The whistleblowing law made simple. We guide you all the way & with our comprehensive offering you can have a full-fledged whistleblowing solution in no time.
We don't need more complicated systems to maintain or expensive lawyers to pay.
Visslan offers simplicity, clarity and efficiency with an intuitive and user-friendly whistleblower system, a whistleblower policy according to the EU Directive and, if desired, cost-efficient case management by lawyers.
Visslan is a simple & flexible way to solve the new whistleblower law.
Communication with Visslan worked great and we felt that they were always quick to respond and focused on solving our challenge in the best way.
With a supplier who is experienced, knowledgeable and available, it is much easier to get a complete whistleblower solution in place than it may initially seem. In the end, the choice of Visslan as a supplier was quite simple for us.
I want to encourage companies that do not already use a whistleblowing system to do so. It is so much easier and much more serious than coming up with your own solution.
From the first contact to contract writing and onboarding of the system, Visslan has been a great help. We have received quick responses to calls and emails and the information we’ve received has always been clear.
Keep it to a flexible, smooth and GDPR-secured digital solution, which I feel Visslan delivers. It was one of the smoothest implementations we’ve done – don’t complicate it!
The implementation was very simple and Visslan's solution feels safe considering that it is encrypted, penetration tested and completely anonymous.
We got started quickly and were guided through learning the platform to how we could launch the function internally. It was all very simple!
Visslan enabled us to provide the anonymity & security whistleblowers often need to feel comfortable springing into action when they witness wrongdoing
We know your problems because we have been there ourselves. Whistleblowing should be simple, it shouldn't create headaches and be an administrative nightmare. Simple and efficient whistling. No hassle.
The base for our system has been developed by the Italian organization Globaleaks. They have a high level of expertise within whistleblowing and their system is used by multiple EU-authorities.
The whistleblower law often refers to the EU Whistleblower Directive and imposes a number of requirements on companies, including the establishment of whistleblowing channels for all companies with more than 50 employees. Strict confidentiality applies and there are requirements to be able to follow up with the whistleblower within certain time frames. As a company, you also need to inform, for example, about the channel, how to report and the whistleblower's rights and freedoms. Many companies choose to enable anonymous reporting, but this is not a legal requirement in itself.
You decide for yourself who should be the case manager(s), but the case manager(s) should be independent and autonomous. This can be someone within your company, but also someone external, such as a lawyer or accountant. The case manager receives cases in the whistleblower system, follows up with the whistleblower and possibly appoints an investigation. In Visslan's system, you can receive cases internally, but also via one of our partners' external recipient functions.
Through Visslan's whistleblower system, those who report can choose whether they want to be anonymous or confidential. If they choose to disclose their identity, only case managers (one or more designated by the company as independent) may access the information. The person who reports can always choose to remain anonymous at first and reveal their identity later instead.
The benefit compared to a mailbox or email function is that the whistleblower can be both anonymous and with the possibility of follow-up in the anonymous chat.
Visslan enables both written and verbal whistleblowing. Verbal can be done for example by uploading an audio file as an attachment to the report. That follows the "best practices" that exist in whistleblowing and is preferable to reporting via a telephone hotline. According to the whistleblowing laws, whistleblowers should also be able to report by scheduling a physical meeting, which can for example be asked for by submitting a report in Visslan's whistleblower system. At a physical meeting, we recommend that a report is still set up regarding the case where documentation can be collected securely.
All this type of information is described in our standardized whistleblower policy. Most likely, written reporting will be most common.
In the case of Standard, you get access to the platform directly and you can set up your system directly with a 14-day free trial period, while Enterprise customizations can take a couple of days to set up, subject to the risk of bottlenecks. You get access to the whistleblower policy and other onboarding information directly.
We always offer an onboarding of the reporting channel with the person or persons who will be the case manager (others are also welcome to participate if desired), which usually takes about 30 minutes. You also get access to onboarding materials such as user manuals, FAQs, videos and more. In addition to this, we are personally available to answer any questions. Completely free of course!
Visslan has built-in support for many of the world's languages and the vast majority within the EU. Our team is constantly working to expand and improve our language library.
The whistleblower is completely anonymous to both Visslan and you and instead he/she receives a code as a login to their case. Once logged in, the whistleblower can still be anonymous and chat with the case manager. All communication can thus be handled and documented via the platform in a legally compliant manner.
You get a company-unique link, for example https://name.visslan-report.se/, which you give out to your employees. There, the whistleblower can easily make a whistleblower report.
Everyone who has access to your company's unique reporting link can submit a report through the reporting channel.
No, you can get an unlimited number of cases through Visslan. However, the system has a spam protection that can act as a limitation in special cases where spam is suspected.
