
📕 Whistle Willow Admin Guide

What is Whistle Willow and how can it help us?

Whistle Willow is a unique whistleblowing solution. It offers an unprecedented deployment speed and can be live within 5 minutes.

To achieve this, Whistle Willow uses Jira, Jira Service Management (JSM) or Confluence to manage submissions and store report data. This lets you reuse Atlassian user management, security and storage, and ensures that sensitive data does not leave the company.

Whistle Willow also provides a public interface for submitting anonymous and protected tips from anywhere in the world, either as a dedicated portal or via your company’s JSM.

Is Whistle Willow a good fit for our organization?

Yes, if you already use Jira, JSM, or Confluence Cloud. You get a fully functional whistleblowing program integrated into Jira or Confluence, built on the security and stability of Atlassian products.

What are the main features?

  • Unique ease of deployment and use, while still providing a complete whistleblowing program

  • Public submissions - whistleblowers do not need a license for Jira or Confluence to submit their tips. Public submissions can be done via JSM or through a dedicated external Portal hosted in EU or US.

  • Private submissions - those with access to the company’s Jira or Confluence can easily submit anonymous and protected tips via these products.

  • Admin dashboard and analytics - admins can manage reports, update statuses and communicate with reporters via the control panel integrated into Jira or Confluence.

  • Encrypted reports - at rest and in transit

    • Public submissions are additionally encrypted asymmetrically with the organization’s own key pair, so only the organization the report is intended for can read it.

  • Simple cost model that depends on the number of Jira or Confluence users (which essentially reflects the organization’s size). No hidden charges or extras.

Installation and initial configuration

  1. Install WW via the Atlassian marketplace.

  2. Find the app in the “Apps” dropdown of the top bar.

  3. On first use, click the “Allow access on user’s behalf” button, then review and accept the requested scopes.

  4. By default, members of the jira-admins-<your_instance_name> group (Whistle Willow for Jira), the administrators group (Whistle Willow for Confluence), and the site-admins group are added to the app as admins.
    Ask them to add your Compliance team and other members responsible for handling whistleblowing tips to the access list in the app (Access control tab).
    At this point, review the users added at installation and remove access for anyone who does not need to see reports and updates: everyone on the access list can read report content, and Jira or Confluence administrators do not need to stay on it.

  5. The App is ready to be used.

Localization and language support

Whistle Willow supports several languages for its whistleblower-facing pages. These cover the whistleblower portal: the instructions on how to submit a tip, checking tip status, communicating with the Compliance team, and the Frequently Asked Questions.

Every whistleblower can pick the language from the dropdown in the “Submit tip” tab of the portal. This setting will affect the user interface in other application tabs.

Whistle Willow admins can set a default whistleblower portal language in the Program settings.

This will be the default interface language of the whistleblower portal - the users can change it for their session using the dropdown in the “Submit tip” tab.

Is your language not listed?

We want all our customers to be able to deliver the best whistleblower program experience to their employees. Open a support ticket and ask for the translation; we will make sure to ship it in the next release.

Will the admin pages be translated?

We currently have no plans for this. At the same time, we commit to offering full translations of whistleblower-facing pages in all requested languages on short notice.

Configure public submissions through Jira Service Management (JSM)

Whistle Willow turns your Jira Service Management (JSM) into a whistleblowing portal. For all customers with a JSM, Whistle Willow adds a link at the bottom of the Help Center page. This link is available to ALL users, regardless of whether they have a Jira or JSM license or are completely anonymous.

Clicking the link opens the standard Whistle Willow submission portal, which also lets whistleblowers follow up on their recent submissions and check their status.

For customers who don’t have JSM in their Atlassian product suite, Whistle Willow offers a public anonymous submission channel through a dedicated portal.

Whistle Willow JSM settings and customizations

By default, the Whistle Willow submission portal is enabled for the Help Center page of your JSM. It can also be enabled or disabled for all or for particular Portal page(s). Navigate to Whistle Willow in Jira → Program Settings.

Configure public submissions through External Portal

To start accepting public submissions via the public Whistle Willow site (https://whistle-eu.suprchrgd.com/), a Whistle Willow administrator needs to enable them and trigger the generation of the encryption keys.

This is a simple automated procedure that creates a unique key pair for your organization, a public key and a private key, which are used to secure whistleblowing tip submissions. The underlying cryptographic algorithms are selected and configured automatically. Each tip is encrypted with your organization’s public key and can only be read with the private key, which never leaves secure storage in Jira or Confluence; the portals only ever hold the public half. Treat “Regenerate keys” as a key rotation: it replaces the pair, so confirm with support how submissions still encrypted under the previous public key are handled before regenerating.

By default, Whistle Willow creates two unique public submission portals, one for the EU and one for the US, to support regional data residency requirements. Your organization can choose to use both or either of them. The data and runtime of each portal are hosted in its respective region.

You can share the links to the public portal on your website, for example under a Trust and Security page or a dedicated whistleblowing instructions page.

To enable public submissions

  • Navigate to Whistle Willow app as admin

  • Open the “Program Settings” tab

  • Switch the toggle “Enable public submissions” to the enabled state

  • Click “Save submission settings”

  • Reload the app

  • A new section will appear - click “Generate / Regenerate keys”

That’s it! Your public submission pages are ready. You can also customize them or embed them as an <iframe>.

Branding and customizing the External Portal submissions page

Whistle Willow allows full customization of text on the direct submission page for the organization.

Modify the fields under “Program Settings” → “Customizations for public submission pages”. They can be used to localize the page, add custom instructions, or replace the default logo with your company’s.

It is also possible to disable the report types dropdown on the submission page. In this case, all reports will be submitted as “General” type.

To save the customizations, scroll down to the “Save submission settings” button.

How to submit whistleblowing tips through the External portal

Submitting a public tip

Public tips can be submitted via Jira Service Management or External portal available at https://whistle-eu.suprchrgd.com/

Submissions require the organization’s PIN, a long string that each Whistle Willow customer makes public via its Trust and Security page, website, or other channels. The PIN is an identifier, not a secret: knowing it only lets someone submit a tip to your organization. Alternatively, a link to your company-branded page is generated when the External portal is enabled; this link can be shared with whistleblowers.

To submit a tip with a PIN, navigate to https://whistle-eu.suprchrgd.com/, enter the tip information and the PIN, and select the tip type. After pressing “Submit”, the tip is processed and a unique ID is generated.

This ID is the only identifier that connects a whistleblower with a report; store it securely and keep it private. No other information about the user, including location, IP address or browser string, is ever submitted to the organization.

Use this ID to follow up on the tip status via the “Check status” menu of the Whistle Willow public site.

Submitting a private tip

You can also write your anonymous tip directly in Jira, JSM or Confluence.

For Jira or Confluence:

First, navigate to the app page via the top menu bar: Apps → Whistle Willow.

For JSM:

Navigate to your company’s JSM Help Center page.

The Whistle Willow portal will open. Enter your tip into the text box, pick a report type, and click “Submit”; it will be on its way to your organization’s Compliance team. They will only see it after a random delay of minutes to hours has passed.

Even though the tip is submitted via Jira or Confluence, Whistle Willow deliberately ignores all user-related details of the request. It stores nothing beyond the tip content itself.

Once the report is submitted, do not forget to store the ID (highlighted in yellow) securely; you will need it to follow up on the report.

Follow up on your report

Navigate to the “Check report status” tab and enter the saved report ID to retrieve the status updates.

Handle uploaded files and evidence in whistleblowing reports

The public submission portal allows whistleblowers to attach a single file of evidence to their report. The file submission field is at the bottom of the report form.

The evidence is kept for 90 days. The Compliance team can find the evidence file in the “Manage report” window; if a file was attached, a “Download evidence” tab appears for that report.

To download evidence, follow the instructions in that tab: enter the evidence file name and the customer download key in the form on the Download portal. The file download will begin shortly.

Note: the Jira, Confluence and JSM report submission forms do not support attaching evidence to reports (an architectural restriction of Atlassian products). We recommend directing people to the public submission portal, which allows file evidence uploads.

Setting up notifications and compliance alerts

Whistle Willow has the ability to notify your compliance team when new reports are received or when compliance alerts are triggered.

To get notifications from Whistle Willow add a group or mailing list address in the “Program Settings” tab as a Whistle Willow admin.

The report notification emails only inform your Compliance team that a new report has been received; they contain no details on its content, type or anything else. This is done to ensure that all report-specific data stays in your organization’s Atlassian instance.

Compliance alerts

This type of alert is triggered when your program has reports that are at risk of breaching, or already breach, the compliance requirements of the EU whistleblowing regulation.

All reports in the “Submitted” state should be moved to “Acknowledged” within 7 days after submission.

All reports in the “Acknowledged” state should be moved to a further state (responded to) within 90 days after submission.

When these deadlines are approaching or have been exceeded, Whistle Willow sends an email summarizing the total count of reports that are at risk or in breach of the compliance requirements. No other details about report content or type are provided.

These alerts are enabled by default but can be disabled in the same Notification settings page of the Program settings tab.

Managing Deleted reports

Deleted reports

The Compliance team can delete reports from the system by changing their status to “Deleted”. Such reports are not shown in the main reports table, but they can still be accessed by filtering the table by Status → Retrieve values → Deleted.

This will let the Compliance team access Deleted reports and their content. However, it won’t be possible to change the report status or reply to the whistleblower anymore.

Retention policy for completed reports

Once a report reaches one of the statuses “Resolved”, “Dismissed” or “Deleted”, a retention policy can be set to purge it from the system. Activating such a policy helps a company protect any personal or sensitive information submitted with a report and stay compliant with local data laws and regulations.

To activate the retention policy, navigate to Program settings → Submissions settings. In a dropdown “Completed reports retention policy” choose a desired retention period and click “Save submission settings”.


The retention cutover is calculated from the last status update date (not the original report submission date). For example, if your team closed a report on June 1st and the retention policy is set to 30 days, the report will be deleted on July 1st.

Note: the deletion is automated and permanent, reports can’t be recovered after they were purged from the app.
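
The following is an added example, not Whistle Willow’s own code, of the two clocks described in this guide: the 7-day and 90-day compliance deadlines under “Compliance alerts”, measured from submission and reported as counts only, and the retention cutover above, measured from the last status update. The report record fields, the two-day “approaching” window and the constructed sample dates are assumptions; the status names are the ones this guide lists.

```javascript
// Added example (not Whistle Willow's own code): deadline alert counts and
// retention purge selection over a constructed set of reports. The record
// shape, the "approaching" window and the sample dates are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const ACK_DEADLINE_DAYS = 7;        // Submitted -> Acknowledged (from the guide)
const RESPONSE_DEADLINE_DAYS = 90;  // Acknowledged -> a further state (from the guide)
const APPROACHING_WINDOW_DAYS = 2;  // assumption: how early "approaching" is flagged

// Whole days between two ISO dates; date-only strings parse as UTC midnight,
// so the difference is an exact multiple of a day.
function daysBetween(fromIso, toIso) {
  return (Date.parse(toIso) - Date.parse(fromIso)) / DAY_MS;
}

// Classifies each open report against the Directive deadlines, both measured
// from the ORIGINAL submission date, and returns counts only: the alert email
// the guide describes carries no content, type or identifier.
function complianceAlertCounts(reports, nowIso) {
  const counts = { approaching: 0, breached: 0 };
  for (const r of reports) {
    let limit;
    if (r.status === 'Submitted') limit = ACK_DEADLINE_DAYS;
    else if (r.status === 'Acknowledged') limit = RESPONSE_DEADLINE_DAYS;
    else continue; // Mitigating, Resolved, Dismissed, Deleted are outside both clocks
    const age = daysBetween(r.submittedAt, nowIso);
    if (age > limit) counts.breached += 1;
    else if (age > limit - APPROACHING_WINDOW_DAYS) counts.approaching += 1;
  }
  return counts;
}

// Retention: a completed report is purged retentionDays after its LAST status
// update, never after submission (closed June 1 + 30 days -> purged July 1).
const COMPLETED = new Set(['Resolved', 'Dismissed', 'Deleted']);

function purgeDueIds(reports, retentionDays, nowIso) {
  return reports
    .filter(r => COMPLETED.has(r.status))
    .filter(r => daysBetween(r.lastStatusUpdateAt, nowIso) >= retentionDays)
    .map(r => r.id);
}

// Constructed sample data: fictional reports with dates chosen to exercise
// every branch when evaluated on NOW.
const NOW = '2024-06-18';
const SAMPLE_REPORTS = [
  { id: 'R1', status: 'Submitted',    submittedAt: '2024-06-10', lastStatusUpdateAt: '2024-06-10' }, // 8 days: ack breached
  { id: 'R2', status: 'Submitted',    submittedAt: '2024-06-12', lastStatusUpdateAt: '2024-06-12' }, // 6 days: approaching
  { id: 'R3', status: 'Submitted',    submittedAt: '2024-06-16', lastStatusUpdateAt: '2024-06-16' }, // 2 days: fine
  { id: 'R4', status: 'Acknowledged', submittedAt: '2024-03-01', lastStatusUpdateAt: '2024-03-05' }, // 109 days: response breached
  { id: 'R5', status: 'Acknowledged', submittedAt: '2024-03-21', lastStatusUpdateAt: '2024-03-25' }, // 89 days: approaching
  { id: 'R6', status: 'Resolved',     submittedAt: '2024-04-01', lastStatusUpdateAt: '2024-05-01' }, // closed 48 days ago: purge at 30
  { id: 'R7', status: 'Resolved',     submittedAt: '2024-01-15', lastStatusUpdateAt: '2024-06-01' }, // old, but closed 17 days ago: keep
  { id: 'R8', status: 'Deleted',      submittedAt: '2024-02-01', lastStatusUpdateAt: '2024-05-10' }, // closed 39 days ago: purge
];
```

Run against `SAMPLE_REPORTS` on `NOW`, `complianceAlertCounts` returns two approaching and two breached reports, and `purgeDueIds(..., 30, NOW)` selects R6 and R8 but not R7, even though R7 is the oldest submission: only the closing date matters for retention.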

Implementing compliance for your whistleblowing program

The EU Whistleblower Directive came into force in December 2019 and outlined the key requirements for organizations when it comes to handling whistleblowing reports.

Whistle Willow is a platform that makes complying with the Directive simple. At the same time, as for any compliance goal, it can only be achieved when tools, processes, and organizational commitment are set up to work together on achieving the desired compliance state.

The Directive outlines a few key compliance requirements, and Whistle Willow is here to help your team meet them.

  1. Whistle Willow provides a secure and anonymous channel for whistleblowers to report misconduct. For full compliance, a reporter should be able to upload evidence to the app. We encourage both reporters and organizations to use secure drop sites rather than uploading evidence directly, to avoid negative consequences, deanonymization and retaliation. One way to do so is to set up a Secure Drop, instruct your reporters to use it, and have them include the link to the drop in their report; this is the safest way to provide evidence to your team.

  2. Some countries require organizations to set up a call center or hotline to accept reports in audio format. To meet this requirement, we recommend using the same Secure Drop and asking reporters to record and submit their tips as audio files. A link to the drop can be added to the Whistle Willow report.

  3. Whistle Willow also allows for real-time communication between the whistleblower and the organization’s Compliance team, ensuring a swift and effective response to any report. Make sure to add a notification email in the settings to get an email alert on any new report submitted to the program.

  4. To meet the requirements of the Directive, a submitted report needs to be acknowledged within 7 days and responded to within 90 days of submission. Whistle Willow helps by notifying your Compliance team when a report first arrives and when compliance deadlines are approaching or have been breached.

  5. The app also offers detailed reporting and analytics, including Compliance alerts on any reports that put your organization at risk of non-compliance with the Directive. The analytics and reporting in Whistle Willow let organizations track and respond to reports in a timely manner and identify patterns or trends in the state of the whistleblowing program.

  6. Whistle Willow is user-friendly and easy to navigate, making it accessible to employees at all levels of an organization. It also offers a range of language options (which can be configured through the public submissions site), making it suitable for organizations with a diverse and distributed workforce.

Overall, when implementing your whistleblowing program, Whistle Willow can cover most of your compliance needs, but a few extra steps still need to be taken to be fully compliant. Our team constantly works on new functionality to minimize this overhead and deliver compliance as close to out-of-the-box as possible.

Common questions

This page replicates the one in the app; we believe built-in documentation is the future.

How are reporter privacy and anonymity protected?

Whistle Willow is an independent product that your organization procured for its whistleblowing program. The product is designed to record, store and manage no personal information on submission: even when a reporter uses their Jira account, the product purposefully records no identity data. The submission time is programmatically and securely shifted by a random number of minutes and hours, and only after this time passes can the organization see the report. This prevents the time of submission from being correlated with work-related activity or information outside Whistle Willow or Jira.

Data at rest is encrypted with the industry-recognized AES-256 algorithm and stored securely in the backend storage of the Atlassian Forge platform. Encryption uses a key that is unique to each organization. The backend storage is not directly accessible to your organization. Whistle Willow decrypts report content on the fly only when rendering reports to Compliance group users.

Is there a public site for submitting reports to my organization?

If your organization has JSM, open the Help Center and click on the “Submit anonymous whistleblowing report” button.

For organizations without JSM, we created https://whistle-eu.suprchrgd.com/, the External Portal, which can be used to submit a tip to your organization without Jira or Confluence access. Organizations that have enabled public submissions share their unique org PIN or a link to the customer-branded page in their whistleblowing policy or instructions. Use it on the public submissions site to send your anonymous and protected tip.

What happens next after I submit the report?

First, the report is not visible to the organization until the randomized delay added to the submission time has passed. Then the Compliance group receives the report and acknowledges it by setting the corresponding status and commenting on the submission. Any future updates are reflected in the status and in the reasoning or comments attached to the update.

How can I follow up on my tip?

To reduce the risk to the reporter’s anonymity, the only way to retrieve updates on a report is to save the report ID that is displayed once after the initial submission and enter it in the corresponding tab of the product. Store this ID securely: it is the only item that, if discovered, can link a reporter to a report. The retrieved information also includes the comments made by your organization’s Compliance team on status changes. To communicate feedback, if any, to the organization, for instance accepting the communicated mitigations or requesting additional actions, we recommend submitting a new report with the type “INTERNAL: Response to status change”.

Can I submit evidence such as images, photos, documents?

Yes, only via the public submission portal - it allows submitting a single evidence file or a compressed archive containing multiple files.

What can my company’s Compliance group see?

Apart from the tip itself, the information visible about a report is limited to:

  • Report day, month and year.

  • Report type - one of the types chosen upon submission.

  • Report current status (Submitted, Acknowledged, Mitigating, Resolved, Dismissed).

What else can I do to bring attention to the problem?

If reporting a problem to the organization is not sufficient to mitigate it, consider contacting the appropriate authorities for the type of problem discovered. Consult the EU Directive on the Protection of Whistleblowers for the reporter’s rights and protections, or contact a lawyer from a trusted party.

As a compliance representative, how can I get access to the Whistle Willow reports?

After the app is enabled, only members of the default administrator groups listed under “Installation and initial configuration” (the Jira administrators group for Whistle Willow for Jira, the administrators group for Whistle Willow for Confluence) have access to reports and to the Whistle Willow administrative tabs. These users must update the access list to include the Compliance group’s users, and should consider removing themselves from the list so that report content stays limited to those who handle it.
