EU Whistleblower Directory

EthicsPortal

Whistleblower reporting portal hosted on Hetzner in Germany. Flat €60/month plan.

Typical buyer

EU SMEs (50+ employees) wanting flat-rate, EU-hosted reporting without enterprise sales engagement.

Distinctive features

  • Flat €60/month regardless of headcount, users, or report volume
  • EXIF, GPS, and author metadata stripped from uploads automatically
  • Article-by-article mapping of features to Directive 2019/1937, plus a dedicated public page for each of the 27 EU member-state transpositions

Notable

  • Single flat plan; pricing does not vary by employee count, report volume, or user count.
  • Reporter and handler UI are available in English, Bulgarian, German, Greek, French, Croatian, Luxembourgish, Polish, and Romanian (9 locales total; 8 EU official languages plus Luxembourgish).
  • Vendor publishes an article-by-article mapping of features to EU Directive 2019/1937, plus a dedicated public page at /whistleblower-laws/<country>/ for each of the 27 EU member-state transpositions, citing official law text and external authorities.
  • File uploads are stripped of EXIF, GPS, and author metadata before storage.
  • No reporter IP addresses are stored; rate limiting uses one-way hashes.
  • End-to-end encryption of all personal data claimed on the vendor compliance page; sensitive fields (report descriptions, reporter contact, message bodies) are additionally encrypted at rest using non-deterministic encryption.
  • Append-only audit trail (PostgreSQL trigger blocks UPDATE on semantic fields and TRUNCATE) logs every action with timestamp, actor, and action type; complete audit log of submissions, status changes, messages, assignments, and report views is now visible to handlers as a Turbo Frame tab on each report.
  • Two-factor authentication available for handler and admin accounts, with onboarding step prompting setup.
  • Reporter access uses two factors: a Case reference (format WB-XXXX-XXXX) plus a 6-digit passcode chosen by the reporter at submission. The passcode is stored only as a bcrypt digest and cannot be recovered. The follow-up inbox and message-posting are gated on the passcode check; no account creation required. Reporters can also download a PDF copy of their own report from the follow-up portal (audit-logged).
  • Configurable data retention: 12, 24, 36, or 60 months, with automatic deletion of expired closed reports.
  • 7-day acknowledgement and 3-month feedback deadlines tracked automatically with overdue notifications and a lifecycle stepper UI.
  • Closure reason captured as a structured enum (action_taken, no_action_needed, outside_reporting_scope, sent_to_external_authority, withdrawn_by_reporting_person) aligned with Directive Art 9(1)(c) feedback obligations.
  • Admins can export an organisation-level compliance report PDF directly from the dashboard.
  • Handlers can manually log reports received by phone, email, or in person.
  • No public API or third-party integrations published.
  • Hosted in Hetzner’s Nuremberg data-centre park, which holds ISO/IEC 27001:2022 certification (audited by SOCOTEC) covering infrastructure, operation, and customer support. EthicsPortal itself is not separately ISO 27001 certified.
  • Published DPA grants the Controller explicit right to object to subprocessor changes (§6.4, 30-day notice + termination remedy) and commits to 72-hour breach notification (§6.6).
  • Zero-AI commitment codified in DPA §6.10 and on the public subprocessor list: no LLM or AI inference provider is in the data chain.
  • Accessibility statement at /accessibility/ declares WCAG 2.2 Level AA and EN 301 549 V3.2.3 conformance posture, with non-conformances enumerated and a detailed conformance table at /en-301-549-conformance/.
  • Users can review and revoke their own active sessions; each session records last_seen_at so stale devices are identifiable.
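
The "rate limiting uses one-way hashes" bullet above deserves one caveat: the vendor materials quoted on this page do not say whether the hash is keyed. A plain digest of an IPv4 address is one-way only in name, because the address space is 2^32 values and a stored bucket key can be brute-forced back to the address. The following is an added example, not EthicsPortal's code, showing that recovery against a plain SHA-256 bucket and the keyed, per-window alternative a limiter should use instead. The secret, window size, limiter class and sample address are all constructed for the example.

```ruby
require "openssl"
require "digest"
require "ipaddr"

# Added example (not EthicsPortal's code): why a limiter keyed on a one-way
# hash of the reporter's IP should use a keyed, per-window hash rather than a
# plain digest. Names, the secret and the sample address are constructed.

# Plain SHA-256 of the address. "One-way" in the cryptographic sense, but the
# IPv4 space is only 2^32 values, so anyone who can read the stored bucket key
# can enumerate candidates and recover the address.
def plain_bucket(ip)
  Digest::SHA256.hexdigest(ip)
end

# Recover an address from a plain digest by walking a CIDR block.
# Returns the matching IP as a string, or nil if none matched.
def recover_ip(digest, cidr)
  IPAddr.new(cidr).to_range.each do |addr|
    candidate = addr.to_s
    return candidate if plain_bucket(candidate) == digest
  end
  nil
end

# Keyed alternative: HMAC-SHA256 over "window_id|ip" under a server-side
# secret. Without the secret the key cannot be enumerated, and mixing in the
# window id means the same address lands in a fresh, unlinkable bucket each
# window, so stored keys cannot be correlated across windows either.
def keyed_bucket(ip, secret, window_id)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{window_id}|#{ip}")
end

# Minimal fixed-window limiter on top of keyed_bucket. It holds only
# (bucket key => hit count) for the current window and never stores the IP.
class HashedRateLimiter
  def initialize(secret:, limit:, window_seconds:)
    @secret = secret
    @limit = limit
    @window = window_seconds
    @counts = Hash.new(0)
    @current_window = nil
  end

  # true if the request is within the limit for this window, false otherwise.
  # `now` is injectable so the window rollover can be exercised in tests.
  def allow?(ip, now: Time.now.to_i)
    window_id = now / @window
    if window_id != @current_window
      @counts.clear                  # previous-window buckets are discarded
      @current_window = window_id
    end
    key = keyed_bucket(ip, @secret, window_id)
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

if __FILE__ == $PROGRAM_NAME
  ip = "203.0.113.57"                # constructed sample address (TEST-NET-3)
  puts "plain digest recovered: #{recover_ip(plain_bucket(ip), "203.0.0.0/16")}"
  limiter = HashedRateLimiter.new(secret: "constructed-secret", limit: 3, window_seconds: 60)
  puts 4.times.map { limiter.allow?(ip, now: 100) }.inspect   # [true, true, true, false]
end
```

Walking one /16 takes well under a second here; the full IPv4 space is an offline job of minutes, which is why the secret, not the hash function, is what protects the reporter. Rotating the secret with the window also bounds how long a compromised secret is useful.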
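
The "non-deterministic encryption" bullet above is the detail worth understanding when reading the vendor's compliance page. The added example below is not EthicsPortal's code; it contrasts a non-deterministic AES-256-GCM column (fresh random nonce per write) with a deterministic one (synthetic IV derived from the plaintext), and shows what a database reader without the key can learn from each. Keys, the sample report text and the helper names are constructed for the example; the deterministic construction is a sketch of the SIV idea, not a drop-in for a vetted SIV mode or a framework's own implementation.

```ruby
require "openssl"
require "securerandom"

# Added example (not EthicsPortal's code): what "non-deterministic" encryption
# at rest buys over a deterministic scheme for fields such as report
# descriptions and reporter contact details. Keys and sample rows are
# constructed; a real deployment takes keys from a KMS or encrypted credentials.

DATA_KEY = OpenSSL::Random.random_bytes(32)   # AES-256 key (constructed)
SIV_KEY  = OpenSSL::Random.random_bytes(32)   # separate key for synthetic IVs

# AES-256-GCM with the given 96-bit nonce. Output layout: nonce || tag || ct.
def aes_gcm_seal(plaintext, nonce, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Non-deterministic: a fresh random nonce every time, so encrypting the same
# value twice gives unrelated blobs. Nothing about equality of two rows leaks.
def encrypt_nondeterministic(plaintext, key = DATA_KEY)
  aes_gcm_seal(plaintext, SecureRandom.random_bytes(12), key)
end

# Deterministic: nonce derived from the plaintext under SIV_KEY (a synthetic
# IV, sketching the idea behind SIV modes). Equal inputs give equal blobs,
# which is what makes exact-match lookup on an encrypted column possible, but
# it also means anyone reading the table can see which rows share a value.
# GCM's nonce-reuse hazard does not bite for *different* plaintexts here,
# since distinct inputs get distinct nonces except with negligible probability.
def encrypt_deterministic(plaintext, key = DATA_KEY)
  nonce = OpenSSL::HMAC.digest("SHA256", SIV_KEY, plaintext)[0, 12]
  aes_gcm_seal(plaintext, nonce, key)
end

# Decrypts either layout; raises OpenSSL::Cipher::CipherError if the blob
# was modified, because GCM authenticates the ciphertext under the nonce.
def decrypt(blob, key = DATA_KEY)
  nonce, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# What a database reader without the key can learn: the number of groups of
# rows that carry an identical stored value. Always zero for a
# non-deterministic column, however many reports repeat the same text.
def equality_leak(column)
  column.tally.count { |_, n| n > 1 }
end
```

The practical reading of the vendor's claim: free-text fields (description, message bodies, reporter contact) only need decryption by the application and gain nothing from deterministic encryption, so random nonces cost nothing and remove the equality oracle. Deterministic encryption belongs only on fields that must be looked up by exact value.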

Verification notes - 2026-05-15

  • Source-level verification confirms 9 live product locales: config/application.rb now exposes en bg de el fr hr lb pl ro (Croatian added since the 2026-04-23 review); Croatian translation files exist at config/locales/hr.yml, config/locales/whistleblower.hr.yml, and config/locales/compliance_templates.hr.yml.
  • All 27 EU member states have dedicated public legal-reference pages under website/content/en/whistleblower-laws/, each naming the national act, citing its official source, and identifying the external reporting authority. /compliance/ links out to this index from its country-law paragraph.
  • DPA §6.4 (Sub-processors): “The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to the change; if no resolution is reached, the Controller may terminate the agreement.”
  • DPA §6.6 (Data breach notification) commits to 72-hour notification with required content (nature, consequences, measures).
  • DPA §6.10 codifies the zero-AI commitment as a material contractual term, naming OpenAI, Anthropic, Google, and Mistral as not-sub-processors.
  • Audit log surfaced to handlers as the third Turbo Frame tab on app/views/organizations/whistleblower/reports/show.html.erb (commit 858ee3a6); audit log actor field is now polymorphic with snapshotted metadata (commits 62aa48b7, 66dd30a8).
  • Report lifecycle refactored from a single status enum to milestone timestamps + closure_outcome enum (acknowledged_at, feedback_given_at, closed_at, closure_outcome). Compliance behaviour preserved; closure_outcome enum is now Directive Art 9(1)(c)-aligned.
  • Membership now supports deactivation as well as deletion: scope :deactivated, -> { where.not(deactivated_at: nil) } preserves audit history; deactivated members are auto-unassigned from open reports.
  • Pricing updated 2026-05-25: Monthly €60 /month, Yearly €41.67 /month billed as €500/year, 30-day money-back guarantee.

Scoring review - 2026-05-15

Re-scored 2026-05-15 under the same 25-criterion rubric at access tier P + R + H with source-code-level access permitted by the vendor. Rubric unchanged from 2026-04-23. Items tracked on the vendor roadmap are scored as gaps, not skipped.

Base score: 42 / 50 in France, Bulgaria, Greece, and Romania contexts (+1 from 2026-04-23, driven by D22). France country bonus: 5 / 8 (unchanged). Bulgaria country bonus: 6 / 6 (+2). Greece country bonus: 4 / 6 (+2). Romania country bonus: 6 / 6 (+2).

  Category                                 Score   Max
  A. Legal compliance                         14    16
  B. Reporter experience (BG/FR/GR/RO)         8    10
  C. Handler experience                        9    10
  D. Security                                  6     8
  E. Commercial                                5     6

What moved since 2026-04-23:

  • D22 (subprocessor transparency) 1 → 2. DPA §6.4 now grants the Controller an explicit right to object to subprocessor changes with 30-day notice and termination remedy; /trust/ publishes contracting party, backups, RTO/RPO, and session lifecycle.
  • bg_law / gr_law / ro_law all 0 → 2. /whistleblower-laws/ ships a dedicated public page for every EU member state, each naming the national act and linking to its official source.
  • Croatian (hr) added as a 9th portal locale, fully localised across reporter and handler surfaces.
  • Reporter PDF download added to the follow-up portal (audit-logged), strengthening B11.
  • Lifecycle stepper UI replaces the simple status string in both reporter and handler views; underlying schema migrated from a status enum to milestone timestamps + a closure_outcome enum aligned with Directive Art 9(1)(c).
  • Audit log surfaced to handlers as the third Turbo Frame tab on reports#show.
  • Accessibility statement now public at /accessibility/ with detailed EN 301 549 conformance table at /en-301-549-conformance/.
  • Trust + security pages consolidated and published, including contracting party, backups, RTO/RPO, session lifecycle, breach SLA, and zero-AI posture.

What still caps the base score:

  • B12 — structured intake (still 0/2): schema remains Subject + Description + Files + optional category; the form does not yet ask relationship-to-org, source-of-info, prior reporting, or retaliation-concern questions.
  • C18 — role tiers (still 1/2): membership is still enum :role, %w[member admin]; rubric wants ≥3 case-scoped role tiers. Deactivation lifecycle was added but does not change the role count.
  • D19 — ISO 27001 of EthicsPortal itself (still 0/2): only Hetzner infrastructure is certified.
  • A7 — hash-chained audit log (2/2, but noted as room to harden): append-only at DB level via a PostgreSQL trigger blocking mutation of semantic fields; not hash-chained, so integrity rests on the trigger staying in place rather than on a chain a third party can verify.
  • A8 — DPIA template (still 1/2): DPA, breach SLA, and trust runbook are published — but a customer-facing DPIA template is not yet a public artifact.
  • E24 — free trial (still 1/2): pay-first with 30-day money-back; no upfront self-serve trial.
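
The Notable bullet on the append-only audit trail and the A7 line above both turn on the same distinction: a trigger makes the table append-only for ordinary sessions, but a database owner can drop the trigger, edit a row, and re-create it, and nothing in the table records that this happened. Hash chaining makes every row commit to its predecessor, so edits and removals in the middle of the log are detectable by recomputation, and an externally anchored head hash covers the tail. The following is an added example, not EthicsPortal's code; the log class, field names, actor ids and case reference are constructed, and the checkpoint mechanism is only described, not implemented.

```ruby
require "digest"
require "json"

# Added example (not EthicsPortal's code): a hash-chained audit log and the
# verification a trigger-enforced append-only table alone cannot offer. The
# sample entries, actor ids and case reference are constructed.

GENESIS = "0" * 64   # prev_hash of the first entry

# Canonical serialisation (sorted keys) so the hash does not depend on column
# order; the hash covers the previous entry's hash plus this entry's fields.
def entry_hash(prev_hash, entry)
  Digest::SHA256.hexdigest(prev_hash + JSON.generate(entry.sort.to_h))
end

class ChainedAuditLog
  attr_reader :rows

  def initialize
    @rows = []
  end

  # Append one entry (timestamp, actor, action type, report). Each stored row
  # carries prev_hash and its own hash, mirroring an audit table with two
  # extra columns. Returns the stored row.
  def append(timestamp:, actor:, action:, report_id:)
    entry = { "timestamp" => timestamp, "actor" => actor,
              "action" => action, "report_id" => report_id }
    prev = @rows.empty? ? GENESIS : @rows.last["hash"]
    @rows << entry.merge("prev_hash" => prev, "hash" => entry_hash(prev, entry))
    @rows.last
  end
end

# Walk the chain from genesis. Returns the index of the first row whose link
# or content does not recompute, or nil if every row checks out. This catches
# edits to any field and deletion or insertion of any row except at the tail.
def verify_chain(rows)
  prev = GENESIS
  rows.each_with_index do |row, i|
    body = row.reject { |k, _| k == "prev_hash" || k == "hash" }
    return i if row["prev_hash"] != prev || row["hash"] != entry_hash(prev, body)
    prev = row["hash"]
  end
  nil
end

# The chain alone cannot see rows removed from the end: the shortened log is
# still internally consistent. That needs the latest hash recorded somewhere
# the database owner cannot rewrite (a periodic checkpoint sent to the
# controller, an external timestamping service, a WORM bucket). This compares
# the current tail against such an anchored head.
def head_matches?(rows, anchored_head)
  !rows.empty? && rows.last["hash"] == anchored_head
end
```

Two points a buyer assessing A7 would check: that verification is run by someone other than the database owner (otherwise the chain can be rewritten end to end), and how often the head is anchored, since rows appended after the last checkpoint are only protected by the trigger.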

Buyer fit:

  • Bulgaria: closes the previous Bulgaria-specific legal-posture gap. The Bulgarian whistleblowing act is now cited publicly at /whistleblower-laws/bulgaria/, with the CPDP’s dual role (external authority + data protection authority) flagged. Bulgarian UI, named EU hosting, and the new explicit legal-act citation now all line up. Bulgaria total: 48 / 56.
  • France: top of the Edition I, 2026 rubric. Loi Waserman is cited on /compliance/ and on /whistleblower-laws/france/ with a Légifrance link. Sapin II is not claimed as product scope and is largely a separate anti-corruption regime. FR-local data residency remains the open item — Germany-hosted on Hetzner Nuremberg rather than a Paris or Gravelines option. France total: 47 / 58.
  • Greece: now a defensible Greece-market leader. /whistleblower-laws/greece/ cites Law 4990/2022 with the official gazette PDF and the National Transparency Authority as external channel; full Greek reporter and handler UI is live. The remaining delta is hosting fit (Germany-only, no GR option). Greece total: 46 / 56.
  • Romania: closes the previous Romania-specific gap. /whistleblower-laws/romania/ cites Legea nr. 361/2022 with the official text PDF and identifies ANI as both external authority and practical guidance body; Romanian UI and named EU hosting were already in place. Romania total: 48 / 56.


Frequently asked questions about EthicsPortal

Answers derived from vendor-published materials dated on this page.

Is EthicsPortal suitable for SMEs under 250 employees?
Yes. EthicsPortal sells a single flat plan, published at €60/month or €41.67/month billed annually (€500/year), that does not vary with headcount, user count, or report volume. Its typical buyer is an EU SME (50+ employees) wanting flat-rate, EU-hosted reporting without enterprise sales engagement.
Which national whistleblower laws does EthicsPortal explicitly reference?
EthicsPortal's public materials name, among others, the transpositions in Germany (HinSchG), France (Loi Waserman), Italy (D.Lgs. 24/2023), Spain (Ley 2/2023), Poland (Act of 14 June 2024), Bulgaria (Whistleblowing Act, in force 4 May 2023), Greece (Law 4990/2022) and Romania (Legea nr. 361/2022). Beyond these, a dedicated /whistleblower-laws/<country>/ page exists for each of the 27 EU member states, citing the official law text, so every national transposition of Directive 2019/1937 is referenced. Verify jurisdictional fit with the vendor directly.
Does EthicsPortal process whistleblower report content with AI?
No — EthicsPortal does not process report content with AI or machine translation per its vendor materials. Verify the vendor's subprocessor list to confirm no downstream AI processing occurs.
