Skip to main content
EU Whistleblower Directory

Edition I, 2026 · Tested April 2026

Whistleblowing software ranking — France

Independent scored ranking of whistleblower-reporting tools for France under Loi Waserman (Loi n° 2022-401) and Sapin II. 25-criterion rubric fixed before scoring; every score carries evidence.

Tools scored
11
Base max
50
France bonus max
8
Rubric version
v2

France is one of the few EU markets where the local bonus genuinely matters. A generic “EU Directive compliant” claim is not enough here: buyers ask whether the vendor understands Loi Waserman, whether Sapin II is still in scope for larger organisations, and whether the product feels credible in a French procurement context.

This edition therefore mixes two layers:

  • the 50-point base rubric, which is country-agnostic and measures product quality, security posture, pricing transparency, and workflow depth;
  • the 8-point France modifier, which rewards explicit Waserman / Sapin II framing, French-language UI, and France-specific residency where it is publicly offered.

The result is a ranking that penalises two common failure modes in the French market: old domestic products with strong local positioning but weak product depth, and strong global products with almost no France-law posture.

TOP 11 — summary

#ToolTierBase
/ 50		France bonus
/ 8		TotalLast reviewed
1EthicsPortal logo EthicsPortalP+R+H465512026-06-19
2Whispli logo WhispliP318392026-05-24
3IntegrityLog logo IntegrityLogP332352026-05-24
4BeSignal logo BeSignalP268342026-05-24
5WeMoral logo WeMoralP292312026-05-24
6NAVEX logo NAVEXP273302026-05-24
7Alertcys logo AlertcysP218292026-05-24
8EQS Integrity Line logo EQS Integrity LineP271282026-05-24
9FaceUp logo FaceUpP261272026-05-24
10Whistleblower Software (Formalize) logo Whistleblower Software (Formalize)P261272026-05-24
11Witik logo WitikP207272026-05-24

Criterion-by-criterion matrix

fully meets partially meets does not meet / not verifiable

CriterionEthicsPortal logo EthicsPortalWhispli logo WhispliIntegrityLog logo IntegrityLogBeSignal logo BeSignalWeMoral logo WeMoralNAVEX logo NAVEXAlertcys logo AlertcysEQS Integrity Line logo EQS Integrity LineFaceUp logo FaceUpWhistleblower Software (Formalize) logo Whistleblower Software (Formalize)Witik logo Witik
Legal compliance · 16 pts max
A1 Local transposition law referenced with article numbers
A2 Directive 2019/1937 Article 2(1) categories in intake
A3 Anonymous reporting default-on or equal-status
A4 7-day acknowledgment + 3-month feedback deadline tracking
A5 Configurable retention with automatic deletion
A6 Report register / log
A7 Append-only handler audit trail
A8 DPA + DPIA support documented
Reporter experience · 10 pts max
B9 Web form, mobile-responsive, with file upload
B10 Two-factor reporter access (Case ID + passcode)
B11 Two-way anonymous communication
B12 Structured intake aligned to Article 2(1)
B13 Reporter form in local language
Handler experience · 10 pts max
C14 Case management dashboard with status workflow
C15 Assign cases to handlers (rotation or multi-handler)
C16 Deadline reminder notifications
C17 Internal notes (not visible to reporter)
C18 Role-based access control (≥3 roles)
Security and trust · 8 pts max
D19 ISO 27001 certified
D20 No EOL software components
D21 EU data residency with country disclosed
D22 Sub-processor list + right to object
Commercial · 6 pts max
E23 Published pricing
E24 Free trial available (self-serve)
E25 Monthly contract option
France bonus · 8 pts max · modifier, not in base
FR·WASERMAN Loi Waserman compliance stated
FR·SAPIN2 Sapin 2 compliance stated
FR·RESIDENCY France data residency available
FR·UI French-language UI (reporter + handler)
Total5139353431302928272727

