Security & Trust

Disclosurely is designed to protect sensitive reports with strong encryption, controlled access, secure backups, and privacy-conscious case handling.

AES-256-GCM Encryption

AES-256-GCM encryption protects all data in transit and at rest.

Access-Controlled Case Management

Only authorised case handlers in your organisation can view submitted reports, according to your role and permission settings.

GDPR-Conscious Design

Designed to support GDPR compliance obligations for handling sensitive personal data.

Comprehensive Security Features

Security designed to protect sensitive whistleblowing reports and the people who submit them.

AES-256-GCM Encryption

AES-256-GCM encryption is applied to data at rest and in transit.

Encrypted Access Controls

Only authorised users in your organisation with the correct permissions can view submitted reports.

Secure Transmission and Handling

Reports are encrypted in transit and handled within your organisation's controlled account environment.

Multi-Factor Authentication

Multi-factor authentication is available for administrator accounts to reduce the risk of unauthorised access.

Role-Based Access Control

Granular permissions help ensure only appropriate team members can access specific reports, with access events recorded.

Secure Cloud Infrastructure

Hosted on reputable cloud infrastructure with automated monitoring and encrypted backups.

Encrypted Backups

Automated encrypted backups are stored across multiple regions. Disaster recovery procedures are tested periodically.

Audit Logs

Audit logs record key case and access events and are designed to support detection of unauthorised changes.

GDPR and Regional Handling

Designed to support GDPR obligations. Regional data handling options are available where the platform supports them.

Security & Compliance Status

A clear view of current controls and ongoing certification work.

GDPR-conscious design and framework

Data handling designed around GDPR obligations to protect your employees.

In place

EU Whistleblowing Directive 2019/1937

Designed to support directive compliance requirements for eligible organisations.

In place

Certification programme in progress

Structured work to align our information security management with ISO 27001 expectations.

In progress

Audit and control framework in progress

Building security, confidentiality and evidence practices aligned with SOC 2-type expectations.

In progress

Data Protection Practices

How we collect, store, and protect sensitive data

Data collection

  • We minimise data collection to what is needed to operate the reporting and case workflow.
  • Anonymous submissions are supported where your configuration allows.
  • Optional contact details can be kept separate from report content where the product supports it.
  • Public reporting forms avoid unnecessary marketing or behavioural tracking.

Data storage

  • Data is encrypted at rest using AES-256-GCM.
  • Encryption keys are managed using cloud provider key management practices.
  • Backups are encrypted and stored with geographic redundancy.
  • Regional hosting options may be available depending on configuration and provider capabilities.

Data access

  • Role-based access controls limit who can view and manage reports.
  • Multi-factor authentication can be enforced for administrator access.
  • Access to sensitive actions is logged to support accountability.
  • Session policies help reduce the risk of unattended access.

Retention

  • Retention settings can be configured according to your organisation's policy.
  • Data can be deleted when retention periods expire, subject to legal and contractual requirements.
  • Deletion practices aim to remove data from active systems within reasonable timeframes.
  • Data subject requests are handled in line with applicable timelines under GDPR where they apply.

Secure infrastructure

Built on reputable cloud infrastructure with automated monitoring, failover handling, and encrypted backups.

  • Global delivery
    Content is served efficiently and securely from edge locations.
  • Encrypted backups
    Automated encrypted backups are stored across multiple geographic regions.
  • Network protections
    Cloud-provider protections help mitigate common volumetric and network-layer attacks.
  • Security testing
    We run periodic security reviews and penetration tests to identify and remediate issues.

Operational safeguards

  • Encryption in transit (TLS) and at rest (AES-256-GCM)
  • Least-privilege access controls for systems and operations
  • Automated encrypted backups across multiple regions
  • DDoS and other network-level protections provided by the hosting environment
  • Infrastructure monitoring and alerting
  • Periodic security reviews and penetration testing

Responsible disclosure

If you believe you have found a security issue, please contact us at security@disclosurely.com. We aim to acknowledge reports promptly and will provide updates as we investigate.

Security built for sensitive reporting

Learn how Disclosurely helps protect whistleblowing reports with secure case handling and privacy-first design.
