales-gated; public materials point to a 3-year contract and annual payment
  • Directive Article 2(1) breach taxonomy is not documented publicly
  • Reporter return-access mechanism is not documented publicly
  • Most handler-depth evidence stays at marketing level because no self-serve trial exists

Standout

Among the France-market tools reviewed, Whispli is the strongest combination of Waserman/Sapin II positioning and enterprise-grade security architecture at public tier.

#4

Alertcys

France · French whistleblowing and psychosocial-risk platform with published annual pricing and optional outsourced mediation.

30 / 58
Base 22 · Bonus 8 · Tier P
Legal 5/16 · Reporter 7/10 · Handler 3/10 · Security 4/8 · Commercial 3/6

Strengths

  • One of the clearest public pricing pages in the France market
  • Strong France-specific copy: Sapin II and Loi Waserman are both explicit on public pages
  • France-hosted platform, mediator-led exchange, and a structured multi-step reporter form are all publicly observable

Weaknesses

  • Public product detail is thin: no documented reporter access mechanism, no structured intake, no public handler demo
  • No public security certifications or sub-processor documentation found
  • Annual contract model with referent caps is less flexible than monthly self-serve tools

Standout

Alertcys is a France-native commercial offer first: public annual pricing, France-law framing, and optional outsourced handling make it easy for a buyer to understand the package before any sales call.

#5

WeMoral

Poland · Whistleblowing platform with public monthly pricing, self-serve trial, and 25-language product coverage, legally seated in Poland.

27 / 58
Base 25 · Bonus 2 · Tier P
Legal 5/16 · Reporter 7/10 · Handler 4/10 · Security 2/8 · Commercial 6/6

Strengths

  • Transparent pricing with public monthly billing, self-serve trial, and no cancellation fees
  • French-language marketing path is live, alongside 25-language product coverage claims
  • Custom forms, encrypted two-way communication, and task / action workflows are all surfaced publicly

Weaknesses

  • France-law positioning is thin; no public Waserman or Sapin II framing was found
  • Hosting and security posture remain under-documented publicly
  • Reporter return-access mechanism is not documented publicly

Standout

WeMoral has one of the strongest commercial surfaces in the set: public monthly pricing, a self-serve trial, and a clear feature page without forcing a sales cycle.

#6

Witik

France · French GRC platform (GDPR + Sapin II + AI Act). Whistleblowing lives inside the Sapin II module; Premium from €100/month.

26 / 58
Base 19 · Bonus 7 · Tier P
Legal 4/16 · Reporter 6/10 · Handler 2/10 · Security 4/8 · Commercial 3/6

Strengths

  • French-sovereign infrastructure: ISO 27001 + HDS, hosted in France
  • Two-way anonymous messaging (chat box confidentielle) for reporter–handler threads
  • Published starting price (€100 HT/month) — unusual for FR compliance tools

Weaknesses

  • No Directive 2019/1937 reference anywhere on the site; Loi Waserman mentioned only in one FAQ line, no article citation
  • 36-month contract is still the default commercial model; monthly billing only exists as a surcharge option
  • No public reporter demo; most product proof remains marketing-page level
  • Ad-hoc breach taxonomy; not aligned to Directive 2019/1937 Article 2(1)
  • Two-factor reporter access not documented

Standout

French-sovereign stack (ISO 27001 + HDS, France-hosted) — a real differentiator for healthcare, public sector, and mutuals who rule out most pan-EU vendors.

#7

EQS Integrity Line

Munich, Germany · Whistleblowing module of the EQS Compliance COCKPIT. Three tiers; quote-based.

25 / 58
Base 21 · Bonus 4 · Tier P
Legal 4/16 · Reporter 9/10 · Handler 2/10 · Security 4/8 · Commercial 2/6

Strengths

  • Customer holds the encryption key: PGP with 2048-bit RSA — vendor states case content is inaccessible to EQS staff. Unique in this review.
  • 80+ reporter languages including 19 EU languages (both FR and EL covered)
  • ISO 27001 certified + WACA Bronze (WCAG 2.1) on reporter form — accessibility claim backed by third-party audit
  • Part of publicly-traded EQS Group AG (Frankfurt Stock Exchange), with strong consolidation track record (Got Ethics 2020, Business Keeper 2021, Convercent 2024)
  • Essential tier offers a free trial and days-to-deploy timeline

Weaknesses

  • No article-level Directive citations on public pages reviewed
  • Neither Loi Waserman nor Law 4990/2022 cited despite supporting FR and international markets
  • Pricing entirely quote-only for all three tiers (Essential / Professional / Enterprise)
  • Telephone reporting channel only on Professional / Enterprise tiers — gated behind upgrade
  • Professional / Enterprise rollout 4–8 weeks (vendor-stated) — slow for self-serve expectations
  • Most Directive-compliance criteria unverifiable at public tier

Standout

Customer-held encryption key (PGP 2048-bit RSA) is the strongest confidentiality claim reviewed. For buyers whose DPO reviews key custody, EQS has an answer no other incumbent matches.

#8

IntegrityLog

France · Whistleblowing module inside the ComplyLog compliance suite, with free trial and ISO 27001 platform positioning.