For most organizations, Standard is sufficient. There, you get everything you need for smooth and efficient reporting, handling and investigation. We recommend Enterprise for multinational organizations or for groups where one of the companies has more than 250 employees, since you may need more advanced functionality such as more and customized questionnaires, advanced case allocation and so on.
After 14 days, your subscription according to the agreement begins. You will receive a reminder e-mail before the trial period expires and if you had forgotten to cancel the trial period, we are usually forgiving.
You are invoiced annually at the beginning of the subscription period. The invoice has an expiration date after 30 days.
Visslan has no notice period. You can cancel the subscription at any time, even during the trial period.
Enterprise functionality can not be tried or tested via the website. You will need to contact us.
No one can guarantee the security of a system. As we have seen recently, authorities as well as banks and other "secure" systems have proven to have shortcomings. Visslan works actively to prevent and remedy any deficiencies by following modern safety standards while protecting the whistleblower's anonymity. An important part of our security work is the platform's continuous security audits and penetration tests.
If you are promised an impenetrable system, you are most probably being lied to.
We help you all the way, both with intuitive guides, instructions and videos, but also personally. If you are a customer of Visslan and need help, do not hesitate to contact us if you have questions, concerns or want any tips. We have seen most things and are happy to share our experiences or contacts.
For larger support matters at your request and which are not necessary for the use of the platform, such as adaptations of it, a small service fee is charged. Should this be the case, we always inform about this in advance
The Swedish company The Whistle Compliance Solutions AB with organisational number 559327-2999 and VAT-number SE559327299901 is behind Visslan.
Lawyers with one of our partners who specialize in whistleblowing, labor law, data protection and other relevant areas. They act as receivers in your Visslan's whistleblower system. Our partners' offers may differ slightly, both in layout and price. You are completely free to choose which of our partners you want to get help from, but a peer review must first be carried out.
Normally, no, but you can wish to have it if you want. We always create an account for you in the system but without access to the cases that come in. The lawyers can then give you access to cases, for example if they are personnel matters or if you are to carry out an investigation internally.
Our partners are often bound by special rules such as law firms, including reviewing clients for conflict of interests before they can offer services to a new client. This is done to ensure that the lawyers can help you without ending up in a conflict situation themselves, for example against an existing client. The risk of the conflict of interest review resulting in a declining of services is generally small. The conflict of interest review does not mean any work for you.
Although this may differ slightly between our different partners, the basics are always the same. First and foremost, an unlimited number of cases are received by most of our partners (not all), where the lawyers make an initial assessment of whether the case may be a whistleblower or rather a personnel matter. In the event that it is a whistleblowing, special processes are required by law, but if it is a personnel matter, it is in principle handed over directly to you.
Dialogue with the whistleblower for any initial follow-up questions and additional information is included in the fixed price. In addition, a recommendation is included about the next step, for example if an investigation should be made or if the case should be taken directly to the relevant authority.
Some of our partners have a scheme where you pay per case, but unless otherwise stated, that is not the case.
The short answer is that further investigation of the case is not included. If you choose to hire the same lawyer that is the recipient also for the investigation of the case, it will be an hourly fee and you will get a custom proposal.
No, it is always up to you if you choose to hire this party for the potential investigation, another external party or if you choose to carry out the investigation yourself internally if a whistleblowing case should be received.
No. Visslan is not responsible for the external reception function. However, we have great confidence that you will be well treated by all our partners and in normal cases you do not need to sign another agreement but the partner then sends an assignment confirmation to you.
We work closely with our partners to provide such a seamless workflow as possible.
The external recipients are experts on the Whistleblower Act and will adhere strictly to various rules, processes and time frames to ensure compliance with the Whistleblower Act. You will also receive a recommendation about the next step, and that you will not have to worry about the recipient not being sufficiently independent and autonomous.
Many organizations lack the competence for whistleblowing and investigation internally. In many cases, especially in smaller organizations, it can thus be more cost-effective to hire an external recipient than having to familiarize yourself with what is a whistleblower and not, how whistleblower reports should be processed and so on every time a new notification is received.
You can thus save valuable working time by letting an experienced expert do the job instead.
Visslan will not receive compensation if you choose one of our partners as a case manager. We have organized the offer only because we see that it can be of great benefit to you.
With Visslan, your data is safe. Our whistleblower system is built by the Italian non-profit organisation, Globaleaks, with long experience from delevoping anti-corruption systems. This is so that whistleblowers can be sure that the data reaches the case manager without anyone else being able to see it on the way. No system can promise that it is impenetrable, in which case they are lying, but through penetration testing, encryption and modern security mechanisms, you do not have to worry that your data might not be secure with Visslan. Your data is sent and stored encrypted.