Per-tool reviews

#1
EthicsPortal logo

EthicsPortal

Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

51 / 58
Base 46 · Bonus 5 · Tier P+R+H
Legal
15/16
Reporter
10/10
Handler
10/10
Security
6/8
Commercial
5/6

Strengths

  • Article-level legal framing: /compliance/ enumerates Directive 2019/1937 Articles 4, 6, 8, 9, 16, 18, 19–21 and links to a dedicated page for each of the 27 EU transpositions
  • All 27 EU national whistleblower laws are named on public /whistleblower-laws/<country>/ pages with official source citations
  • Oral reporting (Art 9(2)(b)) is built into the portal as in-browser voice recording and is privacy-engineered: the raw audio is automatically pitch-shifted, only the anonymized clip is ever served, and the original recording is purged after processing (fail-closed — nothing is exposed to handlers until anonymization succeeds)
  • Report categories are tagged to specific Directive Art 2(1) Union-law domains, with the article reference shown as a handler-side badge while reporters pick plain-language categories
  • Structured intake: five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) presented as a skippable guided step, surfaced to handlers and the PDF export with retaliation flagged as an urgency badge — a built-in default set where most tools leave these to per-org custom-field configuration
  • Three role tiers (member / admin / viewer): viewer is a read-only seat for auditors and external counsel that sees every report plus the full audit trail without any write or management path
  • GDPR Art 20 portability: admins can export the full organization dataset (reports, messages, attachments, with encrypted fields decrypted for portability) as a ZIP; export and download are audit-logged and the ZIP auto-purges after 7 days
  • Real deadline tracking: 7-day acknowledgement and 3-month feedback deadlines with overdue/due-soon tracking and a lifecycle stepper in both reporter and handler views
  • Configurable retention (12/24/36/60 months) with automatic purge of expired closed reports
  • Two-factor reporter access: case reference (WB-XXXX-XXXX) plus a reporter-chosen 6-digit passcode, session-gated inbox. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged)
  • Audit log surfaced to handlers on each report; append-only at the database level
  • Modern stack with no end-of-life liabilities
  • Transparent monthly pricing (€60/mo) with 13 live product locales (12 EU official languages — bg, de, el, en, es, fr, hr, it, nl, pl, pt, ro — plus Luxembourgish)
  • Multi-handler case assignment: each report can be assigned to a handler, admins see all reports and members see only assigned, assignment changes are audit-logged, and deactivated members are auto-unassigned from open reports
  • Published DPA grants the Controller an explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6); /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle
  • Zero-AI commitment codified contractually: DPA §6.10 prohibits transmission of personal data to any LLM or AI inference provider; /subprocessors/ lists no AI sub-processor

Weaknesses

  • Audit log is append-only but not hash-chained
  • Only 13 portal-facing languages (12 EU official languages + Luxembourgish) against 24 EU official languages
  • No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
  • Pay-first with 30-day money-back rather than an upfront self-serve free trial
  • Role tiers are org-scoped, not per-case ACLs: the viewer role adds the auditor seat, but a handler's report visibility is still governed by assignment/participant scoping rather than a per-case permission model
  • DPIA template not yet published as a customer-facing artifact on the public site

Standout

Article-level Directive framing paired with a 27-page country-law reference and privacy-engineered oral reporting, all surfaced in the live product alongside working deadline, retention, two-factor passcode, audit-log, voice-anonymization, and subprocessor-notification flows.

Full profile Visit EthicsPortal
#2
Whispli logo

Whispli

Sydney, Australia (Paris office) · Enterprise whistleblowing, disclosure, hotline, and investigation platform operating in 60+ countries.

39 / 58
Base 31 · Bonus 8 · Tier P
Legal
9/16
Reporter
9/10
Handler
7/10
Security
6/8
Commercial
0/6

Strengths

  • France-specific public content names Loi Waserman and compares it with Sapin 2.
  • Product pages support 70+ languages, Safe Inbox, web/mobile/email/QR/Voice AI intake, configurable workflows, SLAs, retention, routing, and audit logs.
  • Security page supports ISO 27001, SOC 2 Type II, customer-managed encryption keys, regional hosting/data residency, API/integrations, 2FA, SSO, and penetration testing.

