A compliant voice hotline intake under France’s Loi Waserman, the act that modernised Sapin II to transpose EU Directive 2019/1937, is one pipeline, not three. Capture audio in the browser via the MediaRecorder API, encrypt and upload it into the same report bundle as the text fields using libsodium SealedBox to the recipient’s Curve25519 public key, produce a draft transcript on the recipient side using a self-hosted STT model, and let the reporter verify, rectify, and approve through an anonymous one-time receipt code (never an email or phone re-prompt). The same five-stage pipeline satisfies Article 9(2) and Article 18 of the directive, France’s verify/rectify/approve cycle, and Italy’s D.lgs. 24/2023 oral-report rule. The only deltas across regimes are the consent UX wording and the retention period.

Anonymity and confidentiality are two different security properties, and a whistleblowing platform that uses them as synonyms is selling a promise it cannot keep. Anonymity means the reporter’s identity stays unobservable to the platform, to intermediaries, and to recipients, which operationally requires a Tor onion service v3, the Tor Browser on the reporter’s side, and reporter-side discipline against forensic traces. Confidentiality means the reporter accesses the platform over a regular browser; the ISP, the employer network, or a CDN can log the connection, while the platform encrypts the content, restricts recipient access, and keeps logs honest. Both are valid, and the right default depends on context: corporate compliance programmes usually default to confidential with anonymous opt-in via Tor, whereas human-rights initiatives and investigative newsrooms default to anonymous.

A compliant whistleblowing operation runs two SLA clocks per case: 7 days from intake to acknowledgement, then up to 90 days from acknowledgement to substantive feedback. Both timers come straight from Articles 9 and 11 of EU Directive 2019/1937, and they are mirrored verbatim in every Member-State transposition: France’s Loi Waserman, Italy’s D.lgs. 24/2023, and Germany’s HinSchG. Lay them on top of the ISO 37002:2021 four-stage management cycle (Receive, Assess, Address, Conclude), add a parallel 12-month retaliation watch, and you have a workflow that satisfies the directive, the international standard, and the operational reality of running an investigation. A platform that does not surface both clocks per case as countdown badges (rather than as background retention settings) is non-compliant by design.

A multinational employer operating in Germany, France, and the United Kingdom can run secure whistleblowing software across all three regimes if the admin plane exposes five per-tenant switches: anonymous-acceptance, oral-record format, in-person-meeting SLA, headcount calculation rule, and per-artifact retention period. That five-switch model is the information-gain anchor of this post: each switch is driven by a specific section of HinSchG (Germany, in force 2 July 2023, with the late-2023 anonymous-reporting amendment), by the Sapin II decree of 3 October 2022 in France, or by the structure of PIDA 1998 in the UK. The trap most platforms fall into is treating PIDA as if it mandated a channel; PIDA only protects retaliation, it does not require the employer to operate one.

A whistleblowing platform handles allegations of wrongdoing, names identifiable third parties, and routinely captures special-category data such as harassment, discrimination, or criminal-conduct claims. It is inside GDPR scope, and three mistakes show up on almost every implementation review. Calling pseudonymous receipt-coded reports “anonymous” and assuming GDPR no longer applies; selecting consent as the lawful basis even though the freely-given test fails under the employer/employee power imbalance; and treating encryption as an exemption from breach notification when Article 33’s 72-hour clock keeps running regardless. This post walks each pitfall, ties it to a specific GDPR article, and shows what the platform must do in product terms.

A multinational employer with EU operations and US public-company exposure has to satisfy three whistleblowing regimes from a single platform: EU Directive 2019/1937, Sarbanes-Oxley Section 806, and Dodd-Frank Section 922. The engineering rule of thumb, verified against the three statutes as of April 2026, is to default every workflow to the strictest regime (the EU directive’s 7-day acknowledgement and 3-month feedback timers), then layer SOX-specific audit-committee routing and Dodd-Frank’s “anonymous via counsel” carve-out as overlays on top. Configure once to the EU baseline and the US obligations fall into place as additive routing rules, not as competing pipelines.

A whistleblower report needs a complete encryption protocol, not a checkbox that says “AES-256”. A reference design that has converged across mature open-source whistleblowing platforms pairs three primitives in a way every serious system should recognise: a 16-digit random receipt code (stored on the server only as a SHA-256 hash, shaped like a phone number so the reporter can hide it among contacts), libsodium SealedBox (Curve25519 + XSalsa20 + Poly1305) to wrap a per-submission data key to each authorised recipient’s public key, and libsodium SecretBox (XSalsa20 + Poly1305) to encrypt the submission body and attachments under that data key. Each recipient’s Curve25519 private key sits on the server encrypted under a symmetric key derived from the recipient’s password via Argon2ID tuned to 128 MB of memory and roughly one second of computation per login. As of April 2026, this is the protocol that production deployments serving anti-corruption activists, corporate compliance teams, and investigative newsrooms actually run.

A whistleblowing platform is built from seven cooperating components: an intake layer that accepts reports over web, Tor, hotline, voice, and mobile channels; a triage and routing engine that classifies and assigns each case; a case management subsystem that owns the investigation lifecycle; an investigator workspace where authorised staff decrypt evidence and write findings; a two-way messaging channel that lets the platform talk back to anonymous reporters via a 16-digit receipt; an audit trail and reporting subsystem that records every action; and an admin and configuration plane that controls retention, encryption, and access policies. The reference architecture used here is grounded in publicly available application-security documentation from mature open-source whistleblowing software (verified April 2026) and the four lifecycle stages defined in ISO 37002:2021. The data flow is intake into encrypted submission storage, then routing to a recipient or audit committee, then case work over the receipt channel, then closure with a structured outcome and an audit trail that survives the reporting record after retention deletion.

EU Directive 2019/1937 obliges every private legal entity with 50 or more workers, and most public-sector entities, to operate an internal reporting channel that accepts written and oral reports, acknowledges receipt within 7 days, and gives feedback on action taken within 3 months (extendable to 6 in duly justified cases). The channel must protect the identity of the reporter and any third party named in the report, allow third-party operation under the same safeguards, support an in-person meeting on the reporter’s request, and avoid any form of retaliation as defined in Article 19. Translating those legal obligations into product requirements yields a 12-row engineering checklist that any reporting platform must satisfy before it can be considered compliant. As of April 2026, every clause below is still load-bearing under the directive’s text on EUR-Lex and the European Commission’s transposition page.