Skip to main content
EU Whistleblower Directory
EthicsPortal logo

EthicsPortal

Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

EthicsPortal homepage screenshot
Typical buyer

EU SMEs (50+ employees) wanting flat-rate, EU-hosted reporting without enterprise sales engagement.

Distinctive features

  • Flat €60/month regardless of headcount, users, or report volume
  • EXIF, GPS, and author metadata stripped from uploads automatically
  • Article-by-article mapping of features to Directive 2019/1937, plus a dedicated public page for each of the 27 EU member-state transpositions
  • In-portal oral reporting (Art 9(2)(b)) with automatic voice anonymization — the reporter's raw voice is pitch-shifted and the original audio purged, never persisted past processing

Notable

  • Single flat plan; pricing does not vary by employee count, report volume, or user count.
  • Reporter and handler UI are available in English, Bulgarian, German, Greek, Spanish, French, Croatian, Italian, Dutch, Polish, Portuguese, Romanian, and Luxembourgish (13 locales total; 12 EU official languages plus Luxembourgish).
  • Vendor publishes an article-by-article mapping of features to EU Directive 2019/1937, plus a dedicated public page at /whistleblower-laws/<country>/ for each of the 27 EU member-state transpositions, citing official law text and external authorities.
  • File uploads are stripped of EXIF, GPS, and author metadata before storage.
  • No reporter IP addresses are stored; rate limiting uses one-way hashes.
  • Personal data is encrypted in transit (TLS); sensitive fields — report descriptions, reporter contact details, and message bodies — are encrypted at rest.
  • Append-only audit trail logs every action with timestamp, actor, and action type; the complete audit log of submissions, status changes, messages, assignments, and report views is visible to handlers on each report.
  • Two-factor authentication available for handler and admin accounts, with an onboarding step prompting setup.
  • Reporter access uses two factors: a case reference (format WB-XXXX-XXXX) plus a 6-digit passcode chosen by the reporter at submission. The passcode is stored only as a hashed digest and cannot be recovered. The follow-up inbox and message-posting are gated on the passcode check; no account creation required. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged).
  • Configurable data retention: 12, 24, 36, 48, or 60 months, with automatic deletion of expired closed reports.
  • 7-day acknowledgement and 3-month feedback deadlines tracked automatically with overdue notifications and a lifecycle stepper UI.
  • Closure reason captured as a structured outcome (action taken, no action needed, outside reporting scope, referred to external authority, withdrawn) aligned with Directive Art 9(1)(c) feedback obligations.
  • Oral reporting (Directive Art 9(2)(b)) is supported directly in the portal: reporters can record a voice message at submission. Anonymization is always-on and irreversible — the audio is pitch-shifted, only the altered clip is attached, and the original is purged, so the reporter’s true voice never persists past processing. The pipeline fails closed: until conversion succeeds the recording is hidden from handlers, and on permanent failure the raw audio is purged rather than retained.
  • Handlers can set a case priority (low, normal, high, urgent) during assessment; the priority shows as a badge on the report list, every change is audit-logged, and the compliance report includes a breakdown of reports by priority.
  • Admins can export an organisation-level compliance report PDF directly from the dashboard.
  • Handlers can manually log reports received by phone, email, or in person.
  • Report categories are mapped to the Directive’s Art 2(1) Union-law domains: each category carries a directive (with article reference) or national tag, the article surfaces as a badge on the handler-facing report detail, and reporters continue to choose from plain-language groups.
  • Structured intake questionnaire: five optional, Directive-aligned questions — relationship to the organization (Art 4 personal scope), how the reporter knows, when/how often it happened, whether it was reported before, and whether the reporter fears or faces retaliation (Art 19) — presented as a skippable guided step on the reporter form so anonymity is never compromised by a required answer. Answers are encrypted at rest, shown to handlers and in the PDF export, and a retaliation concern is surfaced as a prominent urgency badge. The same questions are available when a handler logs an offline (phone/in-person) report.
  • Three membership role tiers: member (handler), admin, and viewer — a read-only seat for auditors and external legal counsel that can see every report and the full audit trail but cannot act on a case or manage the organisation.
  • Organization-level GDPR Art 20 data export: an admin can request a ZIP of the full tenant dataset (reports, messages, attachments, with encrypted fields decrypted for portability); the request and the download are both audit-logged, access is admin-only, and the ZIP auto-purges after 7 days.
  • Deleting an organisation that holds reports is a retention-aware soft-delete, not an instant wipe: the org disappears for users immediately while its reports ride out their per-portal retention windows and are auto-purged afterward, preserving the Directive’s retention obligation. Orgs with no reports still hard-delete immediately.
  • SCIM 2.0 user provisioning: an organization can connect its identity provider (e.g. Okta, Microsoft Entra ID) to provision case handlers and automatically deprovision them when they are removed from the directory. Admins generate, rotate, and enable or disable a per-organization token and choose the default role for provisioned users.
  • SAML 2.0 single sign-on: an organization can connect its identity provider (e.g. Okta, Microsoft Entra ID) so its team signs in through it. SSO is configured per organization and can cover one or more email domains; enforcement (requiring SSO for those domains) and just-in-time provisioning of accounts on first sign-in are both optional. Magic-link sign-in remains available when SSO is not enforced. SSO authenticates logins while SCIM provisions accounts — the two together are the standard enterprise-identity pairing.
  • No public reporting API or third-party integrations published; the SAML SSO and SCIM endpoints are scoped to authentication and identity provisioning respectively.
  • Hosted in Hetzner’s Nuremberg data-centre park, which holds ISO/IEC 27001:2022 certification (audited by SOCOTEC) covering infrastructure, operation, and customer support. EthicsPortal itself is not separately ISO 27001 certified.
  • Publishes an ISO 37002:2021 guidance-alignment map (/iso-37002/) mapping the standard’s operating clauses to shipped features, plus an ISO 27001 Annex A self-assessment. ISO 37002 is a guidelines standard, so this is alignment, not certification.
  • Published DPA grants the Controller an explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6).
  • Zero-AI commitment codified in DPA §6.10 and on the public subprocessor list: no LLM or AI inference provider is in the data chain.
  • Accessibility statement at /accessibility/ declares WCAG 2.2 Level AA and EN 301 549 V3.2.3 conformance posture, with non-conformances enumerated and a detailed conformance table at /en-301-549-conformance/.
  • Users can review and revoke their own active sessions; each session records when it was last seen so stale devices are identifiable.