Visslan's servers are based in Sweden. Your data is never transported outside the EU.
Visslan uses AWS (Amazon Web Services) for their high security standards and good capabilities to maintain the data within the EU, in accordance with Schrems II and GDPR. Our hosting is certified with, among other things, ISO 27001. Visslan has close contact with AWS regarding data protection in relation to, for example, Schrems II and has actively chosen not to participate in AWS AI programs, which could then have sent data temporarily to the US.
Visslan also has an agreement in place with AWS which gives us full control over the data. AWS does not copy data from the EU to the US.
No, Visslan can never see your whistleblower cases.
The data is encrypted "End to End", both in transport and at rest. Visslan implements an encryption protocol specifically designed for anonymous whistleblowing applications.
The protocol has been developed and validated in collaboration with the Open Technology Fund to be user-friendly for whistleblowers with security from attackers who could have seized the backend and attempted a so-called brute-force decryption.
Every report is encrypted and protects the questionnaire's responses, comments, attachments and metadata involved. The keys involved in the encryption are per user and per submission and only users to whom the data was sent can access the data.
1. User chooses a personal secure password at the first login;
2. The system creates a personal user key pair and stores it asymmetrically encrypted with a secret derived from the personal user password;
3. The whistleblower makes a report;
4. The system assigns personal access data to the whistleblower;
5. The system generates a symmetric key for encrypting the report, the attachments and comments and the metadata involved, and starts encrypting the data;
6. The system generates an asymmetric key pair and stores it symmetrically encrypted using a secret derived from the whistleblower's access data;
7. The system gives each recipient and whistleblower involved access to the report's symmetric encryption key by assigning each user an asymmetrically encrypted copy of the key;
8. Users continue to exchange information about the report by using their personal access information and unlocking their own personal asymmetric keys and symmetric keys for the opened report.
Encryption keys are always encrypted at rest (when stored on disk) and are only decrypted in RAM when the whistleblower / receivers are logged in to the system. Visslan does not have an interface that can allow direct access to the encryption keys in any situation (at runtime or at rest).
Visslan, like all other web-based whistleblower systems as far as we know (and which offers the necessary usability and a wide range of security measures related to protection against leaks of "forensic traces") can not technically implement a perfect end-to-end encryption mechanism that encrypts data from the whistleblower terminal to the case manager's terminal, but it needs to use the server as a reliable party that performs encryption and decryption on behalf of the system's users.
Such a function is only offered when it is possible to get users to install a software, which we do not consider acceptable in a whistleblowing context, both for usability but also for security reasons (for example when proof is submitted for submission of a report on the user's device).
In the whistleblower system today, the administrator (we) can decide if we want to reset the case manager password to simply support users in the event of a password loss, which acts as a "key escrow" mechanism. This is usually accepted in commercial contexts where we must be able to do our utmost to ensure that no data is lost (even when the customer loses access to the data in the event of a forgotten password). In future system updates however, we plan to make it possible for the customer to specifically opt out of this option and at their own risk accept that data in the event of a password loss will be completely lost.
In any case, the system maintains an audit log and tracks actions to try to prevent as well as support the detection of abuses performed by administrators.
In other words, from a technical perspective, Visslan can have access to encryption keys and data (which, as described, becomes a requirement for a web-based application where Visslan cannot install anything locally, which would also have created other more serious risks). We therefore also refer to our customer agreement and the appendices DPA and Confidentiality Agreement, where it is clearly stated that we may not have access to your whistleblower cases or related data.
Yes, you can. Please contact us if you would like to get access.
The whistleblower policy is an important part of your whistleblower function, not least because you as an employer must provide easily accessible and clear information about your reporting channel, routines, how whistleblower matters should be reported, etc. The legal requirement thus does not apply to having a whistleblower policy in itself, but that information fits best in a whistleblower policy as it can easily become over 5 pages long.
Your whistleblower policy should include information not only about whistleblowers' rights and obligations (such as that reports must be made in the belief that they are true), but also your routines for handling whistleblower reports and how your employees can whistleblow. This includes descriptions of how to report orally or in writing, or how to book a physical meeting, as well as the routines for, for example, a physical meeting or oral report where the case manager should ask the whistleblower if he / she can record the conversation, and otherwise that the case manager has the right to document it in a lasting way.
Amongst other things, it includes: Complete policy with instructions and alternative wording or additions, reporting routines, simplified versions of the whistleblower policy for, for example, launch, step-by-step guide, paths for external reporting, checklist before launch and so on.
Yes, of course you can. We even encourage you to. You get the whistleblower policy as a Word document and can thus edit, change, add or delete parts.