Weaknesses

  • Pricing amounts, self-serve trial, exact EU official-language coverage, subprocessor objection mechanics, and article-by-article Directive mapping were not disclosed on public pages reviewed.
  • The previous /solutions/whistleblower/ and /whispli-pricing/ URLs were not usable current evidence.

Standout

Whispli publishes France-specific legal framing and security architecture for a sales-led enterprise product.

Full profile Visit Whispli
#3
IntegrityLog logo

IntegrityLog

Sweden · Whistleblowing module inside Euronext Corporate Solutions' ComplyLog compliance suite, with ISO 27001-certified infrastructure positioning.

35 / 58
Base 33 · Bonus 2 · Tier P
Legal
12/16
Reporter
7/10
Handler
7/10
Security
7/8
Commercial
0/6

Strengths

  • Public product detail covers statuses, reminders, permissions, and communication
  • 2025 ComplyLog factsheet adds GDPR role clarity, EEA storage, ISO/IEC 27001, encryption, access logging, retention, and DPA/sub-processor disclosures
  • Product page and factsheet support anonymous case handling, written/audio reports, and EU Whistleblowing Directive positioning

Weaknesses

  • No explicit public Waserman or Sapin II framing found
  • Pricing is not published publicly
  • Reporter return-access mechanism and append-only audit guarantees are not fully documented publicly

Standout

IntegrityLog has moved under the Euronext Corporate Solutions surface; the most detailed current evidence comes from the 2025 ComplyLog privacy factsheet rather than a France-law sales page.

Full profile Visit IntegrityLog
#4
BeSignal logo

BeSignal

France · France-hosted whistleblowing and risk-reporting platform by Valeur & Conformité (Vaco), marketed as the successor to Signalement.Net.

34 / 58
Base 26 · Bonus 8 · Tier P
Legal
9/16
Reporter
7/10
Handler
5/10
Security
5/8
Commercial
0/6

Strengths

  • France-hosted positioning is explicit, including OVH and CleverCloud references in privacy/legal materials
  • Signalement.Net successor branding, Directive / Sapin II / Waserman positioning, and a 7-language public site are public
  • Voice/written intake, anonymous reporting, role profiles, and optional translation/document analysis are public claims

Weaknesses

  • Pricing, API access, and self-serve trial are not published publicly
  • ISO 27001 and HDS badges are displayed, but no public certificate, scope statement, or complete public sub-processor register was found
  • Deadline timer automation and append-only audit guarantees are not disclosed on public pages reviewed

Standout

The current Vaco surface describes a France-hosted alert platform with multilingual, voice/written, and anonymous reporting.

Full profile Visit BeSignal
#5
WeMoral logo

WeMoral

Poland · Whistleblowing platform with public monthly pricing, self-serve trial, and 25-language product coverage, legally seated in Poland.

31 / 58
Base 29 · Bonus 2 · Tier P
Legal
8/16
Reporter
7/10
Handler
4/10
Security
4/8
Commercial
6/6

Strengths

  • Transparent pricing with public monthly billing, self-serve trial, and no cancellation fees
  • French-language marketing path is live, alongside 25-language product coverage claims
  • Custom forms, encrypted two-way communication, and task / action workflows are all surfaced publicly

Weaknesses

  • France-law positioning is limited; no public Waserman or Sapin II framing was found
  • Named sub-processors remain under-documented publicly
  • Reporter return-access mechanism is not documented publicly

Standout

Public pages show monthly pricing, self-serve trial access, and a feature page without requiring sales contact first.

Full profile Visit WeMoral
#6
NAVEX logo

NAVEX

Lake Oswego, Oregon, United States · EthicsPoint hotline and WhistleB whistleblowing products within the NAVEX One GRC suite.

