Voice Hotline Intake: STT Pipeline for Sapin II Compliance
A compliant voice hotline intake under France’s Loi Waserman, the act that modernised Sapin II to transpose EU Directive 2019/1937, is one pipeline, not three. Capture audio in the browser via the MediaRecorder API, encrypt and upload it into the same report bundle as the text fields using libsodium SealedBox to the recipient’s Curve25519 public key, produce a draft transcript on the recipient side using a self-hosted STT model, and let the reporter verify, rectify, and approve through an anonymous one-time receipt code (never an email or phone re-prompt). The same five-stage pipeline satisfies Article 9(2) and Article 18 of the directive, France’s verify/rectify/approve cycle, and Italy’s D.lgs. 24/2023 oral-report rule. The only deltas across regimes are the consent UX wording and the retention period.
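The reporter-side half of that pipeline, the receipt code that gates verify, rectify and approve, written out as an added example that is not code from the original page or from any hotline product. It uses only the Python standard library; the phone-number grouping, the status names and the class and field names are assumptions, while the 16-digit length and the hash-only server storage follow the description above.

```python
# Added example (not from any hotline product): issue a 16-digit receipt code,
# keep only its SHA-256 hash server-side, and gate the reporter's
# verify / rectify / approve cycle on it. Standard library only.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RECEIPT_DIGITS = 16
# Display grouping is an assumption; it only has to look like a phone number.
GROUPING = (2, 3, 3, 4, 4)


def format_like_phone_number(digits: str) -> str:
    """'1234567890123456' -> '+12 345 678 9012 3456' so it hides among contacts."""
    parts, pos = [], 0
    for n in GROUPING:
        parts.append(digits[pos:pos + n])
        pos += n
    return "+" + " ".join(parts)


def normalise_receipt(user_input: str) -> str:
    """Accept whatever the reporter pastes back (spaces, dashes, leading '+')."""
    return "".join(ch for ch in user_input if ch.isdigit())


def receipt_hash(digits: str) -> str:
    return hashlib.sha256(digits.encode("ascii")).hexdigest()


@dataclass
class Submission:
    transcript_draft: str                      # recipient-side STT output
    transcript_final: Optional[str] = None     # set by rectify or approve
    status: str = "awaiting_verification"


class ReceiptStore:
    """Server side: SHA-256(receipt) -> submission. The plaintext code exists
    only in the one response that shows it to the reporter at submission time;
    it is never re-issued or sent to an email address or phone number."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Submission] = {}

    def issue(self, submission: Submission) -> str:
        digits = "".join(str(secrets.randbelow(10)) for _ in range(RECEIPT_DIGITS))
        self._by_hash[receipt_hash(digits)] = submission
        return format_like_phone_number(digits)

    def _open(self, user_input: str) -> Submission:
        digits = normalise_receipt(user_input)
        if len(digits) != RECEIPT_DIGITS:
            raise PermissionError("malformed receipt")
        submission = self._by_hash.get(receipt_hash(digits))
        if submission is None:
            raise PermissionError("unknown receipt")
        return submission

    def view_draft(self, receipt: str) -> str:
        """Verify step: the reporter reads the draft transcript back."""
        return self._open(receipt).transcript_draft

    def rectify(self, receipt: str, corrected: str) -> None:
        sub = self._open(receipt)
        if sub.status == "approved":
            raise ValueError("an approved transcript is immutable")
        sub.transcript_final = corrected
        sub.status = "rectified"

    def approve(self, receipt: str) -> str:
        sub = self._open(receipt)
        if sub.transcript_final is None:       # verified as-is, nothing to correct
            sub.transcript_final = sub.transcript_draft
        sub.status = "approved"
        return sub.status


if __name__ == "__main__":
    store = ReceiptStore()
    # Constructed STT draft with a plausible recognition error.
    code = store.issue(Submission("the invoice was aproved on 3 march"))
    print("show once to the reporter:", code)
    store.rectify(code, "the invoice was approved on 3 March")
    print(store.approve(code))
```

Because the server holds only the hash, a copy of its database does not yield usable receipts directly; the 16-digit space is still small enough that lookups need the usual rate limiting on the anonymous endpoint.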
Encrypting Whistleblower Reports: Receipts, SealedBox, SecretBox
A whistleblower report needs a complete encryption protocol, not a checkbox that says “AES-256”. A reference design that has converged across mature open-source whistleblowing platforms pairs three primitives in a way every serious system should recognise: a 16-digit random receipt code (stored on the server only as a SHA-256 hash, shaped like a phone number so the reporter can hide it among contacts), libsodium SealedBox (Curve25519 + XSalsa20 + Poly1305) to wrap a per-submission data key to each authorised recipient’s public key, and libsodium SecretBox (XSalsa20 + Poly1305) to encrypt the submission body and attachments under that data key. Each recipient’s Curve25519 private key sits on the server encrypted under a symmetric key derived from the recipient’s password via Argon2id tuned to 128 MB of memory and roughly one second of computation per login. As of April 2026, this is the protocol that production deployments serving anti-corruption activists, corporate compliance teams, and investigative newsrooms actually run.