Independent scored ranking of whistleblower-reporting tools for Spain under Ley 2/2023, the local transposition of EU Directive 2019/1937. 25-criterion rubric fixed before scoring; every score carries evidence.
Tools scored
5
Base max
50
Spain bonus max
6
Rubric version
v2
Spain has the harshest non-compliance regime in the EU: failing to maintain a Sistema interno de información is a muy grave infraction under Ley 2/2023, carrying fines up to €1,000,000 for legal entities, and the national authority (AIPI) only began operating in September 2025 — so this is a market where the obligation is both severe on paper and starting to be enforced in practice.
That raises the bar for software. This edition uses two layers:
the 50-point base rubric, which stays country-agnostic and scores the product itself: legal workflow depth, reporter experience, handler workflow, security posture, and commercial clarity;
the 6-point Spain modifier, which rewards explicit Ley 2/2023 framing, a named Spain-acceptable hosting posture, and a real Spanish-language reporter / handler surface.
That combination penalises the three most common Spain-market failure modes: local vendors with strong legal copy but weak product disclosure; foreign tools with Spanish-language marketing but no Spain-law posture; and service-led compliance offers whose underlying product is not independently reviewable.
This ranking is software-only and includes both Spain-native vendors and foreign tools with concrete Spain-market go-to-market signal. Advisory or investigations-led service firms are excluded unless the underlying whistleblowing product is identifiable and independently reviewable. The Catalan authority (Oficina Antifrau de Catalunya) holds parallel competence for Catalonia-scoped matters; that is a jurisdictional nuance, not a product criterion.
Poland · Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.
49 / 56
Base 46 · Bonus 3 · Tier P+R+H
Legal
15/16
Reporter
0/10
Handler
10/10
Security
6/8
Commercial
5/6
Strengths
Best article-level legal framing of any tool reviewed: /compliance/ enumerates Art 4, 6, 8, 9, 16, 18, 19–21 and links to a dedicated page for each of the 27 EU transpositions
All 27 EU national whistleblower laws are named on public /whistleblower-laws/<country>/ pages with official source citations, closing the BG/GR/RO legal-posture gap from the 2026-04-23 review
Oral reporting (Art 9(2)(b)) is built into the portal as in-browser voice recording, and is privacy-engineered rather than bolted on: the raw audio is automatically pitch-shifted, only the anonymized MP3 is ever served, and the original recording is purged after processing (fail-closed — no ffmpeg, no playback, raw never persists)
Report categories are tagged to specific Directive Art 2(1) Union-law domains (CATEGORY_TAXONOMY), with the article reference surfaced as a handler-side badge; reporters still pick plain-language categories
Structured intake: five optional, Directive-aligned questions (relationship to org per Art 4, source of knowledge, incident timing, prior reporting, retaliation concern per Art 19) presented as a skippable guided step, surfaced to handlers + PDF with retaliation flagged as an urgency badge — a built-in default set where competitors leave these to per-org custom-field configuration
Three role tiers (member / admin / viewer): viewer is a read-only seat for auditors and external counsel that sees every report plus the full audit trail without any write or management path, enforced at the Pundit layer
GDPR Art 20 portability: admins can export the full organization dataset (reports, messages, attachments, decrypted PII) as a ZIP; export and download are audit-logged and the ZIP auto-purges after 7 days
Deadline tracking is real, not marketing: code has eu_acknowledgment_deadline + feedback_due_at + overdue/due_soon scopes; lifecycle stepper UI surfaces SLA timing in both reporter and handler views
Retention is configurable AND auto-purged: RETENTION_MONTHS_OPTIONS [12,24,36,60] + RetentionCleanupJob
Two-factor reporter access: Case reference (WB-XXXX-XXXX) + reporter-chosen 6-digit passcode (bcrypt digest), session-gated inbox. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged)
Audit log surfaced to handlers as the third Turbo Frame tab on reports#show; append-only at DB level via PostgreSQL trigger blocking mutation of semantic fields
Modern stack with no EOL liabilities: Rails 8.1 + Turbo + Tailwind 4 + daisyUI 5; no CKEditor or jQuery
Transparent monthly pricing (€60/mo) with 9 live product locales (8 EU official languages — bg, de, el, en, fr, hr, pl, ro — plus Luxembourgish)
Multi-handler case assignment: per-report assigned_to FK on Membership, Pundit scope enforces admin-sees-all / member-sees-only-assigned, assignment changes are audit-logged, deactivated members auto-unassigned from open reports
Published DPA grants Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6); /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle
Zero-AI commitment codified contractually: DPA §6.10 prohibits transmission of personal data to any LLM or AI inference provider; /subprocessors/ lists no AI sub-processor
Weaknesses
Audit log is append-only (DB trigger blocks UPDATE on semantic fields + TRUNCATE) but not hash-chained
Only 9 portal-facing languages (8 EU official languages + Luxembourgish) against 24 EU official languages
No ISO 27001 certification of EthicsPortal itself (only Hetzner infrastructure is certified)
Pay-first with 30-day money-back rather than upfront self-serve free trial
Role tiers are org-scoped, not per-case ACLs: the viewer role added the auditor seat the rubric wanted, but a handler's report visibility is still governed by assignment/participant scoping rather than a per-case permission model
DPIA template not yet published as a customer-facing artifact on the public site
Standout
Article-level Directive framing paired with a 27-page country-law reference and privacy-engineered oral reporting, all backed by code that actually runs the deadline, retention, two-factor passcode, audit-log, voice-anonymization, and subprocessor-notification flows.
25 criteria across 5 categories, weighted by criterion count. Each criterion scores 0, 1, or 2 — rendered as ○ / ◐ / ●. Maximum base score is 50. Spain-specific bonuses add up to 6 on top (modifier, not part of base).
Access tiers
Each tool carries an access tier reflecting what was testable:
P — public pages only (marketing, pricing, security, reporter URL).
P + R — above plus a test report submission.
P + R + H — above plus handler / admin dashboard (via free trial or demo).
Criteria that cannot be verified at the current tier score 0 with the evidence line "Requires handler tier" or "Not documented publicly". Scores depressed by tier, not by product quality, are explicitly flagged on each tool's profile.
Integrity guarantees
The rubric was fixed before scoring. No criterion was added mid-test to favour or punish a specific tool.
Every score carries evidence — a URL, a quote, or a file path — visible in each tool's profile.
Tools operated by the publisher are scored by the same rubric. Placement is by score, not by construction.
Each tool carries a Last reviewed date and is re-tested at least annually.
Vendors can dispute a score or submit evidence of a shipped fix using the contact address in the site footer. Disputes and updates appear as dated addenda on the respective tool profile.
Law applied
Ley 2/2023, de 20 de febrero (the Spain transposition of EU Directive 2019/1937). Tools are scored against the Directive first and against the local law's specifics second.
Coverage note
This ranking covers 5 tools with a scoring block published. Additional tools are being added as scoring completes. Unscored tools will appear in the ranking once they have a published scoring block.