Whistleblowing System Security & Anonymity by Design

Enterprise-Grade Protection for Whistleblowers

Safecall’s whistleblowing system is built with security and anonymity by design at its core. Our multi-layered security architecture combines encryption, tokenisation, advanced access controls, and strict data protection protocols to ensure complete anonymity and legal defensibility.

Security & Anonymity by Design: Core Principles

Anonymity by design means that privacy and security are not added as afterthoughts—they are fundamental to how our system operates. Every technical decision, from platform architecture to data handling, prioritises whistleblower protection.

Three Pillars of Our Security Architecture

  1. Technical Security – Encryption, secure infrastructure, and certified systems
  2. Anonymity Protection – Tokenisation, zero IP collection, and identity safeguards
  3. Compliance & Auditability – Certifications, testing, and legal defensibility

Technical Security Infrastructure

Enterprise-Grade Platform

Our whistleblowing platform is built on Microsoft Dynamics 365, providing:

  • Enterprise-class infrastructure – Trusted by global organisations
  • UK-based data centres – Full data sovereignty and GDPR compliance
  • High availability architecture – 99.9% uptime reliability
  • Advanced threat protection – DDoS prevention and intrusion detection
  • Scalable security – Supports 5 million+ employees across 1,000+ organisations

Encryption & Data Protection

Data encryption at every layer:

  • In-transit encryption – All data transfers secured via HTTPS with TLS 1.3, VPNs, and digital certificates
  • At-rest encryption – All stored data encrypted using Azure Transparent Data Encryption in UK data centres
  • Encrypted storage – Secure, encrypted databases with time-limited access controls
  • Digital signatures – Certificate-based authentication for data integrity

What this means for whistleblowers:

  • Reports cannot be intercepted during transmission
  • Stored data cannot be accessed by unauthorised parties
  • Even if systems were compromised, data remains encrypted
  • Regulatory compliance maintained across all jurisdictions

Zero IP Address Collection

We do not collect IP addresses from whistleblower submissions. As IP addresses are considered personal data under GDPR, we eliminate this risk entirely by not collecting them at all.

This means:

  • No IP data collected – We never capture network identifiers from online reporters
  • GDPR compliance by design – Eliminates personal data collection at source
  • No digital footprint – Online reporters leave no traceable network information
  • Complete location privacy – Geographic location cannot be determined from reports
  • No retrospective identification – Even system administrators cannot trace submissions
  • Enhanced anonymity – Removes a common technical vulnerability in other platforms

Telephone reporting anonymity:

  • No call line identification – We do not use caller ID
  • No audio recording – Telephone calls are never recorded
  • No voice recognition – No biometric data captured
  • No location tracking – Anonymous callers cannot be traced

Result: Whistleblowers leave no digital footprint that could reveal their identity.

Anonymity Protection Systems

Advanced Tokenisation Technology

Our tokenisation system replaces personally identifiable information with secure tokens:

How tokenisation protects identity:

  • Whistleblower submits report anonymously
  • System generates unique case reference number (token)
  • Reporter’s identity (if provided) stored separately from case data
  • Even Safecall call handlers interact only with tokens, never seeing real identities
  • Anonymity barrier maintained throughout investigation

Benefits:

  • True anonymity even for semi-anonymous reporting
  • Secure two-way dialogue without identity exposure
  • System administrators cannot link tokens to individuals
  • Meets “privacy by design” regulatory requirements

Case Reference System

Every report generates a unique case reference number that enables:

  • Anonymous login – Access case updates without providing identity
  • Secure messaging – Two-way communication whilst maintaining anonymity
  • Evidence submission – Add documents after initial report
  • Status tracking – Monitor investigation progress
  • Complete audit trail – All communications logged and time-stamped

Identity Protection Features

Multiple layers of anonymity protection:

  1. Flexible anonymity options
    • Fully anonymous (no identity shared with anyone)
    • Semi-anonymous (identity known to Safecall only, not client)
    • Named (identity shared with client organisation)
  2. Accidental disclosure protection
    • If reporter accidentally reveals identity during call, we honour anonymity request
    • Reports can be written in non-gender-specific language to further protect identity
    • System prevents accidental data leakage
  3. Segregated data storage
    • Identity data (if provided) stored separately from case content
    • Access controls prevent linking identity to case
    • Pseudonymisation per GDPR Article 32(1)(a) and Article 25(1)

Access Controls & Authentication

Multi-Factor Authentication

Secure access for all users:

  • Two-factor authentication (2FA) – Required for all client portal access
  • Single Sign-On (SSO) – Supports OpenID Connect for seamless enterprise integration
  • Active Directory integration – Works with existing identity management systems
  • Protocol flexibility – Supports SAML 2.0, OAuth 2.0, and other authentication standards

Role-Based Security Model

Hierarchical access control based on need-to-know principles:

  • Privacy controls clearly defined – Users see only cases relevant to their role
  • Granular permissions – Different access levels for viewers, investigators, administrators
  • Audit logging – All access and actions tracked for accountability
  • Principle of least privilege – Minimum necessary access granted to each user

Result: Confidential information seen only by authorised personnel, reducing risk of internal breaches.

Security Certifications & Compliance

Industry-Standard Certifications

Safecall maintains the following security certifications:

  • ISO 27001 – Information security management systems
  • SOC 2 – Service organisation controls for security, availability, and confidentiality
  • Cyber Essentials Plus – UK government-backed cybersecurity certification
  • GDPR compliance – Full adherence to EU and UK data protection regulations

Attestation letters available: Our security team can provide attestation letters confirming compliance with these standards during procurement processes.

Regular Security Testing

Continuous validation of security controls:

  • Monthly automated penetration testing – Regular vulnerability scanning
  • Annual physical penetration testing – Independent security experts test systems
  • Security audits – Regular third-party audits validate controls
  • Continuous monitoring – Real-time oversight of system performance and security

Transparency: Detailed penetration testing reports available under NDA during procurement.

Data Protection & Privacy Compliance

GDPR and international data protection:

  • UK-based data centres – Data sovereignty guaranteed
  • Pseudonymisation – Personal data protected per GDPR Article 25(1)
  • Data minimisation – Only necessary data collected and retained
  • Right to erasure – Data redaction timelines strictly adhered to
  • Cross-border data transfer protocols – Compliance with international requirements
  • Data Protection Impact Assessments – Conducted for all processing activities

Infrastructure Security

Data Centre Security

Physical and technical protections:

  • UK-based data centres – Tier III or higher facilities
  • Advanced security protocols – DDoS attack prevention and mitigation
  • Unauthorised traffic blocking – Network-level protections
  • Redundant systems – High availability and disaster recovery
  • Physical access controls – Restricted data centre access

Network Security

Protecting data in transit:

  • Virtual Private Networks (VPNs) – Secure tunnels for data transfer
  • Digital certificates – Certificate-based authentication
  • Firewall protection – Multi-layered network security
  • Intrusion detection systems – Real-time threat monitoring
  • Secure API connections – Encrypted endpoints for system integrations

System Hardening

Proactive security measures:

  • Regular security patches – Timely updates to address vulnerabilities
  • Secure configuration – Systems hardened according to best practices
  • Minimum attack surface – Unnecessary services disabled
  • Security monitoring – Continuous oversight of system integrity

Audit Trail & Evidence Integrity

Complete case documentation:

  • Time-stamped communications – All interactions logged with precise timestamps
  • Immutable audit trail – Case history cannot be altered retroactively
  • Chain of custody – Document handling tracked throughout process
  • Evidence preservation – Secure storage maintains evidential value
  • Forensic readiness – Systems designed to support legal proceedings

Regulatory Compliance Support

Meeting international whistleblowing requirements:

  • EU Whistleblowing Directive – Full compliance with technical requirements
  • UK regulations – Meets PIDA and Worker Protection Act standards
  • US requirements – SOX, Dodd-Frank, and other regulations supported
  • Global standards – Adaptable to jurisdiction-specific requirements

Data Breach Prevention

Safeguarding against unauthorised access:

