Skip to main content
EU Whistleblower Directory

Edition I, 2026 · Tested April 2026

Whistleblowing software ranking — Greece

Independent scored ranking of whistleblower-reporting tools for Greece under Law 4990/2022, the local transposition of EU Directive 2019/1937. 25-criterion rubric fixed before scoring; every score carries evidence.

Tools scored
10
Base max
50
Greece bonus max
6
Rubric version
v2

TOP 10 — summary

#ToolTierBase
/ 50		Greece bonus
/ 6		TotalLast reviewed
1EthicsPortal logo EthicsPortalP+R+H464502026-06-14
2Whispli logo WhispliP310312026-05-24
3Digitech (TalkNow) logo Digitech (TalkNow)P235282026-06-10
4EQS Integrity Line logo EQS Integrity LineP270272026-05-24
5NAVEX logo NAVEXP270272026-05-24
6FaceUp logo FaceUpP260262026-05-24
7Whistleblower Software (Formalize) logo Whistleblower Software (Formalize)P260262026-05-24
8myETHOS logo myETHOSP194232026-05-24
9Fraud Line logo Fraud LineP164202026-05-24
10Hellecon logo HelleconP164202026-06-10

Criterion-by-criterion matrix

fully meets partially meets does not meet / not verifiable

CriterionEthicsPortal logo EthicsPortalWhispli logo WhispliDigitech (TalkNow) logo Digitech (TalkNow)EQS Integrity Line logo EQS Integrity LineNAVEX logo NAVEXFaceUp logo FaceUpWhistleblower Software (Formalize) logo Whistleblower Software (Formalize)myETHOS logo myETHOSFraud Line logo Fraud LineHellecon logo Hellecon
Legal compliance · 16 pts max
A1 Local transposition law referenced with article numbers
A2 Directive 2019/1937 Article 2(1) categories in intake
A3 Anonymous reporting default-on or equal-status
A4 7-day acknowledgment + 3-month feedback deadline tracking
A5 Configurable retention with automatic deletion
A6 Report register / log
A7 Append-only handler audit trail
A8 DPA + DPIA support documented
Reporter experience · 10 pts max
B9 Web form, mobile-responsive, with file upload
B10 Two-factor reporter access (Case ID + passcode)
B11 Two-way anonymous communication
B12 Structured intake aligned to Article 2(1)
B13 Reporter form in local language
Handler experience · 10 pts max
C14 Case management dashboard with status workflow
C15 Assign cases to handlers (rotation or multi-handler)
C16 Deadline reminder notifications
C17 Internal notes (not visible to reporter)
C18 Role-based access control (≥3 roles)
Security and trust · 8 pts max
D19 ISO 27001 certified
D20 No EOL software components
D21 EU data residency with country disclosed
D22 Sub-processor list + right to object
Commercial · 6 pts max
E23 Published pricing
E24 Free trial available (self-serve)
E25 Monthly contract option
Greece bonus · 6 pts max · modifier, not in base
GR·LAW Law 4990/2022 referenced
GR·RESIDENCY Greece-acceptable residency
GR·UI Greek-language UI
Total50312827272626232020

Per-tool reviews

#1
EthicsPortal logo

EthicsPortal

Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

50 / 56
Base 46 · Bonus 4 · Tier P+R+H
Legal
15/16
Reporter
10/10
Handler
10/10
Security
6/8
Commercial
5/6

