Edition I, 2026 · Tested April 2026

Whistleblowing software ranking — Romania

Independent scored ranking of whistleblower-reporting tools for Romania under Law 361/2022, the local transposition of EU Directive 2019/1937. 25-criterion rubric fixed before scoring; every score carries evidence.

Tools scored: 7
Base max: 50
Romania bonus max: 6
Rubric version: v2

Romania is not just a local-vendor market. Local-law posture still matters, but several imported tools now maintain Romanian-language commercial surfaces, public pricing, partner motions, or local case studies. The result is a market with thin domestic software depth, but more real cross-border competition than a first pass suggests.

This edition therefore uses two layers:

the 50-point base rubric, which stays country-agnostic and scores the product itself: legal workflow depth, reporter experience, handler workflow, security posture, and commercial clarity;
the 6-point Romania modifier, which rewards explicit Law 361/2022 framing, a named Romania-acceptable hosting posture, and a real Romanian-language reporter / handler surface.

That combination penalises the three most common Romania-market failure modes: local vendors with strong legal copy but weak product disclosure; foreign tools with Romanian-language marketing but no Romania-law posture; and service-led compliance offers whose underlying product is not independently reviewable.

This ranking is software-only and includes both Romania-native vendors and foreign tools with concrete Romania-market go-to-market signal. Advisory or investigations-led service firms are excluded unless the underlying whistleblowing product is identifiable and independently reviewable.

TOP 7 — summary

#	Tool	Tier	Base / 50	Romania bonus / 6	Total	Last reviewed
1	EthicsPortal	P+R+H	46	6	52	2026-06-14
2	Whistlelink	H	39	6	45	2026-05-24
3	WeMoral	P	29	3	32	2026-05-24
4	Whistleblow.ro / avertizori.eu	P	23	5	28	2026-05-24
5	Phoenix	H	23	1	24	2026-05-24
6	WIBSO	P	21	3	24	2026-05-24
7	Whistle UP	P	19	4	23	2026-05-24

Criterion-by-criterion matrix

● fully meets ◐ partially meets ○ does not meet / not verifiable

Criterion	EthicsPortal	Whistlelink	WeMoral	Whistleblow.ro / avertizori.eu	Phoenix	WIBSO	Whistle UP
Legal compliance · 16 pts max
A1 Local transposition law referenced with article numbers	●	◐	◐	◐	○	●	◐
A2 Directive 2019/1937 Article 2(1) categories in intake	●	◐	○	○	○	◐	○
A3 Anonymous reporting default-on or equal-status	●	●	●	●	●	●	●
A4 7-day acknowledgment + 3-month feedback deadline tracking	●	●	○	○	○	●	◐
A5 Configurable retention with automatic deletion	●	●	●	○	○	◐	○
A6 Report register / log	●	◐	◐	◐	◐	●	○
A7 Append-only handler audit trail	●	◐	◐	◐	◐	○	◐
A8 DPA + DPIA support documented	◐	◐	◐	◐	○	○	○
Reporter experience · 10 pts max
B9 Web form, mobile-responsive, with file upload	●	●	●	◐	◐	◐	◐
B10 Two-factor reporter access (Case ID + passcode)	●	○	◐	○	◐	○	○
B11 Two-way anonymous communication	●	●	●	◐	●	●	◐
B12 Structured intake aligned to Article 2(1)	●	◐	◐	○	◐	○	◐
B13 Reporter form in local language	●	●	●	●	●	◐	●
Handler experience · 10 pts max
C14 Case management dashboard with status workflow	●	●	◐	◐	●	◐	◐
C15 Assign cases to handlers (rotation or multi-handler)	●	●	◐	◐	◐	○	◐
C16 Deadline reminder notifications	●	◐	○	○	○	●	○
C17 Internal notes (not visible to reporter)	●	●	◐	○	◐	○	○
C18 Role-based access control (≥3 roles)	●	●	◐	◐	●	○	◐
Security and trust · 8 pts max
D19 ISO 27001 certified	○	●	○	●	○	●	○
D20 No EOL software components	●	●	●	●	○	●	●
D21 EU data residency with country disclosed	●	●	●	●	○	○	○
D22 Sub-processor list + right to object	●	●	○	◐	○	○	○
Commercial · 6 pts max
E23 Published pricing	●	●	●	●	●	○	●
E24 Free trial available (self-serve)	◐	●	●	◐	●	○	○
E25 Monthly contract option	●	○	●	○	●	○	●
Romania bonus · 6 pts max · modifier, not in base
RO·LAW Law 361/2022 referenced	●	●	◐	◐	○	●	●
RO·RESIDENCY Romania or named EU residency	●	●	○	●	○	○	○
RO·UI Romanian-language UI	●	●	●	●	◐	◐	●
Total	52	45	32	28	24	24	23

