Security

Whistler is built to protect whistleblowers and ensure reports remain strictly confidential.

Encryption in transit

All connections to Whistler are encrypted using HTTPS. We enforce strict transport security to ensure that your browser always connects over an encrypted channel, protecting data as it travels between your device and our servers.

Encryption at rest

Whistleblower report data is encrypted at the application level using industry-standard encryption. Each field within a report is encrypted individually, providing granular protection for all sensitive content, contact details, and file attachments.

Even in the unlikely event of unauthorised access to our database, report content would remain unreadable without the correct passkey.

Passkey-protected reports

Encrypted reports can only be decrypted using a passkey that is managed by your organisation. Whistler staff — including developers and administrators — cannot access your report content.

Access within your organisation is controlled through defined roles. Only users who have been explicitly authorised by your Primary Account Holder can view and manage reports.

Authentication and account security

Whistler enforces strong password requirements and stores passwords using an industry-standard one-way hashing algorithm. Passwords are never stored in plain text and cannot be retrieved — even by us.

Accounts are automatically locked after repeated failed login attempts, and sessions expire after a period of inactivity. We also detect and invalidate sessions that show signs of being compromised.
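The two controls described above (one-way password hashing that never stores plaintext, and lockout after repeated failures plus idle-session expiry) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Whistler's own code: it uses Python's standard library scrypt for the one-way hash, a constant-time comparison for verification, a constructed lockout threshold of 5 attempts and an idle timeout of 15 minutes. Those two numbers, and the Account and Session structures, are assumptions chosen for the example; the page does not state Whistler's actual values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy values for this example (not Whistler's real settings).
MAX_FAILED_ATTEMPTS = 5
SESSION_IDLE_TIMEOUT = 15 * 60  # seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way hash: a random per-user salt plus scrypt. The plaintext is
    never stored and cannot be recovered from the returned string."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Account:
    password_hash: str
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, password: str) -> Tuple[bool, str]:
    """Returns (success, reason). A locked account rejects even the correct
    password, so the lock has to be cleared by a separate, audited process."""
    if account.locked:
        return False, "locked"
    if verify_password(password, account.password_hash):
        account.failed_attempts = 0  # a good login resets the counter
        return True, "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return False, "locked"
    return False, "invalid"


@dataclass
class Session:
    token: str
    last_seen: float


def create_session(now: float) -> Session:
    # 256-bit random token; never derived from user data.
    return Session(token=secrets.token_urlsafe(32), last_seen=now)


def session_is_valid(session: Session, now: float) -> bool:
    """Expire on inactivity; a valid request refreshes the idle clock."""
    if now - session.last_seen > SESSION_IDLE_TIMEOUT:
        return False
    session.last_seen = now
    return True


if __name__ == "__main__":
    acct = Account(password_hash=hash_password("correct horse battery"))
    print(attempt_login(acct, "wrong"))                  # (False, 'invalid')
    print(attempt_login(acct, "correct horse battery"))  # (True, 'ok')
```

Note that the lockout counter is only reset by a successful login; the page's "signs of being compromised" session checks (for example a sudden change of client fingerprint) would sit on top of the idle check in session_is_valid and are not modelled here.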

Application security

Whistler employs multiple layers of protection against common web-based attacks. This includes cross-site request forgery protection, strict content security policies, input validation and sanitisation, and comprehensive rate limiting to guard against abuse.

All user-uploaded files are validated for type and size before being accepted and encrypted.
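The upload check described in the previous sentence is easy to get wrong if it trusts the filename extension alone. The following added example (written for this page, not Whistler's code) shows the shape a defender wants: enforce a size ceiling, identify the content by its leading bytes, and only then require that the declared extension agrees with what was actually detected. The 10 MiB limit, the three accepted formats and their signatures are assumptions for the example; the page does not list Whistler's actual limits or allowed types.

```python
import os
from typing import Dict, List, Optional, Tuple

# Constructed policy for this example (not Whistler's real settings).
MAX_UPLOAD_BYTES = 10 * 1024 * 1024

# Leading-byte signatures for the accepted types.
SIGNATURES: Dict[str, List[bytes]] = {
    "application/pdf": [b"%PDF-"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
}

# Extensions that are allowed to carry each detected type.
EXTENSIONS: Dict[str, List[str]] = {
    "application/pdf": [".pdf"],
    "image/png": [".png"],
    "image/jpeg": [".jpg", ".jpeg"],
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the content type from its leading bytes, ignoring the name."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Returns (accepted, detail). detail is the detected MIME type on
    success, or the rejection reason. Only accepted files should go on to
    be encrypted and stored."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    detected = sniff_type(data)
    if detected is None:
        return False, "unsupported or unrecognised content"
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in EXTENSIONS[detected]:
        # A renamed file (e.g. an executable called "scan.png") fails here.
        return False, "extension does not match detected content"
    return True, detected


# Constructed sample inputs: a minimal PDF header and a PNG header.
SAMPLE_PDF = b"%PDF-1.7\n%constructed sample, not a real document\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    print(validate_upload("evidence.pdf", SAMPLE_PDF))    # (True, 'application/pdf')
    print(validate_upload("notes.png", b"just text"))     # (False, 'unsupported or unrecognised content')
```

Size is checked before any parsing so an oversized body is refused cheaply, and the extension is checked last because it is the one property an uploader fully controls.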

Secure infrastructure

Whistler is hosted on Render, a cloud platform that runs on infrastructure with SOC 2 Type II certification. All database connections are encrypted, and access to production systems is strictly restricted.

Data handling and deletion

When reports are deleted, all encrypted content and attached files are permanently removed. When user accounts are deleted, personal information is anonymised. All deletions are recorded in an audit trail for accountability.

For more detail on how we handle your data, please see our Privacy Policy.

Responsible disclosure

If you believe you have found a security vulnerability in Whistler, please report it to us at security@whistlr.app. We take all reports seriously and will respond promptly.

Still have questions?

Please get in touch — we'd be happy to help.