Strengths

  • Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21 and links to a dedicated page for each of the 27 EU transpositions
  • All 27 EU national whistleblower laws are named on public /whistleblower-laws/<country>/ pages with official source citations, closing the BG/GR/RO legal-posture gap from the 2026-04-23 review
  • Oral reporting (Art 9(2)(b)) is built into the portal as in-browser voice recording, and is privacy-engineered rather than bolted on: the raw audio is automatically pitch-shifted, only the anonymized MP3 is ever served, and the original recording is purged after processing (fail-closed — no ffmpeg, no playback, raw never persists)
  • Report categories are tagged to specific Directive Art 2(1) Union-law domains (CATEGORY_TAXONOMY), with the article reference surfaced as a handler-side badge; reporters still pick plain-language categories
  • Structured intake: five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) presented as a skippable guided step, surfaced to handlers + PDF with retaliation flagged as an urgency badge — a built-in default set where competitors leave these to per-org custom-field configuration
  • Three role tiers (member / admin / viewer): viewer is a read-only seat for auditors and external counsel that sees every report plus the full audit trail without any write or management path, enforced at the Pundit layer
  • GDPR Art 20 portability: admins can export the full organization dataset (reports, messages, attachments, decrypted PII) as a ZIP; export and download are audit-logged and the ZIP auto-purges after 7 days
  • Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes; lifecycle stepper UI surfaces SLA timing in both reporter and handler views
  • Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
  • Two-factor reporter access: Case reference (WB-XXXX-XXXX) + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged)
  • Audit log surfaced to handlers as the third Turbo Frame tab on reports#show; append-only at DB level via PostgreSQL trigger blocking mutation of semantic fields
  • Modern stack with no EOL liabilities: Rails 8.1 + Turbo + Tailwind 4 + daisyUI 5; no CKEditor or jQuery
  • Transparent monthly pricing (€60/mo) with 9 live product locales (8 EU official languages — bg, de, el, en, fr, hr, pl, ro — plus Luxembourgish)
  • Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged, deactivated members auto-unassigned from open reports
  • Published DPA grants Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6); /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle
  • Zero-AI commitment codified contractually: DPA §6.10 prohibits transmission of personal data to any LLM or AI inference provider; /subprocessors/ lists no AI sub-processor

Weaknesses

  • Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
  • Only 9 portal-facing languages (8 EU official languages + Luxembourgish) against 24 EU official languages
  • No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
  • Pay-first with 30-day money-back rather than upfront self-serve free trial
  • Role tiers are org-scoped, not per-case ACLs: the viewer role added the auditor seat the rubric wanted, but a handler's report visibility is still governed by assignment/participant scoping rather than a per-case permission model
  • DPIA template not yet published as a customer-facing artifact on the public site

Standout

Article-level Directive framing paired with a 27-page country-law reference and privacy-engineered oral reporting, all backed by code that actually runs the deadline, retention, two-factor passcode, audit-log, voice-anonymization, and subprocessor-notification flows.

Full profile Visit EthicsPortal
#2
Whispli logo

Whispli

Sydney, Australia (Paris office) · Enterprise whistleblowing, disclosure, hotline, and investigation platform operating in 60+ countries.

31 / 56
Base 31 · Bonus 0 · Tier P
Legal
9/16
Reporter
9/10
Handler
7/10
Security
6/8
Commercial
0/6

Strengths

  • France-specific public content names Loi Waserman and compares it with Sapin 2.
  • Product pages support 70+ languages, Safe Inbox, web/mobile/email/QR/Voice AI intake, configurable workflows, SLAs, retention, routing, and audit logs.
  • Security page supports ISO 27001, SOC 2 Type II, customer-managed encryption keys, regional hosting/data residency, API/integrations, 2FA, SSO, and penetration testing.

Weaknesses

  • Pricing amounts, self-serve trial, exact EU official-language coverage, subprocessor objection mechanics, and article-by-article Directive mapping were not disclosed on public pages reviewed.
  • The previous /solutions/whistleblower/ and /whispli-pricing/ URLs were not usable current evidence.

Standout

Whispli publishes France-specific legal framing and security architecture for a sales-led enterprise product.

Full profile Visit Whispli
#4
EQS Integrity Line logo

EQS Integrity Line

Munich, Germany · Whistleblowing module of the EQS Compliance COCKPIT with Essential, Professional, and Enterprise packages.