Scoring review - 2026-06-21

Reviewed across the public site plus the reporter and handler environments, under the 25-criterion rubric (v2_25_criteria).

Base score: 47 / 50 in the France, Bulgaria, Greece, and Romania contexts. Country bonuses: France 5 / 8, Bulgaria 6 / 6, Greece 4 / 6, Romania 6 / 6, Spain 5 / 6, Belgium 5 / 6.

CategoryScoreMax
A. Legal compliance1616
B. Reporter experience (BG/FR/GR/RO)1010
C. Handler experience1010
D. Security68
E. Commercial56

What caps the base score:

  • D19 — ISO 27001 of EthicsPortal itself: only Hetzner infrastructure is certified.
  • A7 — hash-chained audit log: append-only at the database level, but not hash-chained.
  • E24 — free trial: pay-first with 30-day money-back; no upfront self-serve trial.

Buyer fit: Bulgaria 53 / 56, France 52 / 58, Greece 51 / 56, Romania 53 / 56. Spain and Belgium each gain from the in-language reporter UI now live. Across markets the remaining deltas are data-residency fit (Germany-only hosting, no per-country region) and the three base-capping gaps above.

Similar to EthicsPortal

Other platforms in the directory with overlapping pricing model, certifications, or procurement path.

Frequently asked questions about EthicsPortal

Answers derived from vendor-published materials dated on this page.

Is EthicsPortal suitable for SMEs under 250 employees?
Yes — EthicsPortal's entry-tier pricing is published under €50/month, inside the range most 50–249-employee organisations budget for a reporting channel. €60/month, or €41.67/month billed annually (€500/year) EU SMEs (50+ employees) wanting flat-rate, EU-hosted reporting without enterprise sales engagement.
Which national whistleblower laws does EthicsPortal explicitly reference?
EthicsPortal explicitly cites the following national transpositions of Directive 2019/1937 in its public materials: Germany (HinSchG), France (Loi Waserman), Italy (D.Lgs. 24/2023), Spain (Ley 2/2023), Poland (Act of 14 June 2024), Bulgaria (Whistleblowing Act, in force 4 May 2023), Greece (Law 4990/2022), Romania (Legea nr. 361/2022), All 27 EU member states — a dedicated /whistleblower-laws/<country>/ page exists per state, citing the official law text. Absence from this list does not mean the platform can't be used in other EU jurisdictions — all 27 member states have transposed the Directive. Verify jurisdictional fit with the vendor directly.
Does EthicsPortal process whistleblower report content with AI?
No — EthicsPortal does not process report content with AI or machine translation per its vendor materials. Verify the vendor's subprocessor list to confirm no downstream AI processing occurs.

Compare EthicsPortal with another platform

Direct side-by-side comparisons against other tools in this directory.