Encryption is one of the first things buyers ask about in whistleblowing software, and rightly so. Reports often contain allegations, supporting files, and details that should not circulate beyond the people handling the case.
But encryption is easy to oversimplify.
What encryption helps with
At a practical level, encryption helps protect data:
- in transit between the browser and the service
- at rest in storage systems
- during backup and infrastructure operations
That matters because sensitive case material should not be readable as plain text if lower-level systems are inspected or mishandled.
What encryption does not solve
Encryption does not fix weak permissions, poor workflow design, or careless operational habits. A system can encrypt data well and still create unnecessary exposure if:
- too many people can access a case
- anonymous follow-up reveals more than intended
- audit history is incomplete
- exports are uncontrolled
This is why security reviews should test the full handling path, not just a single storage claim.
The better buyer questions
Instead of asking only "is it encrypted?", ask:
- Which data is encrypted in storage?
- How is access scoped by organisation and role?
- Can anonymous reporters continue safely without creating an account?
- Are case actions recorded for later review?
- What operational providers support the service?
Those questions create a much clearer trust picture than a generic encryption badge.
What good looks like
Strong reporting platforms combine encryption with controlled access, auditable actions, and straightforward case workflows. That is what makes the system usable during real investigations, not just defensible in a checklist.
If your next step is policy and jurisdiction fit rather than infrastructure detail, read EU Whistleblowing Directive by Country.