  • Segregation of duties – Prevents single point of failure
  • Access logging – All system access tracked and auditable
  • Anomaly detection – Unusual activity flagged immediately
  • Incident response procedures – Documented protocols for security events
  • Breach notification compliance – GDPR-compliant reporting procedures

Continuous Security Improvement

Security Governance

Ongoing commitment to security excellence:

  • Dedicated security team – Specialists focused on threat monitoring
  • Regular security reviews – Quarterly security posture assessments
  • Vendor risk management – Third-party security assessed
  • Security awareness training – All staff trained in security protocols
  • Incident response planning – Regular drills and updates

Threat Intelligence

Staying ahead of emerging threats:

  • Industry trend monitoring – Awareness of evolving attack vectors
  • Threat intelligence feeds – Real-time threat data integration
  • Security community engagement – Participation in information sharing
  • Proactive defence – Anticipating rather than reacting to threats

Why Security & Anonymity by Design Matters

Increased Reporting Rates

When whistleblowers trust the system’s security:

  • Higher report volumes – Employees feel safe to speak up
  • Better quality information – Detailed reports when anonymity is guaranteed
  • Early issue detection – Problems identified before escalation
  • Cultural improvement – Openness encouraged by robust protections

Security by design provides:

  • Regulatory compliance – Meets international whistleblowing legislation requirements
  • Litigation readiness – Defensible processes with complete audit trails
  • Risk mitigation – Protects against data breaches and identity exposure
  • Reputational protection – Demonstrates commitment to whistleblower safety

Whistleblower Confidence

Technical security builds trust:

  • Fear of retaliation reduced – Anonymity technology provides genuine protection
  • Professional credibility – Enterprise certifications inspire confidence
  • Transparency – Security practices documented and auditable
  • Proven track record – 25+ years protecting whistleblowers

Security Architecture Summary

Security LayerTechnologyBenefit
EncryptionHTTPS/TLS 1.3, Azure Transparent Data Encryption, VPNs, digital certificatesProtects data in transit and at rest
AnonymityTokenisation, case reference system, no caller ID, zero IP collectionComplete identity protection
Access Control2FA, SSO, role-based permissionsPrevents unauthorised access
InfrastructureMicrosoft Dynamics 365, UK data centresEnterprise-grade reliability
ComplianceISO 27001, SOC 2, Cyber Essentials Plus, GDPRMeets international standards
TestingMonthly automated + annual physical pen testingContinuous security validation
MonitoringReal-time threat detection, DDoS protectionProactive threat prevention
AuditComplete time-stamped trail, immutable logsLegal defensibility

Technical Specifications

Platform Architecture

  • Platform: Microsoft Dynamics 365
  • Hosting: UK-based Tier III+ data centres
  • Availability: 99.9% uptime SLA
  • Scalability: Supports 5 million+ users across 1,000+ organisations

Security Protocols

  • Encryption in transit: HTTPS with TLS 1.3, VPN tunnels
  • Encryption at rest: Azure Transparent Data Encryption
  • Authentication: 2FA, SSO (SAML 2.0, OAuth 2.0, OpenID Connect)
  • Access control: Role-based hierarchical model
  • IP collection: Zero IP address collection (GDPR compliant by design)

Certifications & Standards

  • ISO 27001 (Information Security Management)
  • SOC 2 (Service Organisation Controls)
  • Cyber Essentials Plus
  • GDPR compliant (UK and EU)

Testing & Validation

  • Automated penetration testing: Monthly
  • Physical penetration testing: Annually
  • Security audits: Regular third-party reviews
  • Monitoring: Continuous real-time oversight

Getting Started with Secure Whistleblowing

Safecall’s security and anonymity by design approach is included as standard in our whistleblowing service:

  • No additional cost for enterprise security features
  • All certifications included – ISO 27001, SOC 2, Cyber Essentials Plus
  • Rapid deployment – Secure systems operational within 24 hours
  • Comprehensive support – Security team available for technical consultations

Ready to protect your whistleblowers with enterprise-grade security?
Book a demo | Call +44 (0) 191 516 7720