Whistleblowing doesn't have to be complicated.

The whistleblowing law made simple. We guide you all the way & with our comprehensive offering you can have a full-fledged whistleblowing solution in no time.


Is this really the right way to work with the EU whistleblowing law?

Many people believe that email is simple and that advanced functionality is good. That's not always true. There is no need to spend more time on administration or to have more systems in an organization. A new way is needed. A golden mean.
Email is complicated for a whistleblowing solution
Email or Microsoft Forms aren't enough anymore when it comes to whistleblowing.
  • Unnecessary administration
  • Major security & compliance risks
  • Waste of valuable time & money

Too advanced system for whistleblowing
Whistleblowing doesn't have to be complicated, and advanced systems help no one.
  • High fees & start-up costs
  • More systems to administer
  • Unnecessary work & long processes

Get more time for other things. Be ready in 999 minutes.*
Nothing meaningful gets done in 5 minutes, but by eliminating unnecessary work and complexity, we have shortened the time it takes as far as possible.
*Estimated total time to comply with the EU Whistleblowing Directive with Visslan

Whistleblowing has never been easier.

We don't need more complicated systems to maintain or expensive lawyers to pay.

Visslan offers simplicity, clarity and efficiency with an intuitive and user-friendly whistleblower system, a whistleblower policy according to the EU Directive and, if desired, cost-efficient case management by lawyers.

EU Whistleblowing Directive compliant
  • EU Whistleblowing Directive
  • ISO 27001 hosting
  • According to ISO 37002
  • GDPR-secured

What our customers say.

Listen to our customers. They have experienced the simplicity.
"Visslan is a simple & flexible way to solve the new whistleblower law."
Tobias Bodlander, HR Manager Nordic, ASUS

"Communication with Visslan worked great and we felt that they were always quick to respond and focused on solving our challenge in the best way."
Maria Bjerner, HR Manager, Hemtex

"With a supplier who is experienced, knowledgeable and available, it is much easier to get a complete whistleblower solution in place than it may initially seem. In the end, the choice of Visslan as a supplier was quite simple for us."
Erik Ax, Legal Counsel, Stockholms Auktionsverk

"I want to encourage companies that do not already use a whistleblowing system to do so. It is so much easier and much more serious than coming up with your own solution."
Nicole Bellman, HR Manager, Stockholms Auktionsverk

"From the first contact to contract writing and onboarding of the system, Visslan has been a great help. We have received quick responses to calls and emails and the information we’ve received has always been clear."
Ebba Lindholm, HR Generalist, BRA

"Keep it to a flexible, smooth and GDPR-secured digital solution, which I feel Visslan delivers. It was one of the smoothest implementations we’ve done – don’t complicate it!"
Amanda Bitici Högberg, HR Manager, BRA

"The implementation was very simple and Visslan's solution feels safe considering that it is encrypted, penetration tested and completely anonymous."
Åsa Söderström, IT Manager, Eurocon

"We got started quickly and were guided through learning the platform to how we could launch the function internally. It was all very simple!"
Li Pamp, CEO, Stockholms Auktionsverk

"Visslan enabled us to provide the anonymity & security whistleblowers often need to feel comfortable springing into action when they witness wrongdoing."
James Davidson, President, FBI Integrity Project

These companies are already experiencing the simplicity, when will you?

We help companies on three continents in all industries and sizes, from the local staffing company to the world-leading computer manufacturer ASUS, multinational and listed companies and all the way to FBI agents and the Royal Court of Sweden.
  • Everything you need
  • No implementation fees
  • We help you all the way
Discover the new way - risk free
Get started for free

Got 60 seconds? Experience the simplicity:


Not sure if we are right for you?

We know your problems because we have been there ourselves. Whistleblowing should be simple; it shouldn't create headaches or be an administrative nightmare. Simple and efficient whistleblowing. No hassle.

FAQ.

The base for our system has been developed by the Italian organization Globaleaks. They have a high level of expertise within whistleblowing and their system is used by multiple EU authorities.

What does the whistleblower law say?

The EU Whistleblower Directive, often referred to as the whistleblower law, imposes a number of requirements on companies, including the establishment of whistleblowing channels for all companies with more than 50 employees. Strict confidentiality applies and there are requirements to be able to follow up with the whistleblower within certain time frames. As a company, you also need to inform, for example, about the channel, how to report and the whistleblower's rights and freedoms. Many companies choose to enable anonymous reporting, but this is not a legal requirement in itself.

Who receives the cases?

You decide for yourself who should be the case manager(s), but the case manager(s) should be independent and autonomous. This can be someone within your company, but also someone external, such as a lawyer or accountant. The case manager receives cases in the whistleblower system, follows up with the whistleblower and possibly appoints an investigation. In Visslan's system, you can receive cases internally, but also via one of our partners' external recipient functions.

Can you report anonymously? If so, how does follow-up work?

Through Visslan's whistleblower system, those who report can choose whether they want to be anonymous or confidential. If they choose to disclose their identity, only case managers (one or more designated by the company as independent) may access the information. The person who reports can always choose to remain anonymous at first and reveal their identity later instead.

The benefit compared to a mailbox or email function is that the whistleblower can remain anonymous while still being reachable for follow-up questions via the anonymous chat.

How can whistleblowers make reports via the system?

Visslan enables both written and verbal whistleblowing. Verbal reporting can be done, for example, by uploading an audio file as an attachment to the report. That follows the "best practices" that exist in whistleblowing and is preferable to reporting via a telephone hotline. According to the whistleblowing laws, whistleblowers should also be able to report by scheduling a physical meeting, which can for example be requested by submitting a report in Visslan's whistleblower system. For a physical meeting, we recommend that a report is still set up for the case so that documentation can be collected securely.

All this type of information is described in our standardized whistleblower policy. Most likely, written reporting will be most common.

How quickly can we access the whistleblower system?

With Standard, you get access to the platform immediately and can set up your system right away, while Enterprise customizations can take a couple of days to set up, depending on current workload. You get access to the whistleblower policy and other onboarding information immediately.

How is onboarding of the whistleblower system conducted?

We always offer an onboarding of the reporting channel with the person or persons who will be the case manager (others are also welcome to participate if desired), which usually takes about 30 minutes. You also get access to onboarding materials such as user manuals, FAQs, videos and more. In addition to this, we are personally available to answer any questions. Completely free of course!

Which languages are available?

Visslan has built-in support for many of the world's languages and the vast majority within the EU. Our team is constantly working to expand and improve our language library. Please contact us for an up-to-date list of available languages.

How is the dialogue between case manager and whistleblower handled?

The whistleblower is completely anonymous to both Visslan and you and instead he/she receives a code as a login to their case. Once logged in, the whistleblower can still be anonymous and chat with the case manager. All communication can thus be handled and documented via the platform in a legally compliant manner.

How does the whistleblower access the reporting channel?

You get a company-unique link, for example https://name.visslan-report.se/, which you give out to your employees. There, the whistleblower can easily make a whistleblower report.

Who can blow the whistle?

Everyone who has access to your company's unique reporting link can submit a report through the reporting channel.

Is there a limit to the number of cases we can get through the whistleblower function?

No, you can get an unlimited number of cases through Visslan. However, the system has a spam protection that can act as a limitation in special cases where spam is suspected.

What happens after the 14-day free trial?

After 14 days, your subscription according to the agreement begins. You will receive a reminder e-mail before the trial period expires and if you had forgotten to cancel the trial period, we are usually forgiving.

What are the payment terms after the trial period?

You are invoiced annually at the beginning of the subscription period. Invoices are due within 30 days.

What is the notice period?

Visslan has no notice period. You can cancel the subscription at any time, even during the trial period.

What do I do if I need customizations to the system?

Please contact us for any custom requirements.

Can Visslan guarantee system security?

No one can guarantee the security of a system. As we have seen recently, authorities as well as banks and other "secure" systems have proven to have shortcomings. Visslan works actively to prevent and remedy any deficiencies by following modern security standards while protecting the whistleblower's anonymity. An important part of our security work is the platform's continuous security audits and penetration tests.

If you are promised an impenetrable system, you are most probably being lied to.

What support are we entitled to?

We help you all the way, both with intuitive guides, instructions and videos, but also personally. If you are a customer of Visslan and need help, do not hesitate to contact us if you have questions, concerns or want any tips. We have seen most things and are happy to share our experiences or contacts.

For larger support matters requested by you that are not necessary for the use of the platform, such as adaptations of it, a small service fee is charged. Should this be the case, we always inform you about it in advance.

Who is behind Visslan?

The Swedish company The Whistle Compliance Solutions AB with organisational number 559327-2999 and VAT-number SE559327299901 is behind Visslan.

Who receives the whistleblowing cases?

Lawyers at one of our partners who specialize in whistleblowing, labor law, data protection and other relevant areas. They act as recipients in your Visslan whistleblower system. Our partners' offers may differ slightly, both in layout and price. You are completely free to choose which of our partners you want help from, but a conflict of interest review must first be carried out (see below).

Can we see the report ourselves?

Normally not, but you can request it if you want. We always create an account for you in the system, but without access to the cases that come in. The lawyers can then give you access to cases, for example if they are personnel matters or if you are to carry out an investigation internally.

What does conflict of interest review mean to us?

Our partners, such as law firms, are often bound by special rules, including reviewing clients for conflicts of interest before they can offer services to a new client. This is done to ensure that the lawyers can help you without ending up in a conflict situation themselves, for example against an existing client. The risk of the conflict of interest review resulting in services being declined is generally small. The conflict of interest review does not mean any work for you.

What do you really get with external handling of whistleblower cases?

Although this may differ slightly between our different partners, the basics are always the same. First and foremost, an unlimited number of cases are received by most of our partners (not all), where the lawyers make an initial assessment of whether the case is a whistleblowing matter or rather a personnel matter. If it is a whistleblowing matter, special processes are required by law, but if it is a personnel matter, it is in principle handed over directly to you.

Dialogue with the whistleblower for any initial follow-up questions and additional information is included in the fixed price. In addition, a recommendation is included about the next step, for example if an investigation should be made or if the case should be taken directly to the relevant authority.

Some of our partners have a scheme where you pay per case, but unless otherwise stated, that is not the case.

What is not included in the external case management?

The short answer is that further investigation of the case is not included. If you choose to hire the same lawyer that is the recipient also for the investigation of the case, it will be an hourly fee and you will get a custom proposal.

Do we have to hire the external recipient for investigation?

No, it is always up to you if you choose to hire this party for the potential investigation, another external party or if you choose to carry out the investigation yourself internally if a whistleblowing case should be received.

Are the conditions for the external reception function regulated through our agreement with Visslan?

No. Visslan is not responsible for the external reception function. However, we have great confidence that you will be well treated by all our partners and in normal cases you do not need to sign another agreement but the partner then sends an assignment confirmation to you.

We work closely with our partners to provide as seamless a workflow as possible.

How does the external reception function help us to follow the whistleblower law?