27 / 56
Base 27 · Bonus 0 · Tier P
Legal
6/16
Reporter
6/10
Handler
5/10
Security
6/8
Commercial
4/6

Strengths

  • Packages page supports 80+ languages, anonymous dialogue, case management, deadline monitoring, telephone reporting on higher tiers, 2FA, and European hosting.
  • Security page supports ISO 27001, ISAE 3000 Type I/II, WACA Bronze, end-to-end encryption, no tracking, and Munich East data-centre disclosure.
  • Localized UK page publishes starting prices, so the prior fully quote-only claim was too broad.

Weaknesses

  • Customer-held PGP/RSA key custody, API access, public DPA, and subprocessor list were not disclosed on public pages reviewed.
  • France Waserman/Sapin II and Greece Law 4990/2022 were not found on public pages reviewed.

Standout

Integrity Line publishes package details and security/accessibility evidence; the earlier customer-held-key claim was not supported in current vendor pages reviewed.

Full profile Visit EQS Integrity Line
#5
NAVEX logo

NAVEX

Lake Oswego, Oregon, United States · EthicsPoint hotline and WhistleB whistleblowing products within the NAVEX One GRC suite.

27 / 56
Base 27 · Bonus 0 · Tier P
Legal
9/16
Reporter
5/10
Handler
5/10
Security
5/8
Commercial
3/6

Strengths

  • Current whistleblowing page supports web and phone reporting, case tracking, anonymous reporting, AI-powered whistleblowing, and 13,000+/88M+ vendor scale claims.
  • WhistleB pages support ISO 27001, SOC 2 Type II, EU data storage, customer-controlled encryption, MFA, activity logs, Microsoft Azure hosting, Microsoft Translator localization, and up to 150 languages.
  • EthicsPoint service-hosting provider page is public and lists hosting, translation, interpretation, analytics, and platform service providers.

Weaknesses

  • EthicsPoint pricing, trial, API access, DPA, retention configuration, and Directive article-level mapping were not disclosed on public pages reviewed.
  • The previous Goldman Sachs/Blackstone acquisition completion date and ISO date were not verified on vendor pages reviewed.

Standout

NAVEX publishes WhistleB starting-price and security evidence plus EthicsPoint service-provider disclosure, while EthicsPoint pricing and deeper package evidence remain sales-led.

Full profile Visit NAVEX
#6
FaceUp logo

FaceUp

Czech Republic · Whistleblowing, employee-relations, and workplace-compliance platform from the Czech Republic.

26 / 56
Base 26 · Bonus 0 · Tier P
Legal
7/16
Reporter
7/10
Handler
5/10
Security
6/8
Commercial
1/6

Strengths

  • Current public pricing page no longer exposes the previously captured EUR/GBP/USD/CZK employee-band amounts in the page output reviewed.
  • Public feature/pricing pages support 113 languages, anonymous reporting, two-way chat, online form, voice recording, automated/live/AI hotline add-ons, iOS/Android apps, multiple forms, webhooks, API, Zapier, and Make.
  • Security/DPA pages support ISO 27001:2022, SOC 2, E2EE, no IP storage, metadata removal, SSO, 2FA, penetration testing, selectable AWS regions, subprocessor details, and OpenAI use limited to the AI-powered hotline.

Weaknesses

  • Pricing amounts were not found on the current public pricing page output reviewed.
  • Exact EU official-language list, article-by-article Directive mapping, Loi Waserman, Sapin II, and Greece Law 4990/2022 were not disclosed on public pages reviewed.

Standout

FaceUp has public trial, security, DPA, and integration disclosure; the main correction is removing the stale public price matrix.

Full profile Visit FaceUp
#7
Whistleblower Software (Formalize) logo

Whistleblower Software (Formalize)

Copenhagen, Denmark · Whistleblower Software product from Formalize with public Core and Advanced annual pricing.

26 / 56
Base 26 · Bonus 0 · Tier P
Legal
7/16
Reporter
4/10
Handler
5/10
Security
6/8
Commercial
4/6

Strengths

  • Current pricing is public and materially different from the previous €70-€285 matrix.
  • Security page names ISO 27001:2022, ISAE 3000 Type 2, ENS, WCAG 2.1 AA, end-to-end encryption, and AWS Frankfurt hosting.
  • 80+ languages, anonymized reporting, case management, SSO/OAuth, SAML 2.0 and SCIM 2.0 are disclosed publicly.

