Data privacy and security are key for a trustworthy whistleblowing service. WhistleB offers industry-leading security to protect customer data and anonymous whistleblowers, built on four pillars.
1. Adherence to ISO 27001 to systematically protect customer information
2. High data privacy and security settings
3. Reliable and flexible service platform
4. Commitment to legal compliance globally, including the GDPR
Adherence to ISO 27001 to systematically protect customer information
Systematic protection and management of customer information. The WhistleB Information Security Management System (ISMS) complies with ISO/IEC 27001:2013, the latest international information security standard. It has been designed to ensure that information security, including personal data management, is considered in all decisions during development and throughout the life cycle of the service.
WhistleB Information Security Management System
The Information Security Management System (ISMS) governs WhistleB’s internal processes and our relationships with customers, partners and suppliers. We ensure the confidentiality, integrity and availability of customer data. All applicable controls in ISO/IEC 27002 are implemented per good practice standards such as the Information Security Forum and customer-specific requirements, including personal data (PII) requirements.
Highest data privacy and security settings
WhistleB’s security solutions protect sensitive data
The top priority of the WhistleB service is to safeguard the anonymity of a whistleblower and to protect sensitive customer data. Building trust in the service and protecting sensitive data is paramount for all WhistleB customers, which is why the principles of security by default and by design are embedded in the WhistleB service. Data security is the basis for all functions in the service.
To ensure the anonymity of the whistleblower, WhistleB does not:
- track metadata related to the whistleblower, including IP addresses
- ask the whistleblower for his or her identity at any stage
Protection of customer data
- Encryption. Customer data is encrypted in transit and at rest. WhistleB does not have access to sensitive customer data such as messages unless authorised by the customer.
- Multi-factor authentication. Access to the WhistleB service includes multi-factor authentication for secure access.
- Intrusion detection and prevention. All authentication points in the WhistleB service are protected against online attacks.
- Secure data. Real-time replication is combined with back-ups utilising primary and secondary data centres.
- Availability of data. The WhistleB service is available to its users from anywhere, at any time. Performance and security of the WhistleB service are monitored 24/7/365 by an external party.
- Vulnerability assessments and penetration testing. The service is continuously monitored to mitigate vulnerabilities and risks. In addition to regular internal testing, the WhistleB service is regularly tested by external IT security experts.
Reliable and flexible service platform
Your data is stored securely
A truly global whistleblowing service requires the highest levels of reliability and flexibility. The WhistleB service platform has been designed to allow high scalability and flexibility, offering a future-proof service to our customers. WhistleB has chosen Microsoft Azure as its hosting and development platform, which offers the most comprehensive set of compliance offerings of any cloud service provider.
Platform services are delivered to customers through data centres, each designed to run 24/7/365, and each employing various measures to protect operations from power failure, physical intrusion and network outages.
Microsoft Azure is committed to annual renewal of its ISO/IEC 27001 (international standard for information security management) and ISO/IEC 27018 (international standard for protecting personal data in the cloud) certifications. Management, security and compliance statements for Microsoft Azure are available at Microsoft’s Trust Center portal.
“A whistleblowing service deals with sensitive data, and individuals who sound the alarm must be able to feel confident that they are and remain anonymous. Microsoft Azure’s platform enables WhistleB’s service to support security, both in terms of the employee and the information, in accordance with the requirements stipulated in the GDPR, for example. Microsoft offers the most comprehensive and secure cloud solution globally.”
Daniel Akenine, Security Manager at Microsoft Sweden, 2017
Commitment to legal compliance globally, including the GDPR
The WhistleB system conforms to the strictest data protection laws in the world. We enable customers to manage their data in compliance with data protection regulations, for example through data retention and deletion as well as user logs for follow-up of case management. When using the WhistleB service, our customers benefit from the WhistleB General Data Protection Regulation (GDPR) customer assessment to assure compliance with the GDPR. The WhistleB service has been externally assessed for compliance with the GDPR.
Compliance with national regulations on whistleblowing
The WhistleB service includes support for correct management and communication in compliance with national regulations on whistleblowing. National instructions are updated on a yearly basis to make sure that your service is compliant wherever it is offered.
How WhistleB meets key GDPR requirements
- Data is stored within the EU.
- Personal data is secured; data is encrypted in storage, transmission and back-ups.
- User logs are created for follow-up and audits.
- Data can be extracted, corrected and deleted.
WhistleB – Whistleblowing made trustworthy
We help our customers to protect their sensitive data, using industry-leading data security standards. Guidance on legal compliance is available and is continuously being updated.
- ISO 27001 compliance.
- Regular external vulnerability and penetration tests.
- Access to legal guidance on personal data protection regulations governing whistleblowing.
EU: General Data Protection Regulation (GDPR) compliant. Data Protection Impact Assessment (DPIA) available.