Security and data protection

Whistleblowing involves some of the most sensitive information an organisation handles. Report Securely is built from the ground up with security and privacy as foundational requirements — not afterthoughts.

GDPR compliance

Report Securely is designed for compliance with the General Data Protection Regulation (EU) 2016/679. As a data processor, we process personal data only on behalf of and under the instructions of our customers (data controllers).

We maintain Records of Processing Activities as required by Article 30, support data subject rights under Articles 15–22, and provide Data Processing Agreements compliant with Article 28.

European data residency

All data is stored and processed within the European Economic Area. We do not transfer personal data outside the EEA. This means your organisation's whistleblowing data is always subject to European data protection law — never exposed to foreign jurisdiction orders or surveillance frameworks.

Encryption

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard AES-256 encryption. Database connections, file storage, and backups are all encrypted.

Reporter anonymity

Report Securely supports both anonymous and confidential reporting modes. In anonymous mode, no identifying information is collected or stored. IP addresses are not logged. Browser fingerprinting is not used. Reporters receive a unique access code to communicate with case handlers without revealing their identity.

Additionally, our AI text rephrasing tool provides stylometric anonymisation — neutralising writing-style fingerprints that could otherwise identify a reporter through their distinctive phrasing, vocabulary, or sentence structure.

Access control

The platform enforces role-based access control. Only designated case handlers can access report contents. Handler assignments are tracked in the audit log. Partner law firm users have access only to reports explicitly routed to them. Internal messages between handlers are not visible to reporters.

Audit trail

Every significant action is logged: report submissions, status changes, handler assignments, message exchanges, reclassifications, and case closures. This audit trail supports both internal governance requirements and the Directive's Article 18 obligation to keep records of every report received.

Privacy by design

Consistent with GDPR Article 25, Report Securely implements data protection by design and by default. We collect only the data necessary for the whistleblowing process. We do not use tracking cookies, marketing analytics, or third-party advertising scripts. Our website analytics use a privacy-first, cookie-free solution.

Infrastructure

The platform runs on enterprise-grade infrastructure within the EEA. Regular security updates, automated backups, and monitoring are in place. We use HTTPS everywhere, enforce strict security headers (HSTS, X-Frame-Options, CSP), and follow OWASP security best practices.

Security questions?

If you have security or data protection questions, or need to report a vulnerability, contact us at: privacy@reportsecurely.com