Weaknesses

  • API access, DPA download, subprocessor list, retention configuration, and Directive article-level mapping were not disclosed on public pages reviewed.
  • Loi Waserman, Sapin II, and Greece Law 4990/2022 were not found on public pages reviewed.

Standout

Public pages show employee-band pricing and security claims; the previous pricing matrix and API claim were not supported by current pages.

Full profile Visit Whistleblower Software (Formalize)
#8
myETHOS logo

myETHOS

Chania, Crete, Greece · Greek corporate-compliance platform bundling whistleblowing with labour-dispute resolution, incident management, and background checks.

23 / 56
Base 19 · Bonus 4 · Tier P
Legal
5/16
Reporter
5/10
Handler
3/10
Security
1/8
Commercial
5/6

Strengths

  • Law 4990/2022 and EU Directive 2019/1937 are named on the public whistleblowing page
  • SME price is public at €120/month plus VAT, with a free-trial/demo route
  • Greek and English surfaces are live

Weaknesses

  • Hosting country/provider, certifications, DPA, subprocessor list, API access, and two-factor authentication are not disclosed on public pages reviewed
  • Advanced tier pricing and trial limits are not disclosed publicly
  • Public pages describe case management at a high level but do not document retention rules, audit-log semantics, role granularity, or deadline automation
  • The in-app report-link editor runs an end-of-life CKEditor 4.12.1 build that displays its own 'not secure' upgrade banner

Standout

A Greece-native compliance suite with public SME pricing and limited public trust / technical disclosure.

Full profile Visit myETHOS
#9
Fraud Line logo

Fraud Line

Greece (Athens) · Greek whistleblowing-services provider with ISO 27001, ISO 27701, and ISO 37002 certifications, deployed across multiple countries.

20 / 56
Base 16 · Bonus 4 · Tier P
Legal
5/16
Reporter
0/10
Handler
2/10
Security
5/8
Commercial
0/6

Strengths

  • Dedicated /bg/ commercial surface is live
  • Anonymous reporting plus an open communication channel are documented publicly
  • ISO 27001, ISO 27701, and ISO 37002 are claimed publicly
  • Microsoft Azure hosting in Western Europe is disclosed publicly

Weaknesses

  • Commercial surface is opaque: no pricing, no self-serve trial, and no monthly contract signal
  • Bulgaria-specific legal framing is limited; the page references whistleblower laws generically rather than the Bulgarian act itself
  • Handler workflow disclosure is limited at public-page tier: no explicit status workflow, reminders, or role model are documented

Standout

Fraud Line is presented as a managed software-plus-services operator, so public product evidence is more limited than for self-serve SaaS entries.

Full profile Visit Fraud Line
#10
Hellecon logo

Hellecon

Greece · Greek whistleblowing reporting platform for Law 4990/2022, from an Athens EHS/compliance firm.

20 / 56
Base 16 · Bonus 4 · Tier P
Legal
5/16
Reporter
7/10
Handler
3/10
Security
1/8
Commercial
0/6
Full profile Visit Hellecon

Methodology

Scoring rubric

25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. Greece-specific bonuses add up to 6 on top (modifier, not part of base).

Access tiers

Each tool carries an access tier reflecting what was testable:

  • P — public pages only (marketing, pricing, security, reporter URL).
  • P + R — above plus a test report submission.
  • P + R + H — above plus handler / admin dashboard (via free trial or demo).

Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.

Integrity guarantees

  1. The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
  2. Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
  3. Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
  4. Each tool carries a Last reviewed date and is re-tested at least annually.
  5. Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.

Law applied

Law 4990/2022 (Greek transposition of EU Directive 2019/1937) (the Greece transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.

Coverage note

This ranking covers 10 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.

All tools Other country rankings