30 / 58
Base 27 · Bonus 3 · Tier P
Legal
9/16
Reporter
5/10
Handler
5/10
Security
5/8
Commercial
3/6

Strengths

  • Current whistleblowing page supports web and phone reporting, case tracking, anonymous reporting, AI-powered whistleblowing, and 13,000+/88M+ vendor scale claims.
  • WhistleB pages support ISO 27001, SOC 2 Type II, EU data storage, customer-controlled encryption, MFA, activity logs, Microsoft Azure hosting, Microsoft Translator localization, and up to 150 languages.
  • EthicsPoint service-hosting provider page is public and lists hosting, translation, interpretation, analytics, and platform service providers.

Weaknesses

  • EthicsPoint pricing, trial, API access, DPA, retention configuration, and Directive article-level mapping were not disclosed on public pages reviewed.
  • The previous Goldman Sachs/Blackstone acquisition completion date and ISO date were not verified on vendor pages reviewed.

Standout

NAVEX publishes WhistleB starting-price and security evidence plus EthicsPoint service-provider disclosure, while EthicsPoint pricing and deeper package evidence remain sales-led.

Full profile Visit NAVEX
#7
Alertcys logo

Alertcys

France · French whistleblowing and psychosocial-risk platform with published annual pricing and optional outsourced mediation.

29 / 58
Base 21 · Bonus 8 · Tier P
Legal
5/16
Reporter
6/10
Handler
3/10
Security
4/8
Commercial
3/6

Strengths

  • Public annual pricing is available for the Essentiel, Standard, and Pro offers
  • France-specific copy: Sapin II and Loi Waserman are both explicit on public pages
  • France-hosted platform and mediator-led exchange are public claims on vendor pages

Weaknesses

  • Public product detail is limited: no documented reporter return-access mechanism, no public handler demo
  • No public security certifications or sub-processor documentation found
  • Annual contract model with referent caps is less flexible than monthly self-serve tools

Standout

Alertcys publishes annual pricing, France-law framing, and optional outsourced handling before sales contact.

Full profile Visit Alertcys
#8
EQS Integrity Line logo

EQS Integrity Line

Munich, Germany · Whistleblowing module of the EQS Compliance COCKPIT with Essential, Professional, and Enterprise packages.

28 / 58
Base 27 · Bonus 1 · Tier P
Legal
6/16
Reporter
6/10
Handler
5/10
Security
6/8
Commercial
4/6

Strengths

  • Packages page supports 80+ languages, anonymous dialogue, case management, deadline monitoring, telephone reporting on higher tiers, 2FA, and European hosting.
  • Security page supports ISO 27001, ISAE 3000 Type I/II, WACA Bronze, end-to-end encryption, no tracking, and Munich East data-centre disclosure.
  • Localized UK page publishes starting prices, so the prior fully quote-only claim was too broad.

Weaknesses

  • Customer-held PGP/RSA key custody, API access, public DPA, and subprocessor list were not disclosed on public pages reviewed.
  • France Waserman/Sapin II and Greece Law 4990/2022 were not found on public pages reviewed.

Standout

Integrity Line publishes package details and security/accessibility evidence; the earlier customer-held-key claim was not supported in current vendor pages reviewed.

Full profile Visit EQS Integrity Line
#9
FaceUp logo

FaceUp

Czech Republic · Whistleblowing, employee-relations, and workplace-compliance platform from the Czech Republic.

27 / 58
Base 26 · Bonus 1 · Tier P
Legal
7/16
Reporter
7/10
Handler
5/10
Security
6/8
Commercial
1/6

Strengths

  • Current public pricing page no longer exposes the previously captured EUR/GBP/USD/CZK employee-band amounts in the page output reviewed.
  • Public feature/pricing pages support 113 languages, anonymous reporting, two-way chat, online form, voice recording, automated/live/AI hotline add-ons, iOS/Android apps, multiple forms, webhooks, API, Zapier, and Make.
  • Security/DPA pages support ISO 27001:2022, SOC 2, E2EE, no IP storage, metadata removal, SSO, 2FA, penetration testing, selectable AWS regions, subprocessor details, and OpenAI use limited to the AI-powered hotline.

