Key Concepts - Disclosurely Whistleblowing Platform
Master essential whistleblowing concepts including anonymous reporting, case workflows, encryption, compliance, and audit trails. Complete guide for effective compliance.
Key Concepts
Understanding these key concepts will help you get the most out of Disclosurely and implement an effective whistleblowing and compliance program.
Reports & Cases
What is a Report?
A report is a submission made through your organization's secure reporting channel. Reports can contain:
- Description of the incident or concern
- Date and time information
- Location or department details
- Witness information (optional)
- Supporting evidence and documents
- Category classification
Report Types
Disclosurely supports two types of reports:
Anonymous Reports
- No personal information collected
- Fully encrypted end-to-end
- Tracking ID provided for status checks
- Two-way messaging available while maintaining anonymity
- Cannot be traced back to the reporter
Confidential Reports
- Reporter identity known to organization
- Higher level of trust
- Easier follow-up communication
- Still encrypted and secure
- Identity protected from unauthorized access
Report Lifecycle
Reports move through a standard investigation lifecycle:
- New - Just submitted, awaiting review
- In Review - Initial assessment underway
- Investigating - Active investigation in progress
- Resolved - Investigation complete, resolution implemented
- Closed - Case closed with outcome documented
- Archived - Historical record, no longer active
Learn more about case status management.
Tracking IDs
Every report receives a unique tracking ID in the format DIS-XXXXXXXX. This tracking ID allows anonymous reporters to:
- Check the status of their report
- Receive updates and messages
- Provide additional information
- See resolution outcomes
Important: Tracking IDs should be kept secure by the reporter. Anyone with the tracking ID can access that report's status and messages.
Users & Roles
User Roles
Disclosurely uses role-based access control with four primary roles:
Admin
Full system access including:
- All reports and cases
- Team management (add/remove users)
- Organization settings
- Billing and subscription
- Custom domain configuration
- All compliance modules
- System configuration
Org Admin
Organization-level administration:
- View and manage all reports
- Team management (invite/remove team members)
- Organization settings
- Custom branding
- Compliance management
- Analytics and reporting
- Cannot modify billing
Case Handler
Day-to-day case management:
- View assigned reports
- Update report status
- Add case notes
- Send messages to whistleblowers
- Assign reports to team members
- Access analytics
- Cannot modify organization settings
Reviewer
Read-only access:
- View assigned reports
- Read messages and notes
- Access analytics
- Cannot modify cases or settings
- Useful for oversight roles or auditors
Team Invitations
Adding team members requires sending an invitation:
- Admin or Org Admin sends invitation by email
- Invitation includes unique token and expires in 7 days
- Recipient creates account using invitation link
- Role is automatically assigned upon account creation
Encryption & Security
Zero-Knowledge Architecture
Disclosurely is built on zero-knowledge security principles:
- Client-Side Encryption: All sensitive report content is encrypted in the user's browser before transmission
- Server Cannot Decrypt: Our servers never have access to encryption keys
- True Anonymity: We cannot read report content or identify reporters
- You Control Keys: Only users with proper access can decrypt reports
How Encryption Works
-
Report Submission:
- Reporter writes their report in the web form
- Content is encrypted in browser using AES-256
- Encrypted data is sent to our servers
- Encryption key is hashed and stored separately
-
Report Access:
- Authorized team member requests report
- System verifies permissions
- Encrypted content is sent to user's browser
- Decryption happens client-side
- Plaintext never stored on servers
-
Message Exchange:
- Each message is individually encrypted
- Encryption maintains anonymity
- Message threading preserved
- Full conversation history secured
Access Keys
Access keys are cryptographic keys that allow decryption of reports. When you:
- Submit a report: An access key is generated and stored with your tracking ID
- View a report as a case handler: Your permission grants temporary access to the encryption key
- Share a tracking ID: The holder can decrypt and view report contents
Compliance Management
Policies
Compliance Policies are formal documents governing organizational behavior:
- Policy Types: Data Privacy, HR, Financial, Security, Operational, Environmental, Legal, Ethics
- Version Control: Track policy changes over time
- Status Tracking: Draft, Under Review, Active, Archived
- Acknowledgment: Require employees to read and acknowledge
- Review Cycles: Set next review dates and reminders
- Ownership: Assign policy owners responsible for maintenance
Risks
Compliance Risks are identified threats to organizational compliance:
- Risk Assessment: Evaluate likelihood and impact
- Risk Scoring: Quantitative risk prioritization
- Mitigation Plans: Document risk mitigation strategies
- Status Tracking: Monitor mitigation progress
- Risk Owners: Assign responsibility for risk management
- Regular Review: Periodic reassessment of risks
Compliance Calendar
The Compliance Calendar tracks important deadlines and obligations:
- Event Types: Deadlines, Reviews, Audits, Certifications, Training
- Due Dates: Track upcoming and overdue obligations
- Status: Pending, Completed, Overdue
- Reminders: Automated notifications before due dates
- Ownership: Assign responsibility for completion
- Notes: Document completion details
GDPR & Data Rights
Data Subject Rights
Under GDPR, individuals have specific rights regarding their data:
Right of Access
- Users can request export of all their personal data
- Includes report content, messages, and profile information
- Provided in machine-readable format (JSON)
