EU Directive vs SOX 806 vs Dodd-Frank: One Platform, Three Regimes
A multinational employer with EU operations and US public-company exposure has to satisfy three whistleblowing regimes from a single platform: EU Directive 2019/1937, Sarbanes-Oxley Section 806, and Dodd-Frank Section 922. The engineering rule of thumb, verified against the three statutes as of April 2026, is to default every workflow to the strictest regime (the EU directive’s 7-day acknowledgement and 3-month feedback timers), then layer SOX-specific audit-committee routing and Dodd-Frank’s “anonymous via counsel” carve-out as overlays on top. Configure once to the EU baseline and the US obligations fall into place as additive routing rules, not as competing pipelines.
Inside a Whistleblowing Platform: 7 Components and the Data Flow
A whistleblowing platform is built from seven cooperating components: an intake layer that accepts reports over web, Tor, hotline, voice, and mobile channels; a triage and routing engine that classifies and assigns each case; a case management subsystem that owns the investigation lifecycle; an investigator workspace where authorised staff decrypt evidence and write findings; a two-way messaging channel that lets the platform talk back to anonymous reporters via a 16-digit receipt; an audit trail and reporting subsystem that records every action; and an admin and configuration plane that controls retention, encryption, and access policies. The reference architecture used here is grounded in publicly available application-security documentation from mature open-source whistleblowing software (verified April 2026) and the four lifecycle stages defined in ISO 37002:2021. The data flow is intake into encrypted submission storage, then routing to a recipient or audit committee, then case work over the receipt channel, then closure with a structured outcome and an audit trail that outlives the report itself once retention deletion removes the submission record.
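The "EU baseline plus US overlays" rule from the first section and the receipt-based routing step from the data flow above, as an added example rather than code from the page or from any whistleblowing product. The category names, recipient labels and the choice to count the 3-month feedback clock from the acknowledgement are assumptions made for the example.

```python
"""Added example: one routing policy defaulted to the EU directive, with SOX and
Dodd-Frank applied as additive overlays. Labels and categories are assumptions."""
import calendar
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

SOX_CATEGORIES = {"accounting", "internal_controls", "auditing"}  # assumed taxonomy


@dataclass
class Report:
    category: str
    anonymous: bool
    via_counsel: bool        # lodged by an attorney on the reporter's behalf
    us_listed_issuer: bool   # employer has US public-company exposure
    received: date


@dataclass
class Routing:
    ack_due: date
    feedback_due: date
    recipients: list = field(default_factory=list)
    contact: str = "receipt_channel"   # where two-way messages go


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to month end (30 Nov + 3 -> 28/29 Feb)."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def route(r: Report) -> Routing:
    # EU baseline for every report: acknowledge within 7 days of receipt and
    # give feedback within 3 months of that acknowledgement (the strictest clock).
    ack = r.received + timedelta(days=7)
    plan = Routing(ack, add_months(ack, 3), ["designated_recipient"])
    # SOX overlay: accounting-type complaints at a US issuer also reach the audit committee.
    if r.us_listed_issuer and r.category in SOX_CATEGORIES:
        plan.recipients.append("audit_committee")
    # Dodd-Frank overlay: an anonymous report made through counsel stays anonymous;
    # contact goes to the attorney of record and identity is never requested.
    if r.anonymous and r.via_counsel:
        plan.contact = "counsel_of_record"
    return plan


def new_receipt() -> str:
    """16-digit receipt for the anonymous channel, from a CSPRNG, unlinked to reporter data."""
    return "".join(str(secrets.randbelow(10)) for _ in range(16))
```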