The external recipients are experts on the Whistleblower Act and will adhere strictly to the various rules, processes and time frames to ensure compliance with it. You will also receive a recommendation about the next step, and you will not have to worry about the recipient not being sufficiently independent and autonomous.

How can it be cheaper for us to outsource case management of whistleblower reports?

Many organizations lack internal competence in whistleblowing and investigation. In many cases, especially in smaller organizations, it can thus be more cost-effective to hire an external recipient than having to familiarize yourself with what is and is not a whistleblowing matter, how whistleblower reports should be processed, and so on, every time a new report is received.

You can thus save valuable working time by letting an experienced expert do the job instead.

Does Visslan receive a commission if we choose external case management?

Visslan will not receive compensation if you choose one of our partners as a case manager. We have organized the offer only because we see that it can be of great benefit to you.

How secure is my data?

With Visslan, your data is safe. Our whistleblower system is built by the Italian non-profit organisation Globaleaks, which has long experience of developing anti-corruption systems, so that whistleblowers can be sure the data reaches the case manager without anyone else being able to see it on the way. No system can truthfully promise to be impenetrable, but through penetration testing, encryption and modern security mechanisms you do not have to worry that your data is insecure with Visslan. Your data is sent and stored encrypted.

Where is the whistleblower system data stored?

Visslan's servers are based in Sweden. Your data is never transported outside the EU.

Which cloud service platform is used for the whistleblower system?

Visslan uses Amazon Web Services (AWS) for their high security standards and good capabilities to maintain the data within the EU, in accordance with Schrems II and GDPR. Our hosting is certified with, among other things, ISO 27001. Visslan has close contact with AWS regarding data protection in relation to, for example, Schrems II and has actively chosen not to participate in AWS AI programs, which could then have sent data temporarily to the US.

Visslan also has an agreement in place with AWS which gives us full control over the data. AWS does not copy data from the EU to the US.

Can Visslan see our whistleblower cases?

No, Visslan can never see your whistleblower cases. (The technical and contractual basis for this is described under "How is it guaranteed that the data is encrypted and that Visslan does not have access to the data?" below.)

How is my data encrypted?

The data is encrypted "End to End", both in transport and at rest. Visslan implements an encryption protocol specifically designed for anonymous whistleblowing applications.

The protocol has been developed and validated in collaboration with the Open Technology Fund to be user-friendly for whistleblowers while resisting attackers who have seized the backend and attempt so-called brute-force decryption.

Every report is encrypted and protects the questionnaire's responses, comments, attachments and metadata involved. The keys involved in the encryption are per user and per submission and only users to whom the data was sent can access the data.

What does the encryption workflow look like?

1. User chooses a personal secure password at the first login;
2. The system creates a personal user key pair and stores it symmetrically encrypted with a secret derived from the personal user password;
3. The whistleblower makes a report;
4. The system assigns personal access data to the whistleblower;
5. The system generates a symmetric key for encrypting the report, the attachments and comments and the metadata involved, and starts encrypting the data;
6. The system generates an asymmetric key pair and stores it symmetrically encrypted using a secret derived from the whistleblower's access data;
7. The system gives each recipient and whistleblower involved access to the report's symmetric encryption key by assigning each user an asymmetrically encrypted copy of the key;
8. Users continue to exchange information about the report by using their personal access information and unlocking their own personal asymmetric keys and symmetric keys for the opened report.

How is it guaranteed that the data is encrypted and that Visslan does not have access to the data?

Encryption keys are always encrypted at rest (when stored on disk) and are only decrypted in RAM when the whistleblower / receivers are logged in to the system. Visslan does not have an interface that can allow direct access to the encryption keys in any situation (at runtime or at rest).

Visslan, like every other web-based whistleblower system we know of that offers the necessary usability and a broad set of protections against leaking "forensic traces", cannot technically implement perfect end-to-end encryption from the whistleblower's terminal to the case manager's terminal. Instead it must treat the server as a trusted party that performs encryption and decryption on behalf of the system's users.

Such a function can only be offered when users can be made to install software, which we do not consider acceptable in a whistleblowing context, both for usability reasons and for security reasons (installed software leaves evidence on the user's device that a report was submitted, for example).

In the whistleblower system today, the administrator (we) can decide if we want to reset the case manager password to simply support users in the event of a password loss, which acts as a "key escrow" mechanism. This is usually accepted in commercial contexts where we must be able to do our utmost to ensure that no data is lost (even when the customer loses access to the data in the event of a forgotten password). In future system updates however, we plan to make it possible for the customer to specifically opt out of this option and at their own risk accept that data in the event of a password loss will be completely lost.

In any case, the system maintains an audit log and tracks actions to try to prevent as well as support the detection of abuses performed by administrators.

In other words, from a technical perspective, Visslan can have access to encryption keys and data (which, as described, becomes a requirement for a web-based application where Visslan cannot install anything locally, which would also have created other more serious risks). We therefore also refer to our customer agreement and the appendices DPA and Confidentiality Agreement, where it is clearly stated that we may not have access to your whistleblower cases or related data. Contact us for more information.

Can we get access to Visslan's Security Documentation?

Yes, you can. Please contact us if you would like to get access.

Is it a legal requirement to have a whistleblower policy?

The whistleblower policy is an important part of your whistleblower function, not least because you as an employer must provide easily accessible and clear information about your reporting channel, routines, how whistleblower matters should be reported, etc. There is thus no legal requirement to have a whistleblower policy as such, but that information fits best in a whistleblower policy, as it can easily become over 5 pages long.

What do we actually need to inform about?