- Fulfilled within 30 days
Right to Erasure
- Users can request complete data deletion
- 24-hour safety period before deletion executes
- All associated data removed including reports and messages
- Cannot be undone after safety period
- Audit log entry created for compliance
Right to Rectification
- Users can update their personal information
- Profile data can be modified anytime
- Changes reflected immediately across platform
GDPR Request Types
Data Export Requests:
- Full Export: All user data
- Report Data: Just whistleblower reports
- Personal Data: Profile and account information
Data Erasure Requests:
- Full Erasure: Complete account and data deletion
- Anonymize Reports: Remove personal data but keep reports
- Delete Personal Data: Remove profile, keep anonymous reports
Automated GDPR Processing
Disclosurely automates GDPR compliance:
- Requests automatically queued for processing
- Safety periods prevent accidental deletion
- Notification emails sent at each stage
- Audit logs maintain compliance record
- Status dashboard for tracking requests
AI & Automation
AI Case Helper
The AI Case Helper is your intelligent assistant for case analysis:
- Case Summarization: Automatic summary generation from case details
- Insight Generation: AI identifies key issues and concerns
- Recommendation Engine: Suggests next steps and actions
- Pattern Recognition: Identifies similarities with other cases
- Risk Scoring: AI-powered risk assessment
- Document Analysis: Upload company documents for context
Pattern Detection
Pattern Detection automatically identifies:
- Recurring themes across multiple reports
- Common departments or locations mentioned
- Similar types of incidents
- Potential systemic issues
- Trends over time
- Correlation between cases
Patterns help organizations:
- Identify root causes
- Prevent future incidents
- Target training and education
- Measure effectiveness of interventions
AI Document Upload
Upload company documents to provide context:
- Policies and procedures
- Code of conduct
- Employee handbooks
- Previous investigation reports
- Training materials
- Regulatory guidance
AI uses these documents to:
- Understand organizational context
- Reference relevant policies
- Compare against previous cases
- Provide more accurate recommendations
Audit Trails & Accountability
Tamper-Evident Logs
All actions in Disclosurely are logged with:
- Timestamp: Exact time of action
- User: Who performed the action
- Action Type: What was done (create, update, delete, etc.)
- Resource: What was affected (report, message, policy, etc.)
- Details: Specific changes made
- IP Address: Location of action
- User Agent: Browser/device information
- Hash Chain: Cryptographic proof of integrity
Hash Chain Integrity
Audit logs use blockchain-like hash chaining:
- Each log entry is hashed
- Hash includes previous entry's hash
- Creates unbreakable chain
- Any modification breaks the chain
- Provides proof logs weren't tampered with
This ensures:
- Audit logs are trustworthy
- Compliance evidence is valid
- Investigations are defensible
- Regulatory requirements are met
Audit Log Uses
Organizations use audit logs for:
- Compliance Audits: Demonstrate compliance with regulations
- Security Investigations: Track security incidents
- Performance Review: Analyze response times and handling
- Process Improvement: Identify bottlenecks and inefficiencies
- Legal Defense: Provide evidence in legal proceedings
Custom Branding & Domains
Custom Branding
Customize your reporting portal to match your brand:
- Logo: Upload your organization's logo (max 2MB)
- Brand Color: Choose your primary brand color
- Organization Name: Display your organization name
- Custom Messaging: Personalize welcome and confirmation messages
Branding appears on:
- Public reporting form
- Email notifications
- Status lookup page
- Thank you pages
Custom Domains
Pro and Enterprise plans can use custom domains:
Benefits:
- Professional appearance (reports.yourcompany.com)
- Increased trust from employees
- Brand consistency
- SEO benefits
Setup Process:
- Add domain in dashboard
- Create CNAME record with your DNS provider
- Verify domain ownership
- SSL certificate automatically provisioned
- Domain goes live
Requirements:
- You must own the domain
- Access to DNS settings
- Pro or Enterprise subscription
Notifications & Alerts
Email Notifications
Configurable email notifications for:
- New Reports: Notify team when reports arrive
- Status Changes: Alert reporters of status updates
- New Messages: Notify of new messages in cases
- Assignment: Alert when assigned to a case
- Due Dates: Remind of upcoming compliance deadlines
- Policy Changes: Notify of new or updated policies
- GDPR Requests: Alert of data requests
Weekly Roundup
Automated weekly email with:
- New reports this week
- Status changes
- Pending assignments
- Upcoming deadlines
- Key metrics and statistics
Helps teams stay informed without constant monitoring.
In-App Notifications
Real-time in-app notifications for:
- New reports
- Messages
- Assignments
- Status changes
- System alerts
Best Practices
For Administrators
- Regular Review: Check platform weekly at minimum
- Prompt Response: Acknowledge reports within 24 hours
- Keep Updated: Maintain current policies and procedures
- Train Team: Ensure all users understand their roles
- Monitor Metrics: Track key performance indicators
- Audit Regularly: Review audit logs for compliance
For Case Handlers
- Document Everything: Add detailed case notes
- Communicate Clearly: Keep reporters informed of progress
- Follow Process: Adhere to established workflows
- Maintain Confidentiality: Never share case details inappropriately
- Use AI Tools: Leverage AI helper for insights
- Close Properly: Document resolution and outcomes
For Reporters
- Be Specific: Provide as much detail as possible
- Include Evidence: Attach relevant documents or files
- Save Tracking ID: Securely store your tracking ID
- Check Status: Monitor progress of your report
- Respond Promptly: Reply to questions from case handlers
- Stay Anonymous: Don't include identifying information if anonymous
Next Steps: