Whistleblowing Platform Documentation

Complete guide to understanding and using the whistleblowing platform

Overview

This whistleblowing platform is designed to provide a secure, anonymous way for individuals to report misconduct, violations, or ethical concerns within an organization. The platform prioritizes anonymity, security, and transparency throughout the reporting and investigation process.

Features for Whistleblowers

1. Anonymous Submission

Submit reports without any login or registration. The system automatically removes:

  • IP addresses and browser fingerprints
  • Device information
  • Metadata from uploaded files (EXIF, location data, etc.)
  • Personally identifiable information from text (emails, phone numbers, SSNs)
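An added example of the text-sanitization step, not the platform's own code: it redacts the three kinds of PII listed above (names and other free-text identifiers are not covered) while leaving the platform's reference codes and ISO dates readable. The patterns, the `[REDACTED-*]` tokens, the function name and the sample text are assumptions.

```javascript
// Added example (not the platform's code): redact e-mail addresses, US SSNs and
// phone numbers from report text. Patterns and [REDACTED-*] tokens are assumptions.

// Numeric-looking text that must survive: the platform's reference codes
// (XXXXXX assumed to be uppercase letters/digits) and ISO dates.
const KEEP = /\bWB-\d{4}-[A-Z0-9]{6}\b|\b\d{4}-\d{2}-\d{2}\b/;
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/;
const SSN = /\b\d{3}[- ]\d{2}[- ]\d{4}\b/;
// Loose on purpose: digits with common separators, optional "+" and "(".
const PHONE = /(?<![\w-])\+?\(?\d[\d\s().-]{5,}\d(?![\w-])/;

// One left-to-right scan. Alternatives are tried in order at each position, so a
// reference code is consumed whole before the phone pattern can start inside it.
const SCANNER = new RegExp(
  `(?<keep>${KEEP.source})|(?<email>${EMAIL.source})|` +
  `(?<ssn>${SSN.source})|(?<phone>${PHONE.source})`, 'g');

function redactPii(text) {
  const counts = { email: 0, ssn: 0, phone: 0 };
  const clean = text.replace(SCANNER, (match, ...rest) => {
    const groups = rest[rest.length - 1]; // named groups are the last argument
    if (groups.keep !== undefined) return match;
    const kind = Object.keys(counts).find((k) => groups[k] !== undefined);
    if (kind === 'phone') {
      // Lower bound only: short digit runs ("floors 1 2 3 4") are left alone,
      // but an over-long run is still redacted so the check never fails open.
      const digits = match.replace(/\D/g, '').length;
      if (digits < 7) return match;
    }
    counts[kind] += 1;
    return `[REDACTED-${kind.toUpperCase()}]`;
  });
  return { clean, counts };
}

// Constructed sample input.
const sample = 'Contact Jane at jane.doe@example.com or (555) 010-4477. ' +
  'Her SSN is 078-05-1120. See report WB-2024-123456 filed 2024-03-09.';
console.log(redactPii(sample).clean);
```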

2. Reference Code System

Upon submission, you receive a unique reference code (format: WB-YYYY-XXXXXX). This code allows you to:

  • Track your report status
  • View updates from investigators
  • Communicate securely without revealing identity
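Because the reference code is the only thing a reporter holds, it acts as a bearer secret. The following added example (not the platform's own code) generates and validates codes in the WB-YYYY-XXXXXX format from a CSPRNG. The 32-symbol alphabet and all function names are assumptions; the page does not specify what XXXXXX contains.

```javascript
// Added example (not the platform's code). Assumption: XXXXXX is six symbols
// from the 32-character alphabet below; function names are hypothetical.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// 24 letters + 8 digits; I, O, 0 and 1 are left out so a hand-copied code
// is not misread. The code cannot be recovered, so transcription errors matter.
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
const CODE_RE = /^WB-(\d{4})-([A-HJ-NP-Z2-9]{6})$/;

// Draw `count` symbols from a CSPRNG. Bytes >= limit are rejected so that
// `byte % alphabet.length` stays uniform for any alphabet size (no modulo bias).
function randomSymbols(count, alphabet = ALPHABET) {
  const limit = 256 - (256 % alphabet.length);
  let out = '';
  while (out.length < count) {
    for (const byte of webcrypto.getRandomValues(new Uint8Array(count * 2))) {
      if (byte < limit && out.length < count) out += alphabet[byte % alphabet.length];
    }
  }
  return out;
}

function newReferenceCode(now = new Date()) {
  return `WB-${now.getUTCFullYear()}-${randomSymbols(6)}`;
}

// Strict shape check before any database lookup; rejects lowercase,
// excluded characters and trailing data.
function isWellFormed(code) {
  return typeof code === 'string' && CODE_RE.test(code);
}

// The year is public, so only the suffix is secret: 32^6 = 2^30 values.
// Expected number of distinct guesses before one of `liveReports` codes is hit,
// which is the figure a lookup rate limit has to be sized against.
function expectedGuesses(liveReports) {
  return Math.ceil((ALPHABET.length ** 6 + 1) / (liveReports + 1));
}
```

With about a thousand open reports, `expectedGuesses(1000)` is a little over one million lookups, so per-client throttling of the status-check endpoint carries real weight under this assumed alphabet.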

3. Encrypted Communication

All messages between you and investigators are end-to-end encrypted using AES. No one can intercept or read your communications.

4. Report Categories

Available categories include:

  • Financial Misconduct
  • HR Issues
  • Compliance Violations
  • Harassment
  • Discrimination
  • Safety Concerns
  • Data Breach
  • Conflict of Interest
  • Other

Features for Administrators

1. Dashboard & Analytics

Real-time overview of all reports with:

  • Status breakdown (Open, Under Review, In Progress, Resolved, Closed)
  • Category distribution
  • Recent submissions
  • Quick access to pending reports

2. Case Management

Comprehensive tools for managing reports:

  • Update report status
  • Set priority levels (Low, Medium, High, Urgent)
  • Assign cases to investigators
  • Add tags for organization
  • View full report details and attachments

3. Secure Messaging

Communicate with whistleblowers while maintaining their anonymity. All messages are encrypted and cannot be traced back to the reporter.

4. Audit Trail

Every admin action is logged, including:

  • Login/logout events
  • Report views
  • Status changes
  • Case assignments
  • Messages sent
  • Data exports

5. Export Functionality

Export reports to CSV format for analysis, compliance reviews, or record-keeping. Exports respect current filters and include all relevant metadata.

6. Role-Based Access Control

Three user roles with different permissions:

  • Admin: Full access to all features and system settings
  • Investigator: Can view and manage assigned cases
  • Auditor: Read-only access for oversight and compliance

Security & Privacy Measures

Data Protection

  • PII Removal: Automatic sanitization of personally identifiable information
  • Metadata Stripping: All EXIF and location data removed from images
  • No IP Logging: IP addresses are never stored with reports
  • End-to-End Encryption: Messages encrypted at rest and in transit

Authentication Security

  • Bcrypt password hashing with salt rounds
  • JWT tokens with expiration
  • HTTP-only cookies, so session tokens cannot be read by client-side scripts (limits token theft via XSS)
  • Secure session management

Database Security

  • PostgreSQL with parameterized queries (SQL injection prevention)
  • Prisma ORM for type-safe database operations
  • No direct storage of decrypted messages
  • Foreign key constraints and data integrity checks

Best Practices & Recommendations

For Organizations

  • Display a clear privacy policy explaining anonymity guarantees
  • Regularly review and respond to reports in a timely manner
  • Train investigators on proper handling of sensitive information
  • Periodically audit the audit logs for suspicious activity
  • Keep the platform updated with security patches
  • Consider multi-factor authentication for admin accounts in production

For Whistleblowers

  • Save your reference code immediately - there's no way to recover it
  • Use the messaging system for follow-up questions instead of including identifiable details
  • Be as specific as possible in your report to help investigators
  • Check back regularly for updates using your reference code

Security Hardening for Production

  • Change default admin passwords immediately
  • Use strong, unique values for JWT_SECRET and ENCRYPTION_KEY
  • Enable HTTPS and HSTS headers
  • Configure rate limiting to prevent abuse
  • Set up regular database backups
  • Use environment-specific configurations
  • Monitor audit logs for suspicious activity

Support & Maintenance

Troubleshooting

Common issues and solutions:

  • Database connection errors: Check DATABASE_URL in .env
  • Authentication issues: Verify JWT_SECRET is set correctly
  • File upload failures: Ensure uploads/ directory exists and is writable
  • Encryption errors: Confirm ENCRYPTION_KEY is configured
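The hardening advice on JWT_SECRET and ENCRYPTION_KEY and the troubleshooting items above can be enforced in one startup check. This is an added example, not the platform's own code. It assumes ENCRYPTION_KEY is a hex-encoded 32-byte AES-256 key and JWT_SECRET is an opaque string; the thresholds, messages and function names are hypothetical.

```javascript
// Added example (not the platform's code). Assumptions: ENCRYPTION_KEY is a
// hex-encoded 32-byte AES-256 key and JWT_SECRET is an opaque string; the
// thresholds and function names are hypothetical.
const PLACEHOLDER = /change|secret|password|default|example|your[-_]/i;

function checkEnvironment(env) {
  const problems = [];
  const jwt = env.JWT_SECRET ?? '';
  const key = env.ENCRYPTION_KEY ?? '';

  if (!jwt) problems.push('JWT_SECRET is not set');
  else if (jwt.length < 32) problems.push('JWT_SECRET is shorter than 32 characters');
  else if (PLACEHOLDER.test(jwt)) problems.push('JWT_SECRET looks like a template placeholder');

  if (!key) problems.push('ENCRYPTION_KEY is not set');
  else if (!/^[0-9a-f]{64}$/i.test(key)) problems.push('ENCRYPTION_KEY is not 64 hex characters');
  else if (new Set(key.toLowerCase()).size < 8) problems.push('ENCRYPTION_KEY has too few distinct digits to be random');

  // One leaked value must not compromise both token signing and message encryption.
  if (jwt && jwt === key) problems.push('JWT_SECRET and ENCRYPTION_KEY must differ');

  try {
    const url = new URL(env.DATABASE_URL ?? '');
    if (!['postgres:', 'postgresql:'].includes(url.protocol)) {
      problems.push('DATABASE_URL is not a PostgreSQL URL');
    }
  } catch {
    problems.push('DATABASE_URL is missing or not a valid URL');
  }
  return problems;
}

// Fail closed: refuse to start rather than run with weak or missing secrets.
// Messages name the variable only and never echo its value into logs.
function assertEnvironment(env = process.env) {
  const problems = checkEnvironment(env);
  if (problems.length > 0) throw new Error(`Refusing to start:\n- ${problems.join('\n- ')}`);
}
```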

Database Maintenance

# Generate Prisma client after schema changes
npx prisma generate

# Create a new migration
npx prisma migrate dev --name migration_name

# Reset database (WARNING: deletes all data)
npx prisma migrate reset

# View database in Prisma Studio
npx prisma studio