Your whistleblower policy should include information not only about whistleblowers' rights and obligations (such as that reports must be made in the belief that they are true), but also your routines for handling whistleblower reports and how your employees can whistleblow. This includes descriptions of how to report orally or in writing, or how to book a physical meeting, as well as the routines for, for example, a physical meeting or oral report where the case manager should ask the whistleblower if he / she can record the conversation, and otherwise that the case manager has the right to document it in a lasting way.

What is included in Visslan's whistleblowing policy?

Amongst other things, it includes: Complete policy with instructions and alternative wording or additions, reporting routines, simplified versions of the whistleblower policy for, for example, launch, step-by-step guide, paths for external reporting, checklist before launch and so on.

Can we adapt the whistleblowing policy?

Yes, of course you can. We even encourage you to. You get the whistleblower policy as a Word document and can thus edit, change, add or delete parts.

The base for our system has been developed by the Italian organization Globaleaks. They have a high level of expertise within whistleblowing and their system is used by multiple EU-authorities.

What does the whistleblower law say?

The EU Whistleblower Directive, often referred to as the whistleblower law, and imposes a number of requirements on companies, including the establishment of whistleblowing channels for all companies with more than 50 employees. Strict confidentiality applies and there are requirements to be able to follow up with the whistleblower within certain time frames. As a company, you also need to inform, for example, about the channel, how to report and the whistleblower's rights and freedoms. Many companies choose to enable anonymous reporting, but this is not a legal requirement in itself.

Who receives the cases?

You decide for yourself who should be the case manager(s), but the case manager(s) should be independent and autonomous. This can be someone within your company, but also someone external, such as a lawyer or accountant. The case manager receives cases in the whistleblower system, follows up with the whistleblower and possibly appoints an investigation. In Visslan's system, you can receive cases internally, but also via one of our partners' external recipient functions.

Can you report anonymously? If so, how does follow-up work?

Through Visslan's whistleblower system, those who report can choose whether they want to be anonymous or confidential. If they choose to disclose their identity, only case managers (one or more designated by the company as independent) may access the information. The person who reports can always choose to remain anonymous at first and reveal their identity later instead.

The benefit compared to a mailbox or email function is that the whistleblower can be both anonymous and with the possibility of follow-up in the anonymous chat.

How can whistleblowers make reports via the system?

Visslan enables both written and verbal whistleblowing. Verbal can be done for example by uploading an audio file as an attachment to the report. That follows the "best practices" that exist in whistleblowing and is preferable to reporting via a telephone hotline. According to the whistleblowing laws, whistleblowers should also be able to report by scheduling a physical meeting, which can for example be asked for by submitting a report in Visslan's whistleblower system. At a physical meeting, we recommend that a report is still set up regarding the case where documentation can be collected securely.

All this type of information is described in our standardized whistleblower policy. Most likely, written reporting will be most common.

How quickly can we access the whistleblower system?

In the case of Standard, you get access to the platform directly and you can set up your system directly, while Enterprise customizations can take a couple of days to set up, subject to the risk of bottlenecks. You get access to the whistleblower policy and other onboarding information directly.

How is onboarding of the whistleblower system conducted?

We always offer an onboarding of the reporting channel with the person or persons who will be the case manager (others are also welcome to participate if desired), which usually takes about 30 minutes. You also get access to onboarding materials such as user manuals, FAQs, videos and more. In addition to this, we are personally available to answer any questions. Completely free of course!

Which languages are available?

Visslan has built-in support for many of the world's languages and the vast majority within the EU. Our team is constantly working to expand and improve our language library. Please contact us for an up-to-date list of available languages.

How is the dialogue between case manager and whistleblower handled?

The whistleblower is completely anonymous to both Visslan and you and instead he/she receives a code as a login to their case. Once logged in, the whistleblower can still be anonymous and chat with the case manager. All communication can thus be handled and documented via the platform in a legally compliant manner.

How does the whistleblower access the reporting channel?

You get a company-unique link, for example https://name.visslan-report.se/, which you give out to your employees. There, the whistleblower can easily make a whistleblower report.

Who can blow the whistle?

Everyone who has access to your company's unique reporting link can submit a report through the reporting channel.

Is there a limit to the number of cases we can get through the whistleblower function?

No, you can get an unlimited number of cases through Visslan. However, the system has a spam protection that can act as a limitation in special cases where spam is suspected.

Who receives the whistleblowing cases?

Lawyers with one of our partners who specialize in whistleblowing, labor law, data protection and other relevant areas. They act as receivers in your Visslan's whistleblower system. Our partners' offers may differ slightly, both in layout and price. You are completely free to choose which of our partners you want to get help from, but a peer review must first be carried out.

Can we see the report ourselves?

Normally, no, but you can wish to have it if you want. We always create an account for you in the system but without access to the cases that come in. The lawyers can then give you access to cases, for example if they are personnel matters or if you are to carry out an investigation internally.

What does conflict of interest review mean to us?

Our partners are often bound by special rules such as law firms, including reviewing clients for conflict of interests before they can offer services to a new client. This is done to ensure that the lawyers can help you without ending up in a conflict situation themselves, for example against an existing client. The risk of the conflict of interest review resulting in a declining of services is generally small. The conflict of interest review does not mean any work for you.

What do you really get with external handling of whistleblower cases?

Although this may differ slightly between our different partners, the basics are always the same. First and foremost, an unlimited number of cases are received by most of our partners (not all), where the lawyers make an initial assessment of whether the case may be a whistleblower or rather a personnel matter. In the event that it is a whistleblowing, special processes are required by law, but if it is a personnel matter, it is in principle handed over directly to you.

Dialogue with the whistleblower for any initial follow-up questions and additional information is included in the fixed price. In addition, a recommendation is included about the next step, for example if an investigation should be made or if the case should be taken directly to the relevant authority.

Some of our partners have a scheme where you pay per case, but unless otherwise stated, that is not the case.

What is not included in the external case management?

The short answer is that further investigation of the case is not included. If you choose to hire the same lawyer that is the recipient also for the investigation of the case, it will be an hourly fee and you will get a custom proposal.

Do we have to hire the external recipient for investigation?

No, it is always up to you if you choose to hire this party for the potential investigation, another external party or if you choose to carry out the investigation yourself internally if a whistleblowing case should be received.

Are the conditions for the external reception function regulated through our agreement with Visslan?

No. Visslan is not responsible for the external reception function. However, we have great confidence that you will be well treated by all our partners and in normal cases you do not need to sign another agreement but the partner then sends an assignment confirmation to you.

We work closely with our partners to provide such a seamless workflow as possible.

How does the external reception function help us to follow the whistleblower law?

The external recipients are experts on the Whistleblower Act and adhere strictly to the rules, processes and time frames needed to ensure compliance with it. You also receive a recommendation on the next step, and you need not worry about the recipient not being sufficiently independent and autonomous.

How can it be cheaper for us to outsource case management of whistleblower reports?

Many organizations lack in-house competence in whistleblowing and investigations. In many cases, especially in smaller organizations, it can therefore be more cost-effective to engage an external recipient than to have to work out, every time a new report is received, what counts as a whistleblowing report and what does not, how whistleblower reports should be processed, and so on.

You can thus save valuable working time by letting an experienced expert do the job instead.

Does Visslan receive a commission if we choose external case management?

Visslan will not receive compensation if you choose one of our partners as a case manager. We have organized the offer only because we see that it can be of great benefit to you.

Is it a legal requirement to have a whistleblower policy?

The whistleblower policy is an important part of your whistleblower function, not least because you as an employer must provide easily accessible and clear information about your reporting channel, your routines, how whistleblower matters should be reported, etc. There is thus no legal requirement to have a whistleblower policy as such, but that information is best placed in a whistleblower policy, since it can easily run to more than 5 pages.

What do we actually need to inform about?

Your whistleblower policy should include information not only about whistleblowers' rights and obligations (such as that reports must be made in the belief that they are true), but also about your routines for handling whistleblower reports and how your employees can blow the whistle. This includes descriptions of how to report orally or in writing, or how to book a physical meeting, as well as the routines for, for example, a physical meeting or oral report, where the case manager should ask the whistleblower whether the conversation may be recorded and otherwise has the right to document it in a durable form.

What is included in Visslan's whistleblowing policy?

Amongst other things, it includes: a complete policy with instructions and alternative wording or additions, reporting routines, simplified versions of the whistleblower policy (for example for the launch), a step-by-step guide, paths for external reporting, a checklist before launch, and so on.

Can we adapt the whistleblowing policy?

Yes, of course you can. We even encourage you to. You get the whistleblower policy as a Word document and can thus edit, change, add or delete parts.

How secure is my data?

With Visslan, your data is safe. Our whistleblower system is built on the platform of the Italian non-profit organisation GlobaLeaks, which has long experience of developing anti-corruption systems. The aim is that whistleblowers can be sure the data reaches the case manager without anyone else being able to see it on the way. No system can promise to be impenetrable (anyone who does is lying), but through penetration testing, encryption and modern security mechanisms you do not need to worry about your data not being secure with Visslan. Your data is sent and stored encrypted.

Where is the whistleblower system data stored?

Visslan's servers are based in Sweden. Your data is never transported outside the EU.

Which cloud service platform is used for the whistleblower system?

Visslan uses Amazon Web Services (AWS) for their high security standards and good capabilities to maintain the data within the EU, in accordance with Schrems II and GDPR. Our hosting is certified with, among other things, ISO 27001. Visslan has close contact with AWS regarding data protection in relation to, for example, Schrems II and has actively chosen not to participate in AWS AI programs, which could then have sent data temporarily to the US.

Visslan also has an agreement in place with AWS which gives us full control over the data. AWS does not copy data from the EU to the US.

Can Visslan see our whistleblower cases?

No, Visslan can never see your whistleblower cases.

How is my data encrypted?

The data is encrypted "End to End", both in transport and at rest. Visslan implements an encryption protocol specifically designed for anonymous whistleblowing applications.

The protocol has been developed and validated in collaboration with the Open Technology Fund to be user-friendly for whistleblowers while providing security against attackers who have seized the backend and attempt a so-called brute-force decryption.

Encryption is applied per report and protects the questionnaire responses, comments, attachments and associated metadata. The keys involved are per user and per submission, and only the users to whom the data was sent can access it.

What does the encryption workflow look like?

1. User chooses a personal secure password at the first login;
2. The system creates a personal user key pair and stores it asymmetrically encrypted with a secret derived from the personal user password;
3. The whistleblower makes a report;
4. The system assigns personal access data to the whistleblower;
5. The system generates a symmetric key for encrypting the report, the attachments and comments and the metadata involved, and starts encrypting the data;
6. The system generates an asymmetric key pair and stores it symmetrically encrypted using a secret derived from the whistleblower's access data;
7. The system gives each recipient and whistleblower involved access to the report's symmetric encryption key by assigning each user an asymmetrically encrypted copy of the key;
8. Users continue to exchange information about the report by using their personal access information and unlocking their own personal asymmetric keys and symmetric keys for the opened report.

How is it guaranteed that the data is encrypted and that Visslan does not have access to the data?