Per-tool reviews

EthicsPortal

Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

52 / 56

Base 46 · Bonus 6 · Tier P+R+H

Legal

15/16

Reporter

10/10

Handler

10/10

Security

6/8

Commercial

5/6

Strengths

Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21 and links to a dedicated page for each of the 27 EU transpositions
All 27 EU national whistleblower laws are named on public /whistleblower-laws/<country>/ pages with official source citations, closing the BG/GR/RO legal-posture gap from the 2026-04-23 review
Oral reporting (Art 9(2)(b)) is built into the portal as in-browser voice recording, and is privacy-engineered rather than bolted on: the raw audio is automatically pitch-shifted, only the anonymized MP3 is ever served, and the original recording is purged after processing (fail-closed — no ffmpeg, no playback, raw never persists)
Report categories are tagged to specific Directive Art 2(1) Union-law domains (CATEGORY_TAXONOMY), with the article reference surfaced as a handler-side badge; reporters still pick plain-language categories
Structured intake: five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) presented as a skippable guided step, surfaced to handlers + PDF with retaliation flagged as an urgency badge — a built-in default set where competitors leave these to per-org custom-field configuration
Three role tiers (member / admin / viewer): viewer is a read-only seat for auditors and external counsel that sees every report plus the full audit trail without any write or management path, enforced at the Pundit layer
GDPR Art 20 portability: admins can export the full organization dataset (reports, messages, attachments, decrypted PII) as a ZIP; export and download are audit-logged and the ZIP auto-purges after 7 days
Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes; lifecycle stepper UI surfaces SLA timing in both reporter and handler views
Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
Two-factor reporter access: Case reference (WB-XXXX-XXXX) + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged)
Audit log surfaced to handlers as the third Turbo Frame tab on reports#show; append-only at DB level via PostgreSQL trigger blocking mutation of semantic fields
Modern stack with no EOL liabilities: Rails 8.1 + Turbo + Tailwind 4 + daisyUI 5; no CKEditor or jQuery
Transparent monthly pricing (€60/mo) with 9 live product locales (8 EU official languages — bg, de, el, en, fr, hr, pl, ro — plus Luxembourgish)
Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged, deactivated members auto-unassigned from open reports
Published DPA grants Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6); /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle
Zero-AI commitment codified contractually: DPA §6.10 prohibits transmission of personal data to any LLM or AI inference provider; /subprocessors/ lists no AI sub-processor

Weaknesses

Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
Only 9 portal-facing languages (8 EU official languages + Luxembourgish) against 24 EU official languages
No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
Pay-first with 30-day money-back rather than upfront self-serve free trial
Role tiers are org-scoped, not per-case ACLs: the viewer role added the auditor seat the rubric wanted, but a handler's report visibility is still governed by assignment/participant scoping rather than a per-case permission model
DPIA template not yet published as a customer-facing artifact on the public site

Standout

Article-level Directive framing paired with a 27-page country-law reference and privacy-engineered oral reporting, all backed by code that actually runs the deadline, retention, two-factor passcode, audit-log, voice-anonymization, and subprocessor-notification flows.

Full profile Visit EthicsPortal

Whistlelink

Sweden · Swedish whistleblowing platform with Romanian-language pages, public Romanian pricing, and Romania-law positioning.

45 / 56

Base 39 · Bonus 6 · Tier H

Legal

11/16

Reporter

7/10

Handler

9/10

Security

8/8

Commercial

4/6

Strengths

Hands-on trial confirmed the full compliance toolkit: configurable retention, configurable case deadline, dashboard tiles for near-deadline and to-be-deleted cases, an action log, rule-based auto-assignment, and a five-role RBAC grid with org-wide 2FA enforcement
Sub-processor transparency goes past marketing: the in-app consent text explicitly names DeepL (Germany) for auto-translation and Mistral (France) for AI case summaries, and both AI features are opt-in rather than default-on
Romania public materials remain substantial: Romanian-language product/pricing pages, Law 361/2022 positioning, Romania case-study content, and local territory-manager contact details

Weaknesses

Annual subscription only; no monthly cancellation option
Action log captures user, timestamp, and before-after values but is not claimed as append-only or hash-chained
Legal surface still stops short of article-by-article Law 361/2022 mapping inside the app

Standout

The H-tier pass recorded configurable retention, configurable case deadline, rule-based auto-assignment, and opt-in sub-processor disclosure for AI/translation features.

Full profile Visit Whistlelink

WeMoral

Poland · Whistleblowing platform with public monthly pricing, self-serve trial, and 25-language product coverage, legally seated in Poland.

32 / 56

Base 29 · Bonus 3 · Tier P

Legal

8/16

Reporter

7/10

Handler

4/10

Security

4/8

Commercial

6/6

Strengths

Transparent pricing with public monthly billing, self-serve trial, and no cancellation fees
French-language marketing path is live, alongside 25-language product coverage claims
Custom forms, encrypted two-way communication, and task / action workflows are all surfaced publicly

Weaknesses

France-law positioning is limited; no public Waserman or Sapin II framing was found
Named sub-processors remain under-documented publicly
Reporter return-access mechanism is not documented publicly

Standout

Public pages show monthly pricing, self-serve trial access, and a feature page without requiring sales contact first.

Full profile Visit WeMoral

Whistleblow.ro / avertizori.eu

Bucharest, Romania · Romanian whistleblowing software marketed via Whistleblow.ro and sold through avertizori.eu, with a live public demo at app.whistleblow.ro.

28 / 56

Base 23 · Bonus 5 · Tier P

Legal

6/16

Reporter

4/10

Handler

3/10

Security

7/8

Commercial

3/6

Strengths

Most complete Romania-native commercial package reviewed: public pricing, public signup, and a 14-day self-serve trial
Public pages disclose named EU hosting, 2FA, audit logs, encryption, DPA/subprocessor disclosure, and certification claims
Whistleblow.ro shows pricing, avertizori.eu handles the self-serve product flow, and app.whistleblow.ro exposes a live demo endpoint

Weaknesses

The 14-day free trial is advertised publicly, but provisioning was not re-tested in this pass
Two separate brand / pricing surfaces create avoidable confusion for buyers
Reporter follow-up access still appears to rely on a single system-issued 16-digit identifier rather than a two-factor model
Workflow depth is limited publicly: deadlines, status transitions, structured intake, and note-taking are not clearly documented

Standout

The split public surface includes pricing on Whistleblow.ro, self-serve commerce on avertizori.eu, and a live demo endpoint on app.whistleblow.ro.

Full profile Visit Whistleblow.ro / avertizori.eu

Phoenix

Switzerland · Swiss whistleblowing SaaS with Bulgarian and Romanian language pages, public pricing, and a free starter tier.

24 / 56

Base 23 · Bonus 1 · Tier H

Legal

4/16

Reporter

7/10

Handler

6/10

Security

0/8

Commercial

6/6

Strengths

Public pricing now shows a free Starter tier, Basic at $65/month or $650/year, Premium at $110/month or $995/year, and Enterprise custom pricing
Prior self-serve review provisioned a dedicated per-tenant subdomain and a working handler admin in minutes; public pages still describe the same setup shape
Public materials describe multi-channel intake, secure inbox communication, case management, pipelines, triage, roles, and dashboard reporting
Starter is published as a free plan with no credit card and no hidden fees; no time-limited free trial was found on public pages reviewed

Weaknesses

Starter setup page lists Switzerland, Singapore, and Indonesia as server-location options; no EU residency option was found on public pages reviewed
No public Bulgaria-law or Romania-law positioning was found on public pages reviewed
No ISO 27001 certification, public DPA, public sub-processor list, API documentation, or AI documentation was found on public pages reviewed
The Starter tier public feature list includes one Manager account only; Operator and Agent accounts are listed on the Premium tier

Standout

Public pages show self-serve pricing, a free Starter tier, BG/RO language surfaces, and published product features; DPA/sub-processor documentation and EU-only hosting were not found.

Full profile Visit Phoenix

WIBSO

Bucharest, Romania · Romanian whistleblowing platform built by fraud and integrity specialists for private-sector compliance with Law 361/2022.

24 / 56

Base 21 · Bonus 3 · Tier P

Legal

10/16

Reporter

4/10

Handler

3/10

Security

4/8

Commercial

0/6

Strengths

Public Romania-law framing cites Law 361/2022, Article 9, and Annex 2 / Annex 3 references
Public feature claims name an electronic register, automatic acknowledgement, reminders, statistics, and 5-year retention
ISO 27001 is claimed prominently and the site runs a current public web stack without obvious EOL liabilities

Weaknesses

No public pricing, no public trial, and no live reporter or handler environment found
Hosting country is not disclosed publicly despite detailed Romania-law positioning
Structured intake, reporter access method, assignment logic, and RBAC depth are not verifiable at public tier

Standout

WIBSO publishes Romania-law and workflow claims, while key procurement checks still require vendor confirmation.

Full profile Visit WIBSO

Whistle UP

Bucharest, Romania · Romanian whistleblowing platform with public monthly pricing and Law 361/2022 / Directive 2019/1937 positioning.

23 / 56

Base 19 · Bonus 4 · Tier P

Legal

5/16

Reporter

5/10

Handler

3/10

Security

2/8

Commercial

4/6

Strengths

Public monthly pricing remains clear for a Romania-native product: €49/month for one legal entity and €99/month for groups up to five entities
Public pages directly cite Law 361/2022 and Directive 2019/1937 and describe anonymous reporting, QR/link intake, mobile/desktop access, and designated-person-only access
The public app shell exposes reporter-side status checking and a handler login surface

Weaknesses

Security and operations disclosures remain limited: no ISO claim, hosting country, DPA, sub-processor list, retention controls, or public audit-log guarantees were found
Free trial was not disclosed on public pages reviewed, so the prior trial-based claims were not retained
Reporter intake depth, handler register fields, retention automation, deadline reminders, internal notes, and RBAC granularity were not verifiable from public pages alone

Standout

Whistle UP is transparent on Romanian legal positioning and monthly price, but the 2026-05-24 review was public-page-only, so product-depth claims from prior authenticated testing were removed or downgraded.

Full profile Visit Whistle UP

Methodology

Scoring rubric

25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. Romania-specific bonuses add up to 6 on top (modifier, not part of base).

Access tiers

Each tool carries an access tier reflecting what was testable:

P — public pages only (marketing, pricing, security, reporter URL).
P + R — above plus a test report submission.
P + R + H — above plus handler / admin dashboard (via free trial or demo).

Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.

Integrity guarantees

The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
Each tool carries a Last reviewed date and is re-tested at least annually.
Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.

Law applied

Law 361/2022 (the Romania transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.

Coverage note

This ranking covers 7 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.

All tools Other country rankings