Common questions

This page replicates the one in the app - we believe the built-in documentation is the future

How are reporter privacy and anonymity protected?

Whistle Willow is an independent product that your organization procured for the whistle-blowing program. The product is designed to record, store or manage no personal information upon a submission - while a reporter uses their Jira account, the product purposefully records no identity data. The time of submission is programmatically and securely modified with a random number of minutes and hours added to it. Only after this time passes, the organization can see the report. This is done to make it not possible to trace the time of submission to any work-related activity or information outside of Whistle Willow or Jira.

The data-at-rest is encrypted with the industry-recognized AES-256 algorithm and stored securely in the backend storage on the Jira Forge platform. The encryption is performed with a key that is unique to each organization. The backend storage is not directly accessible to your organization. Whistle Willow decrypts the report content on the go only when rendering reports to Compliance group users.

Is there a public site for submitting reports to my organization?

If your organization has JSM, open the Help Center and click on the “Submit anonymous whistleblowing report” button.

For organizations without JSM, we created https://whistle-eu.suprchrgd.com/ - the External Portal which can be used to submit a tip to your organization without Jira or Confluence access. The organizations that enabled public submissions share their unique org PIN or a link to the customer-branded page in their whistleblowing policy or instruction. Use it on the public submissions site for sending your anonymous and protected tip.⠀

What happens next after I submit the report?

First, the report won't be visible to the organization until the randomized amount of time added to the submission time passes. Then, the Compliance group would receive the report and acknowledge it, by setting the corresponding status and commenting on the submission. Any future updates will be reflected in the status and reasoning or comments to the update.

How can I follow up on my tip?

To reduce the risks to the reporter's anonymity, the only way to retrieve updates on the report is to save the report ID that is displayed once after the initial submission and enter it in the corresponding tab of the product. Make sure to store this ID securely - as this is the only item that, upon discovery, can link a reporter to a report. The retrieved information will also include comments on status changes made by your organization’s Compliance team. We recommend submitting a new report with type "INTERNAL: Response to status change" and communicate your feedback, if any to the organization - for instance, accepting the communicated mitigations or requesting additional actions.

Can I submit evidence such as images, photos, documents?

Yes, only via the public submission portal - it allows submitting a single evidence file or a compressed archive containing multiple files.

What my company Compliance group can see?

The information is limited to:

  • Report day, month and year.

  • Report type - one of the types chosen upon submission.

  • Report current status (Submitted, Acknowledged, Mitigating, Resolved, Dismissed).

What else can I do to bring attention to the problem?

If reporting a problem to the organization is not sufficient to mitigate it, consider contacting appropriate authorities based on the problem type discovered. Consult with EU directive on the Protection of Whistleblowers on the reporter's rights and protection or contact a lawyer from a trusted party.

As a compliance representative, how can I get access to the Whistle Willow reports?

After enabling, users from jira-administrators (Whistle Willow for Jira) and administrators (Whislte Willow for Confluence) group only have access to reports and Whistle Willow administrative tabs. These users must update the access list and include compliance group users, and potentially remove themselves from the list.