Weaknesses

  • Pricing amounts were not found on the current public pricing page output reviewed.
  • Exact EU official-language list, article-by-article Directive mapping, Loi Waserman, Sapin II, and Greece Law 4990/2022 were not disclosed on public pages reviewed.

Standout

FaceUp has public trial, security, DPA, and integration disclosure; the main correction is removing the stale public price matrix.

Full profile Visit FaceUp
#10
Whistleblower Software (Formalize) logo

Whistleblower Software (Formalize)

Copenhagen, Denmark · Whistleblower Software product from Formalize with public Core and Advanced annual pricing.

27 / 58
Base 26 · Bonus 1 · Tier P
Legal
7/16
Reporter
4/10
Handler
5/10
Security
6/8
Commercial
4/6

Strengths

  • Current pricing is public and materially different from the previous €70-€285 matrix.
  • Security page names ISO 27001:2022, ISAE 3000 Type 2, ENS, WCAG 2.1 AA, end-to-end encryption, and AWS Frankfurt hosting.
  • 80+ languages, anonymized reporting, case management, SSO/OAuth, SAML 2.0 and SCIM 2.0 are disclosed publicly.

Weaknesses

  • API access, DPA download, subprocessor list, retention configuration, and Directive article-level mapping were not disclosed on public pages reviewed.
  • Loi Waserman, Sapin II, and Greece Law 4990/2022 were not found on public pages reviewed.

Standout

Public pages show employee-band pricing and security claims; the previous pricing matrix and API claim were not supported by current pages.

Full profile Visit Whistleblower Software (Formalize)
#11
Witik logo

Witik

France · French GRC platform (GDPR + Sapin II + AI Act). Whistleblowing lives inside the Sapin II module; Premium from €100/month.

27 / 58
Base 20 · Bonus 7 · Tier P
Legal
4/16
Reporter
6/10
Handler
2/10
Security
5/8
Commercial
3/6

Strengths

  • French-sovereign infrastructure: ISO 27001 + HDS, hosted in France
  • Two-way anonymous messaging (chat box confidentielle) for reporter–handler threads
  • Published starting price (€100 HT/month) — unusual for FR compliance tools

Weaknesses

  • No Directive 2019/1937 reference anywhere on the site; Loi Waserman mentioned only in one FAQ line, no article citation
  • 36-month contract is still the default commercial model; monthly billing only exists as a surcharge option
  • No public reporter demo; most product proof remains marketing-page level
  • Ad-hoc breach taxonomy; not aligned to Directive 2019/1937 Article 2(1)
  • Two-factor reporter access not documented
  • Privacy policy names several processors, but no public sub-processor objection workflow was found

Standout

Public pages state ISO 27001, HDS, and France/EU hosting, which may matter for healthcare, public-sector, and mutual buyers.

Full profile Visit Witik

Methodology

Scoring rubric

25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. France-specific bonuses add up to 8 on top (modifier, not part of base).

Access tiers

Each tool carries an access tier reflecting what was testable:

  • P — public pages only (marketing, pricing, security, reporter URL).
  • P + R — above plus a test report submission.
  • P + R + H — above plus handler / admin dashboard (via free trial or demo).

Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.

Integrity guarantees

  1. The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
  2. Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
  3. Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
  4. Each tool carries a Last reviewed date and is re-tested at least annually.
  5. Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.

Law applied

Loi n° 2022-401 du 21 mars 2022 (Loi Waserman) + Loi Sapin II for 500+ organisations (the France transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.

Coverage note

This ranking covers 11 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.

All tools Other country rankings