Witik

Notable

• Founded 2020; positions itself as a “100% French-made” GRC platform.
• Modules: GDPR/RGPD, Sapin II (anti-corruption, including internal alerts), and EU AI Act compliance.
• Sapin II module bundles four components: internal alerts (whistleblowing), anti-corruption controls, gifts & invitations, and conflicts of interest.
• Whistleblowing features: ready-to-use alert form, anonymous reporting, secure two-way communication, private access portal, dashboard, and automated assignment/tracking claims.
• Public API with webhook engine; integrations advertised via these hooks rather than a marketplace.
• Certifications: ISO 27001, HDS (French health-data hosting accreditation), plus EcoVadis Bronze (sustainability rating, non-security).
• Hosting: France / EU positioning is public; the privacy policy names OVH SAS for the platform and public forms, while commercial/prospecting tooling may involve international transfers.
• Site UI available in 7 languages; the EU-language-coverage breakdown for the reporting form itself is not enumerated on public pages.
• Starter (free) tier exists on both GDPR and Sapin II modules with sharp limits; Premium subscription is the production tier.
• Fits the module-based pattern also represented in the directory by Clym (privacy suite) and osapiens (ESG suite).

Vendor-page evidence - 2026-05-24

• Current pricing page shows Sapin II Starter at 0€ HT/mois, Premium from 100€ HT/mois, a 14-day trial claim, and a 36-month annual-payment default with monthly payment available at surcharge.
• The whistleblowing feature page claims a ready-to-use alert form, anonymous reporting, confidential chat box, private access portal, dashboard, automatic assignment, timestamped documentation, and audit history.
• Current homepage markets Witik as AI-native and states product data is not used to train Witik or third-party AI models; the privacy policy separately names an OpenAI-backed meeting/prospecting tool, not the whistleblowing module itself.
• The privacy policy names multiple infrastructure/tooling providers; this improves the old sub-processor evidence, but no public objection workflow or DPA pack was found.
• Witik’s public pages reviewed did not show a Directive 2019/1937 article-level taxonomy.

Scoring review - 2026-05-24

Scored under the 25-criterion rubric v2 at access tier P (public pages only; demo is sales-gated, no self-serve trial).

Base score: 20 / 50. France country bonus: 7 / 8.

Unverified from public pages: public Art 2(1) taxonomy in intake, public 7-day / 3-month automation proof, and documented two-factor reporter access. Public whistleblowing copy is framed primarily through Sapin II, and the standard commercial model is anchored in a 36-month commitment even if shorter monthly billing is available at a surcharge.

Evidence supporting the score: French OVH/HDS hosting, ISO 27001 / HDS claims, a public Sapin II pricing page, a 14-day-trial mention, and surcharge-based monthly billing.

Buyer fit: French organisations already using Witik for RGPD that want to add Sapin II whistleblowing coverage. Buyers seeking a dedicated Directive-first whistleblower tool should confirm legal mapping and workflow evidence directly.