Security

Whistler is built to protect whistleblowers and ensure reports remain strictly confidential.

Encryption in transit

All data is transmitted over HTTPS using TLS 1.2 or higher. This protects sensitive information during transmission between a user's device and our servers.

Encryption at rest

All data stored on our servers is protected using AES-256 encryption. Whistleblower reports receive an additional layer of encryption, with a unique key assigned to each report.

Even if our storage systems were compromised, report content would remain unreadable without the specific decryption key.

One-time decryption keys

Each report can only be accessed using a one-time decryption key sent to Authorised Persons. These keys are never stored on our servers and are inaccessible to Whistler staff — including developers and administrators.

This ensures that only explicitly authorised individuals can access reports, safeguarding whistleblower privacy at all times.
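The storage model described under "Encryption at rest" and "One-time decryption keys", as an added sketch that is not Whistler's own code: each report gets a fresh 256-bit key, the server record holds only nonce and ciphertext, and the key is handed back for delivery. The GCM mode, the report ID used as associated data, and the names `StoredReport`, `SealReport` and `OpenReport` are assumptions; key delivery and one-time use are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

type StoredReport struct { // everything the server keeps: no key material
	ID                string
	Nonce, Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReport encrypts under a fresh per-report key and returns that key for delivery.
func SealReport(id string, plaintext []byte) (StoredReport, []byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // 12 bytes: standard GCM nonce
	for _, b := range [][]byte{key, nonce} {
		if _, err := rand.Read(b); err != nil {
			return StoredReport{}, nil, err
		}
	}
	aead, err := newAEAD(key)
	if err != nil {
		return StoredReport{}, nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id)) // ID bound as associated data
	return StoredReport{id, nonce, ct}, key, nil
}

func OpenReport(r StoredReport, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID)) // errors on wrong key or altered record
}

func main() {
	r, key, _ := SealReport("r-1", []byte("constructed sample"))
	pt, err := OpenReport(r, key)
	println(string(pt), err == nil)
}
```

Because the key never enters `StoredReport`, a copy of the stored records alone cannot be opened, and a record whose ID or ciphertext has been changed fails authentication instead of decrypting to altered text.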

Secure infrastructure

Whistler is hosted on a modern cloud provider running on AWS infrastructure. This ensures strong physical and network security, including ISO 27001 and SOC 2 certified data centers.

We also apply hardening measures at the application level: secure deployments, regular updates, firewall protection, and strict access control to production systems.