25 / 58
Base 23 · Bonus 2 · Tier P
Legal 6/16 · Reporter 8/10 · Handler 7/10 · Security 4/8 · Commercial 0/6

Strengths

  • Public product detail is unusually concrete for a quote-led tool: statuses, reminders, permissions, and communication are all surfaced
  • French-language product surface plus ISO 27001 positioning make it easier to shortlist than many local incumbents

Weaknesses

  • No explicit public Waserman or Sapin II framing found
  • Pricing is not published publicly
  • Reporter return-access mechanism and append-only audit guarantees are not documented publicly

Standout

IntegrityLog is the strongest 'quiet' entrant in the France set: less legal-marketing theatre than local incumbents, but more public product detail and a real free-trial path.

#9

Whistleblower Software (Formalize)

Copenhagen, Denmark · Whistleblower Software product from Formalize (Copenhagen). Tiered €70–€285/month by employee count.

24 / 58
Base 21 · Bonus 3 · Tier P
Legal 5/16 · Reporter 6/10 · Handler 2/10 · Security 4/8 · Commercial 4/6

Strengths

  • Strongest third-party credentials reviewed: ISO 27001 + ISAE 3000 Type 2, G2 4.9/5 across 157 reviews, 500+ consultancy partner network (PwC, Baker McKenzie, DLA Piper)
  • 80+ reporter languages and 23 EU languages — broadest multilingual coverage in the category
  • Self-serve 14-day trial with no credit card — lowest friction among market leaders
  • Transparent tiered pricing published (€70 / €80 / €135 / €215 / €285 per month by headcount band)

Weaknesses

  • No article-level Directive citations on public pages — the dedicated /eu-whistleblowing-directive-summary covers themes but not Articles 4, 6, 8, 9, 16, 18, 19–21 by number
  • Loi Waserman and Law 4990/2022 not explicitly referenced on the public site despite supporting FR and GR markets
  • Annual billing only — no monthly option, 30-day renewal notice required
  • Most Directive-compliance criteria (deadline tracking, retention config, register, audit trail specifics) not verifiable at public tier

Standout

Broadest language coverage in the category (80+ reporter / 23 EU) combined with the strongest cross-market credential stack (ISO 27001 + ISAE 3000 Type 2 + G2 Top Rated + enterprise consultancy network).

#10

NAVEX

Lake Oswego, Oregon, United States · EthicsPoint hotline and WhistleB platform within the NAVEX One GRC suite.

23 / 58
Base 17 · Bonus 6 · Tier P
Legal 4/16 · Reporter 8/10 · Handler 2/10 · Security 3/8 · Commercial 0/6

Strengths

  • Dedicated country-law resource pages (France / Germany / Spain / Sweden / Belgium) under /solutions/regulations/ — useful procurement artefact
  • Sapin II dedicated page under /solutions/regulations/sapin-ii-compliance/
  • ISO 27001 certified (December 2025) + EU Data Privacy Framework
  • 24/7 multilingual phone hotline in 150+ languages
  • 13,000+ customers / 10M+ reports processed (vendor-stated scale)

Weaknesses

  • No article-level EU Directive citations anywhere on public pages (despite having country-law resource hubs)
  • Pricing is entirely demo-gated: 'Get Pricing' CTA routes to a sales form
  • No self-serve trial on either EthicsPoint Essentials or Professional
  • Neither Loi Waserman nor Law 4990/2022 cited on public pages (country pages use generic 'French/German Whistleblower Protection Law' framing)
  • Most Directive-compliance criteria (deadline tracking, retention, register, audit trail) unverifiable at public tier

Standout

The compliance resource centre with country-specific landing pages is the most extensive reviewed. Useful for NAVEX's content marketing; not a product-quality signal.

#11

Signalement.net

France · France-hosted whistleblowing channel by Vaco, focused on anonymous alerts and a simple four-step handling flow.

21 / 58
Base 15 · Bonus 6 · Tier P
Legal 5/16 · Reporter 7/10 · Handler 1/10 · Security 2/8 · Commercial 0/6

Strengths

  • France-hosted and France-native in positioning
  • Sapin II framing is more concrete than many local competitors because public pages cite the law and decree
  • Anonymous reporting plus instant messaging are both public claims

Weaknesses

  • Very thin public product surface: deadlines, roles, retention, and audit semantics are mostly undocumented
  • No published pricing or self-serve trial
  • No public Waserman update / positioning found on the vendor surface reviewed

Standout

Signalement.net is narrow and domestic: it wins on France-hosting simplicity and Sapin II grounding, not on product depth or commercial transparency.

Methodology

Scoring rubric

25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. France-specific bonuses add up to 8 on top (modifier, not part of base).

Access tiers

Each tool carries an access tier reflecting what was testable:

  • P — public pages only (marketing, pricing, security, reporter URL).
  • P + R — above plus a test report submission.
  • P + R + H — above plus handler / admin dashboard (via free trial or demo).

Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.

Integrity guarantees

  1. The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
  2. Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
  3. Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
  4. Each tool carries a Last reviewed date and is re-tested at least annually.
  5. Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.

Law applied

Loi n° 2022-401 du 21 mars 2022 (Loi Waserman) + Loi Sapin II for 500+ organisations (the France transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.

Coverage note

This ranking covers 11 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.
