As a professional whistleblowing outsourcer and ethics hotline platform vendor, we offer our customers multiple intake channels to suit different preferences and compliance needs. One of the most commonly used is the email channel.
Why We Recommend Vendor-Hosted Email Channels
We offer an email intake channel by default, which includes several unique features:
- A dedicated domain, @ethics.email, enables the creation of professional mailboxes such as company@ethics.email. This signals to users that the mailbox is specifically for ethics-related matters and operates independently from the company.com domain.
- A secure, standalone email server ensures that all communications remain confidential and independent from the customer’s infrastructure. This provides reassurance to reporters and whistleblowers that their messages will remain anonymous and that sender identities are not visible to the client.
- Direct mailbox integration with the customer’s case management system eliminates any intermediaries between whistleblowers and the compliance response team, preserving anonymity. Every email automatically creates a new case, with attachments uploaded as evidence. Senders receive an acknowledgment within minutes containing instructions on how to securely access the whistleblowing platform for further dialogue.
Why Some Clients Prefer to Use Their Own Mailbox
We frequently encounter requests from customers to set up a mailbox such as hotline@company.com. Typically, these requests are driven by the following considerations:
- Maintaining continuity with an established address. Many organizations begin their whistleblowing efforts with a mailbox hosted on their own servers, and as they transition to a more advanced platform, they prefer to retain the familiar address already communicated to stakeholders.
- Preferring a recognizable and user-friendly mailbox name. Using a corporate domain with names like @trust, @ethics, @speakup, or @hotline can be easier for employees to remember and reinforces the intended purpose of the mailbox.
- Avoiding dependence on an external provider’s address. Some companies are concerned that relying on a vendor-provided email may create obstacles if they decide to switch providers in the future.
So, what is the best way out of this? Should we keep the company's mailbox or use a fresh one from the vendor?
Before rushing to conclusions, let's consider one more option.
Option: Email Forwarding from Company Mailbox to Vendor Mailbox
A compromise some clients choose is email forwarding: e.g., configuring hotline@company.com to forward all incoming emails to company@ethics.email. This preserves familiarity while allowing vendor-side automation and anonymity features. But this can be tricky.
⚠️ Important Disclaimer on Risks of Email Forwarding
Forwarding emails from a company-controlled mailbox to a vendor mailbox may expose whistleblowers to significant privacy and security risks, such as:
- Metadata exposure: The original sender’s IP address and email identity may be stored or logged on the company server before forwarding occurs. When a user emails hotline@company.com and the server forwards the message, the original email lands on the company server first. Even if it is forwarded immediately, traces may remain (logs, backups, journal entries). This undermines anonymity, especially in regulated environments (EU Whistleblowing Directive, ISO 37002).
- Logging and backup: Company mail servers may automatically archive the original message, even if deleted later.
- Accidental access: Forwarding may be interrupted or misconfigured, resulting in lost or misdirected reports.
- Chain of custody concerns: From a legal or compliance standpoint, forwarding may raise questions about who first received and had access to the report.

Forwarding should only be used with extreme caution and after a detailed risk assessment and consultation with IT and legal teams.
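As input to such a risk assessment, the following added example (not part of the original page or of the vendor's platform) inspects a test message sent through the forwarding path and lists the sender metadata that the company mail server handled before the vendor mailbox received it. The message, hosts, IP addresses and the function name `company_exposure` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a test message as it reaches the vendor mailbox after
# hotline@company.com forwarded it. Hosts, IPs and the sender are made up.
FORWARDED = """\
Received: from mail.company.com (mail.company.com [198.51.100.10])
\tby mx.ethics.email with ESMTPS id V1; Tue, 04 Mar 2025 09:15:07 +0000
Received: from mta-out.freemail.example (mta-out.freemail.example [203.0.113.25])
\tby mail.company.com with ESMTPS id C7 for <hotline@company.com>;
\tTue, 04 Mar 2025 09:15:02 +0000
Received: from [192.0.2.44] (helo=laptop) by mta-out.freemail.example
\twith ESMTPSA id F3; Tue, 04 Mar 2025 09:15:01 +0000
From: Test Sender <test.sender@freemail.example>
To: hotline@company.com
Subject: Forwarding test
Message-ID: <abc123@freemail.example>

Test body.
"""

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def company_exposure(raw, company_domain):
    """Return the sender metadata that passed through company_domain's
    mail servers, or None if no Received hop belongs to that domain."""
    msg = message_from_string(raw)
    # Unfold each Received header; they are prepended, so hops[0] is newest.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        m = BY_HOST.search(hop)
        host = m.group(1).lower() if m else ""
        if host == company_domain or host.endswith("." + company_domain):
            # The message as the company server received it carried every
            # header from this hop downward.
            seen = hops[i:]
            return {
                "company_hop": host,
                "sender_side_ips": [ip for h in seen
                                    for ip in BRACKETED_IP.findall(h)],
                "sender_address": parseaddr(msg["From"])[1],
                "message_id": msg["Message-ID"],
            }
    return None


if __name__ == "__main__":
    print(company_exposure(FORWARDED, "company.com"))
```

Any value this returns for a test message is data that the company server's logs, journals or backups could retain for a real report.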
Feature | Vendor Mailbox (@ethics.email) | Customer Mailbox (@company.com) | Company Mailbox with Forwarding |
---|---|---|---|
Anonymity Assurance | ✅ High | ❌ Low | ⚠️ Compromised (logs may exist) |
Trust Perception | ✅ High (independent) | ✅ High (familiar domain) | ✅ High (if used properly) |
Integration with Case Management | ✅ Full automation | ⚠️ Custom integration needed | ✅ Possible if forwarding is stable |
Brand Consistency | ➖ Neutral | ✅ High | ✅ High |
Vendor Lock Risk | ⚠️ Medium | ✅ Low | ✅ Low |
Setup Complexity | ✅ Low | ⚠️ Medium | ⚠️ Medium to high |
Support & Maintenance | ✅ Vendor-managed | ❌ Customer IT required | ⚠️ Dual responsibility |
Security & Legal Risk | ✅ Low | ⚠️ Medium | ❌ High if not properly controlled |
Our Recommendation
We recommend using the vendor-hosted mailbox if anonymity, automation, and legal integrity are a priority. It also gives you full outsourcing and the assurance that no internal systems can compromise reports.
If brand familiarity is important, you should redirect users (instead of forwarding their emails) from hotline@company.com to company@ethics.email via banners or messages. When you redirect via messaging:
- It is safer than forwarding. No message is received by your system.
- You simply inform the sender to use a different, independent address.
- This avoids metadata capture and server-side traces entirely.