Encryption keys are always encrypted at rest (when stored on disk) and are only decrypted in RAM while the whistleblower or recipients are logged in to the system. Visslan has no interface that allows direct access to the encryption keys in any situation (at runtime or at rest).

Visslan, like every other web-based whistleblower system we know of (that offers the necessary usability together with a broad set of security measures protecting against leaks of "forensic traces"), cannot technically implement a perfect end-to-end encryption mechanism that encrypts data from the whistleblower's terminal to the case manager's terminal. It needs to use the server as a trusted party that performs encryption and decryption on behalf of the system's users.

Such a function is only possible when users can be made to install software, which we do not consider acceptable in a whistleblowing context, for usability reasons but also for security reasons (for example, installed software leaves evidence on the user's device that a report has been submitted).

In the whistleblower system today, the administrator (we) can choose to reset a case manager's password simply to support users in the event of a lost password, which acts as a "key escrow" mechanism. This is usually accepted in commercial contexts where we must be able to do our utmost to ensure that no data is lost (even when the customer loses access to the data through a forgotten password). In future system updates, however, we plan to make it possible for the customer to specifically opt out of this option and accept, at their own risk, that data will be completely lost in the event of a password loss.

In any case, the system maintains an audit log and tracks actions to try to prevent as well as support the detection of abuses performed by administrators.

In other words, from a technical perspective, Visslan can have access to encryption keys and data (which, as described, becomes a requirement for a web-based application where Visslan cannot install anything locally, which would also have created other more serious risks). We therefore also refer to our customer agreement and the appendices DPA and Confidentiality Agreement, where it is clearly stated that we may not have access to your whistleblower cases or related data. Contact us for more information.

Can we get access to Visslan's Security Documentation?

Yes, you can. Please contact us if you would like to get access.

What are the payment terms after the trial period?

You are invoiced annually at the beginning of the subscription period. The invoice has an expiration date after 30 days.

What is the notice period?

Visslan has no notice period. You can cancel the subscription at any time, even during the trial period.

What do I do if I need customizations to the system?

Please contact us for any custom requirements.

Can Visslan guarantee system security?

No one can guarantee the security of a system. As we have seen recently, authorities as well as banks and other "secure" systems have proven to have shortcomings. Visslan works actively to prevent and remedy any deficiencies by following modern security standards while protecting the whistleblower's anonymity. An important part of our security work is the platform's continuous security audits and penetration tests.

If you are promised an impenetrable system, you are most probably being lied to.

What support are we entitled to?

We help you all the way, both with intuitive guides, instructions and videos, but also personally. If you are a customer of Visslan and need help, do not hesitate to contact us if you have questions, concerns or want any tips. We have seen most things and are happy to share our experiences or contacts.

For larger support matters requested by you that are not necessary for using the platform, such as adaptations of it, a small service fee is charged. Should this be the case, we always inform you in advance.

Who is behind Visslan?

The Swedish company The Whistle Compliance Solutions AB with organisational number 559327-2999 and VAT-number SE559327299901 is behind Visslan.

The base of our system has been developed by the Italian organisation GlobaLeaks. They have a high level of expertise in whistleblowing and their system is used by several EU authorities.

What does the whistleblower law say?

The EU Whistleblower Directive, often referred to as the whistleblower law, imposes a number of requirements on companies, including the establishment of whistleblowing channels for all companies with more than 50 employees. Strict confidentiality applies, and there are requirements to be able to follow up with the whistleblower within certain time frames. As a company, you also need to inform, for example, about the channel, how to report, and the whistleblower's rights and freedoms. Many companies choose to enable anonymous reporting, but this is not a legal requirement in itself.

Who receives the cases?

You decide for yourself who should be the case manager(s), but the case manager(s) should be independent and autonomous. This can be someone within your company, but also someone external, such as a lawyer or accountant. The case manager receives cases in the whistleblower system, follows up with the whistleblower and possibly appoints an investigation. In Visslan's system, you can receive cases internally, but also via one of our partners' external recipient functions.

Can you report anonymously? If so, how does follow-up work?

Through Visslan's whistleblower system, those who report can choose whether they want to be anonymous or confidential. If they choose to disclose their identity, only case managers (one or more designated by the company as independent) may access the information. The person who reports can always choose to remain anonymous at first and reveal their identity later instead.

The benefit compared to a mailbox or email function is that the whistleblower can remain anonymous while follow-up is still possible through the anonymous chat.

How can whistleblowers make reports via the system?

Visslan enables both written and verbal whistleblowing. Verbal reporting can be done, for example, by uploading an audio file as an attachment to the report. This follows established best practice in whistleblowing and is preferable to reporting via a telephone hotline. According to the whistleblowing laws, whistleblowers should also be able to report by scheduling a physical meeting, which can for example be requested by submitting a report in Visslan's whistleblower system. For a physical meeting, we recommend that a report is still created in the system for the case, so that documentation can be collected securely.

All this type of information is described in our standardized whistleblower policy. Most likely, written reporting will be most common.

How quickly can we access the whistleblower system?

With Standard, you get access to the platform immediately and can set up your system straight away, while Enterprise customizations can take a couple of days to set up, subject to the risk of bottlenecks. You get access to the whistleblower policy and other onboarding information immediately.

How is onboarding of the whistleblower system conducted?

We always offer an onboarding of the reporting channel with the person or persons who will be the case manager (others are also welcome to participate if desired), which usually takes about 30 minutes. You also get access to onboarding materials such as user manuals, FAQs, videos and more. In addition to this, we are personally available to answer any questions. Completely free of course!

Which languages are available?

