

📕 User guide

What is Whistle Willow and how can it help us?

Whistle Willow is a unique whistleblowing solution. It offers an unprecedented deployment speed and can be live within 5 minutes.

To achieve this, Whistle Willow uses Atlassian Jira, JSM or Confluence for managing submissions and storing the report data. This lets it rely on Atlassian user management, security, and storage, and ensures that sensitive data does not leave the company.

Whistle Willow also provides a public interface for submitting anonymous and protected tips from anywhere in the world - as a dedicated portal or via your company’s JSM.

Is Whistle Willow a good fit for our organization?

Yes, if you already use Jira, JSM, or Confluence Cloud. You get a fully functional whistleblowing program integrated into Jira or Confluence, built on top of the security and stability of Atlassian products.

What are the main features?

  • Unique ease of deployment and use while featuring a well-versed whistleblowing program

  • Public submissions - whistleblowers do not need a license for Jira or Confluence to submit their tips. Public submissions can be done via JSM or through a dedicated external Portal hosted in EU or US.

  • Private submissions - those with access to the company’s Jira or Confluence can easily submit anonymous and protected tips via these products.

  • Admin dashboard and analytics - admins can manage reports, update statuses and communicate with reporters via the control panel integrated into Jira or Confluence.

  • Encrypted reports - at rest and in transit

    • This includes asymmetric encryption of public submissions. This means only the organization that the report is intended for can read it.

  • Simple cost model that depends on the number of Jira or Confluence users (which essentially reflects the org size). No hidden charges or extras.

Installation and initial configuration

  1. Install WW via the Atlassian marketplace.

  2. Find the app in the “Apps” dropdown of the top bar:

  3. Upon first use, click the “Allow access on user’s behalf” button, then review and accept the scopes.

  4. By default, users in the jira-admins-<your_instance_name> (for Whistle Willow for Jira), administrators (for Whistle Willow for Confluence), and site-admins security groups are added to the app as admins.
    Ask them to add your Compliance team and other members responsible for whistle-blowing tips handling to the access list in the app (Access control tab).
    At this point, it is advisable to review the users added upon the installation and remove access for those who do not need to stay in the loop of reports and updates.

  5. The App is ready to be used.

Configure public submissions


Make the public submissions page more personal

Whistle Willow allows full customization of text on the direct submission page for the organization.

Modify the fields under “Program Settings” → “Customizations for public submission pages”. They can be used to localize the page, add custom instructions or modify the default logo with a company one.

It is also possible to disable the report types dropdown on the submission page. In this case, all reports will be submitted as “General” type.

To save the customizations, scroll down to the “Save submission settings” button.

How to submit whistleblowing tips

Submitting a public tip

Public tips can be submitted via Jira Service Management or the External Portal available at https://whistle-eu.suprchrgd.com/

Submissions require the organization’s PIN - which is a long string made public by each Whistle Willow customer via their own Trust and Security pages, websites, or other means of communication. Alternatively, a link to your company-branded page is generated when enabling the External portal - this link can be shared with whistleblowers.

To submit a tip with PIN, navigate to https://whistle-eu.suprchrgd.com/, enter the tip information, PIN and select the tip type. After pressing “Submit”, the tip is processed and a unique ID is generated.

This ID is the only identifier that connects a whistleblower with a report - make sure to store it securely and keep it private. No other information about the user - including location, IP address, or browser string - is ever submitted to the organization.

Use this ID to follow up on the tip status via the “Check status” menu of Whistle Willow public site:

Submitting a private tip

You can simply write your anonymous tip in Jira, JSM or Confluence.

For Jira or Confluence:

First, navigate to the app page via the top menu bar: Apps → Whistle Willow.

For JSM:

Navigate to your company’s JSM Help Center page.

The Whistle Willow portal will open. Enter your tip into the text box, pick a report type, and click “Submit” - and it will be on its way to your organization’s Compliance team. They will only see it after a random number of minutes and hours have passed.

Even though the tip is submitted via Jira or Confluence, Whistle Willow completely ignores any user-related details of the request. This means it does not store any user-related information in addition to the tip content.

Once the report is submitted, do not forget to store the ID (in yellow) securely - you will need it to follow up on the report:

Follow up on your report

Navigate to the “Check report status” tab and enter the saved report ID to retrieve the status updates:

Common questions

This page replicates the one in the app - we believe the built-in documentation is the future 🙂

How are reporter privacy and anonymity protected?

Whistle Willow is an independent product that your organization procured for the whistle-blowing program. The product is designed to record, store or manage no personal information upon a submission - while a reporter uses their Jira account, the product purposefully records no identity data. The time of submission is programmatically and securely modified with a random number of minutes and hours added to it. Only after this time passes can the organization see the report. This is done to make it impossible to trace the time of submission to any work-related activity or information outside of Whistle Willow or Jira.

The data-at-rest is encrypted with the industry-recognized AES-256 algorithm and stored securely in the backend storage on the Jira Forge platform. The encryption is performed with a key that is unique to each organization. The backend storage is not directly accessible to your organization. Whistle Willow decrypts the report content on the go only when rendering reports to Compliance group users.
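The randomized release delay and identity-free record described above can be sketched as follows. This is an added illustration, not Whistle Willow's code: the function names, the in-memory `Map` store and the 72-hour upper bound are assumptions, since the page does not state the delay range or the storage layout.

```javascript
const { randomBytes, randomInt } = require('node:crypto');

// Assumption: the page does not state the delay bounds; 72 hours is illustrative.
const MAX_DELAY_MINUTES = 72 * 60;

// Accept a submission. `request` may carry account details (as a Jira or
// Confluence request would), but only the tip text and type are copied.
function submitReport(store, request, now = Date.now()) {
  const reportId = randomBytes(16).toString('hex'); // shown to the reporter once
  const delayMinutes = randomInt(1, MAX_DELAY_MINUTES + 1); // CSPRNG, not Math.random
  store.set(reportId, {
    type: request.type,
    text: request.text,
    status: 'Submitted',
    // Only the shifted time is kept; the real submission time is never stored.
    visibleAt: now + delayMinutes * 60_000,
  });
  return reportId;
}

// What the Compliance group may list: released reports only, date without time.
function complianceMetadata(store, now = Date.now()) {
  const rows = [];
  for (const report of store.values()) {
    if (report.visibleAt > now) continue; // still inside its random delay
    rows.push({
      date: new Date(report.visibleAt).toISOString().slice(0, 10),
      type: report.type,
      status: report.status,
    });
  }
  return rows;
}

// Reporter follow-up: the ID is the only handle on the report.
function checkStatus(store, reportId) {
  const report = store.get(reportId);
  return report ? report.status : null;
}

// Constructed sample request; accountId and ip are present but never stored.
const store = new Map();
const t0 = Date.UTC(2024, 0, 15, 9, 30);
const sample = { accountId: 'u-123', ip: '203.0.113.7', type: 'General', text: 'Constructed sample tip' };
const id = submitReport(store, sample, t0);
console.log(complianceMetadata(store, t0));                              // hidden during the delay
console.log(complianceMetadata(store, t0 + MAX_DELAY_MINUTES * 60_000)); // released
console.log(checkStatus(store, id));
```

Because only `visibleAt` is stored, even someone with access to the stored records cannot recover the true submission time, only an upper bound on it.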

Is there a public site for submitting reports to my organization?

If your organization has JSM, open the Help Center and click on the “Submit anonymous whistleblowing report” button.

For organizations without JSM, we created https://whistle-eu.suprchrgd.com/ - the External Portal which can be used to submit a tip to your organization without Jira or Confluence access. The organizations that enabled public submissions share their unique org PIN or a link to the customer-branded page in their whistleblowing policy or instruction. Use it on the public submissions site for sending your anonymous and protected tip.

What happens next after I submit the report?

First, the report won't be visible to the organization until the randomized amount of time added to the submission time passes. Then, the Compliance group would receive the report and acknowledge it, by setting the corresponding status and commenting on the submission. Any future updates will be reflected in the status and reasoning or comments to the update.

How can I follow up on my tip?

To reduce the risks to the reporter's anonymity, the only way to retrieve updates on the report is to save the report ID that is displayed once after the initial submission and enter it in the corresponding tab of the product. Make sure to store this ID securely - as this is the only item that, upon discovery, can link a reporter to a report. The retrieved information will also include comments on status changes made by your organization’s Compliance team. We recommend submitting a new report with type "INTERNAL: Response to status change" and communicating your feedback, if any, to the organization - for instance, accepting the communicated mitigations or requesting additional actions.

Can I submit evidence such as images, photos, documents?

Yes, but only via the public submission portal - it allows submitting a single evidence file or a compressed archive containing multiple files.

What can my company's Compliance group see?

The information is limited to:

  • Report day, month and year.

  • Report type - one of the types chosen upon submission.

  • Report current status (Submitted, Acknowledged, Mitigating, Resolved, Dismissed).

What else can I do to bring attention to the problem?

If reporting a problem to the organization is not sufficient to mitigate it, consider contacting appropriate authorities based on the problem type discovered. Consult the EU directive on the Protection of Whistleblowers regarding the reporter's rights and protection, or contact a lawyer from a trusted party.

As a compliance representative, how can I get access to the Whistle Willow reports?

After enabling, only users from the jira-administrators (Whistle Willow for Jira) and administrators (Whistle Willow for Confluence) groups have access to reports and Whistle Willow administrative tabs. These users must update the access list and include compliance group users, and potentially remove themselves from the list.