Visslan has built-in support for many of the world's languages and the vast majority within the EU. Our team is constantly working to expand and improve our language library. Please contact us for an up-to-date list of available languages.

How is the dialogue between case manager and whistleblower handled?

The whistleblower is completely anonymous to both Visslan and you; instead of an account, they receive a code to log in to their case. Once logged in, the whistleblower can remain anonymous and chat with the case manager. All communication can thus be handled and documented via the platform in a legally compliant manner.

How does the whistleblower access the reporting channel?

You get a company-unique link, for example https://name.visslan-report.se/, which you give out to your employees. There, the whistleblower can easily make a whistleblower report.

Who can blow the whistle?

Everyone who has access to your company's unique reporting link can submit a report through the reporting channel.

Is there a limit to the number of cases we can get through the whistleblower function?

No, you can get an unlimited number of cases through Visslan. However, the system has a spam protection that can act as a limitation in special cases where spam is suspected.

What happens after the 14-day trial period?

After 14 days, your subscription begins according to the agreement. You will receive a reminder e-mail before the trial period expires, and if you do not want to continue but still forget to cancel the trial, we are usually lenient.

What are the payment terms after the trial period?

You are invoiced annually at the start of the subscription period. The invoice is due after 30 days.

What is the notice period?

Visslan has no notice period. You can cancel the subscription at any time, even during the trial period.

What do we do if we need customisations to the system?

Visslan is flexible and can meet your needs. We offer add-on services such as advanced questionnaires, sub-channels (for corporate groups) and custom design. If you have further needs, just contact us.

Can Visslan guarantee the system's security?

No one can guarantee a system's security. As we have seen recently, authorities, banks and other "secure" systems have proven to have shortcomings. Visslan works actively to prevent and remedy any deficiencies by following modern security standards and advanced security mechanisms, while protecting the whistleblower's anonymity. An important part of our security work is the platform's continuous security audits and penetration tests.

What support is included with Visslan?

We help you all the way, both with intuitive guides and in person. You can reach our experts by both telephone and e-mail, with an average response time of under two hours.

If you are a customer of Visslan and need help, do not hesitate to contact us if you have questions or concerns, or want tips. We have seen most things and are happy to share our experiences or contacts.

For larger support matters requested by you that are not necessary for using the platform, such as larger adaptations or restructurings (for example if you want custom-built features), a small service fee is charged. Should this be the case, we always inform you in advance.

Who is behind Visslan?

Behind Visslan is The Whistle Compliance Solutions AB, organisation number 559327-2999. Visslan is owned by those of us who work at Visslan.

Who is the recipient of the whistleblower cases?

Lawyers at one of our partners who specialise in whistleblowing, employment law, data protection and other relevant areas. They then act as recipients in your Visslan whistleblower system. Our partners' offerings may differ slightly, both in setup and price. You are completely free to choose which of our partners you want help from, but a conflict-of-interest check must first be carried out.

Can we see the whistleblower reports ourselves?

Normally no, but you can request it if you wish. We always create an account for you in the system, but without access to the incoming cases. The lawyers can then give you access to cases, for example if they are personnel matters or if you are to carry out an investigation internally.

You are never left out of a case; sooner or later the case ends up with you regardless.

What does the conflict-of-interest check involve?

Some of our partners are bound by special rules as law firms, including checking for conflicts of interest before they can offer services to a new client. This is done to ensure that the lawyers can help you without themselves ending up in a conflict-of-interest situation where their independence could be adversely affected, for example towards an existing client. The risk that the check results in a negative answer is generally small. The conflict-of-interest check involves no work on your part.

What is included in external handling of whistleblower cases?

Although this may differ slightly between our partners, the basics are always the same. First and foremost, most of our partners include an unlimited number of incoming cases, and their lawyers make an initial assessment of whether a case is a whistleblowing matter or rather a personnel matter. If it is a whistleblowing matter, the law requires special processes; if it is a personnel matter, it is in principle handed over directly to you.

Dialogue with the whistleblower for any follow-up questions and additional information is included in the fixed price. A recommendation on the next step is also included, for example whether an investigation should be carried out or whether the case should be referred directly to the relevant authority.

Some of our partners have a scheme where you pay per case, but unless otherwise stated, an unlimited number of cases is included.

What is not included in external handling of whistleblower cases?

The short answer is that further investigation of the case is not included. If you choose to engage the same firm that acts as recipient for the investigation as well, it is charged at an hourly rate.

Do we have to engage the external recipient for the investigation of a whistleblower report?

No. It is always up to you whether you engage this party for the investigation, engage another external party, or carry out the investigation yourselves internally should a whistleblowing report come in.

Are the terms of the external reception function regulated through Visslan?

No. Visslan is not responsible for the external reception function. However, we are confident that you will be well treated by all our partners, and in normal cases you do not need to sign a separate agreement; the partner instead sends you an engagement confirmation.

We work closely with our partners to provide as seamless an experience for you as possible.

How does the external reception function help us comply with the whistleblower law?

The external recipients are experts on the whistleblower law and adhere strictly to the rules, processes and time frames needed to ensure compliance with it. You also receive a recommendation on the next step, and you need not worry about the recipient not being sufficiently independent and autonomous.

How can it be cheaper for us to outsource the handling of whistleblower reports?

Many organisations lack in-house competence in whistleblowing and investigations. In many cases, especially in smaller organisations, it can therefore be more cost-effective to engage an external recipient than to have to work out, every time a new report is received, what counts as a whistleblowing report and what does not, how whistleblower reports should be processed, and so on.

You can thus save valuable working time by letting an experienced expert do the job instead.

Does Visslan receive a commission if we choose external case handling?

Visslan receives no compensation if you choose one of our partners as case manager. We have organised the offer only because we see that it can be of great benefit to you.

How secure is my data in the whistleblower system?

With Visslan, your data is safe. The whistleblower system is built so that whistleblowers can be sure the data reaches the case manager without anyone else being able to see it on the way. No system can promise to be impenetrable (anyone who does is lying), but through penetration testing, encryption and modern security mechanisms you do not need to worry. Your data is sent and stored encrypted.

Where is the whistleblower system's data stored?

Visslan's servers are based in Sweden. Your data is never transported or stored outside the EU.

Which cloud service platform is used for the whistleblower system?

Visslan uses Amazon Web Services (AWS) because of their high security standards and good capabilities for keeping the data within the EU, in accordance with Schrems II and GDPR. Our hosting is certified with, among other things, ISO 27001. Visslan has continuous contact with AWS regarding data protection in relation to, for example, Schrems II, and has actively chosen not to participate in AWS AI programs, which could have sent data temporarily to the US.

Visslan also has an agreement in place with AWS that gives us full control over the data. AWS does not copy any data from the EU to the US.

Can Visslan see our whistleblower cases?

No. Visslan may never, and can never, see your whistleblower cases.

In what way is my data encrypted?

The data is encrypted "end to end", both in transit and at rest. Visslan implements an encryption protocol specifically designed for anonymous whistleblowing applications.

The protocol has been developed and validated in collaboration with the Open Technology Fund to be user-friendly for whistleblowers while providing security against attackers who have seized the backend and attempt a so-called brute-force decryption.

Encryption is applied per report and protects the questionnaire responses, comments, attachments and associated metadata. The keys involved are per user and per submission, and only the users to whom the data was sent can access it.

What does the encryption flow look like?

1. The user chooses a personal secure password at the first login;
2. The system creates a personal user key pair and stores it asymmetrically encrypted with a secret derived from the personal user password;
3. The whistleblower makes a report;
4. The system assigns personal access data to the whistleblower;
5. The system generates a symmetric key for encrypting the report, the attachments, the comments and the metadata involved, and starts encrypting the data;
6. The system generates an asymmetric key pair and stores it symmetrically encrypted using a secret derived from the whistleblower's access data;
7. The system gives each involved recipient and the whistleblower access to the report's symmetric encryption key by assigning each user an asymmetrically encrypted copy of the key;
8. Users continue to exchange information about the report by using their personal access data to unlock their own personal asymmetric keys and the symmetric keys of the opened report.

How is it guaranteed that the data is encrypted and that Visslan does not have access to the data?

Encryption keys are always encrypted at rest (when stored on disk) and are only decrypted in RAM while the whistleblower or recipients are logged in to the system. We have no interface that allows direct access to the encryption keys in any situation (at runtime or at rest).

Visslan, like every other web-based whistleblower system we know of (that offers the necessary usability together with a broad set of security measures protecting against leaks of "forensic traces"), cannot technically implement a perfect end-to-end encryption mechanism that encrypts data from the whistleblower's terminal to the case manager's terminal. It needs to use the server as a trusted party that performs encryption and decryption on behalf of the system's users.

Such a function is only possible when users can be made to install software, which we do not consider acceptable in a whistleblowing context, for usability reasons but also for security reasons (for example, installed software leaves evidence on the user's device that a report has been submitted).

In the whistleblower system today, the administrator (we) can choose to reset a case manager's password simply to support users in the event of a lost password, which acts as a "key escrow" mechanism. This is usually accepted in commercial contexts where we must be able to do our utmost to ensure that no data is lost (even when the customer loses access to the data through, for example, a forgotten password). In future system updates, however, we plan to make it possible for the customer to specifically opt out of this option and accept, at their own risk, that data will be completely lost in the event of a password loss.

In any case, the system maintains an audit log and tracks actions in order to prevent, and support the detection of, abuse performed by administrators.

In other words, from a technical perspective Visslan can have access to encryption keys and data (which, as described, is a requirement for a web-based application where Visslan cannot install anything locally, which would also have created other, more serious risks). We therefore also refer to our customer agreement and its appendices, the DPA and the Confidentiality Agreement. Contact us to obtain these documents.

Can we get access to Visslan's security documentation?

Yes, you can. Contact us to get access to it.

Is it a legal requirement to have a whistleblower policy?

The whistleblower policy is an important part of your whistleblower function, not least because you as an employer must provide easily accessible and clear information about your reporting channel, your routines, how whistleblower matters should be reported, etc. There is thus no legal requirement to have a whistleblower policy as such, but that information is best placed in a whistleblower policy, since it can easily run to more than 5 pages.

What must we as an employer actually inform about when it comes to whistleblowing?

Your whistleblower policy should include information not only about whistleblowers' rights and obligations (such as that reports must be made in the belief that they are true), but also about your routines for handling whistleblower reports and how your employees can blow the whistle. This includes descriptions of how to report orally or in writing, or how to book a physical meeting, as well as the routines for, for example, a physical meeting or oral report, where the case manager should ask the whistleblower whether the conversation may be recorded and otherwise has the right to document it in a durable form.

What is included in Visslan's whistleblower policy?

Amongst other things, it includes: a complete policy with instructions and alternative wording or additions, reporting routines, simplified versions of the whistleblower policy (for example for the launch), a step-by-step guide, paths for external reporting, a checklist before launch, and more.

Can we adapt the whistleblower policy?

Yes, of course you can. You get the whistleblower policy as a Word document and can thus edit, change, add or delete parts.