Whistleblowing FAQ

Who are reporters/whistleblowers?

Reporters are people who are not indifferent to the organization, its employees, or the region, who have information that can benefit the organization or help to avoid harm, to its employees or the region, and, acting with the best intentions, want to help and are willing to share important information.

Ethicontrol enables informants to report information anonymously, confidentially to the company, or identify themselves to the response team.

Anonymity means that the informant's identity is unknown to anyone - neither to the representatives of Ethicontrol who received the message, nor to the response team, nor to other representatives of the company.

Confidentiality for the company provides for the disclosure of its name to the company Ethicontrol but excludes the transfer of this information to others without the informant's consent. In such a situation, Ethicontrol acts as an intermediary between the informant and the company, protecting the anonymity of the informant.

Identification means that the informant discloses his name during the registration of the message and is ready to openly and independently, without the mediation of Ethicontrol, cooperate with the organization.

However, identification does not mean that everyone should know who left the message. All information on the report and on informants is confidential and Ethicontrol provides access to it only to authorized members of the company's response teams, who are obliged to observe the appropriate confidentiality regime.

What is the purpose of a whistleblowing hotline? Is it for employees or someone else?

By default, Ethicontrol's whistleblowing hotline is intended for any interested and not indifferent parties to the company: shareholders, employees, customers and suppliers, business partners, former employees, relatives of employees, residents of the surrounding territories, and others.

The target audience may vary on the request of the company.

What is the price for Ethicontrol's services?

We aim to provide services at less cost than the cost of developing and maintaining such a tool on your own.
On the page Prices, you can check how it works.

The service cost depends primarily on the number of employees in your company since this is the main factor in the load of our contact center and web systems. Additional charges apply when working in multiple jurisdictions or when you want to improve our process or system significantly.

Each case is unique, and we are ready to take into consideration the wishes and budgets of our clients as much as possible.

Does Ethicontrol provide advice for whistleblowers?

No. We do not provide advice on the content of the message and possible follow-up actions for the informant.

Moreover, we do not have to understand the complexities of each organization and its processes to avoid misleading you.

The only exception is that we are always ready to advise you on anonymity options. Also, we clearly explain what details of the incident should be provided to make it easier for the compliance team to complete their work quickly.

How do you guarantee anonymity and confidentiality?

Three things guarantee your anonymity and confidentiality.

The first is OUR AUTONOMY.

We don't depend on the owners, management, security services, and any other employees of your company. Our autonomy allows us to call things by their proper names and not deviate from the main task of our company - the preservation of your anonymity and confidentiality.

The second is OUR PROTECTION.

We are humans too, and, like you, we are worried about the safety of our health and life. Accordingly, the best way to protect yourself is to know nothing and not be technically able to learn something. "Zero-knowledge policy" is the principle we used when we came up with the architecture of our system.
In our system, information is distributed. We can only know a grain that is visible at the stage of registration of a message, and we did our best to prevent such information from being stored somewhere. We have no access to everything else.
This is the guarantee of our security and, at the same time, your anonymity. For more details, see the answer to the question "What information does Ethicontrol know about the company?" and check the Security section.

Third - YOUR and OUR INFORMATION SECURITY.

Probably, this should come first.
On the one hand, if the reporter himself violates simple rules of information security, there can be no guarantees. To remain anonymous, whistleblowers must strictly adhere to the rules. Our recommendations are listed in the Security section.

On the other hand, as an IT company, we take our own information security very seriously. That is why we select only contractors certified according to the best international standards, make every effort to maintain various encryption and security systems, and implement best practices in our own processes.

Can someone identify me by phone call?

The task of Ethicontrol is to help reporters preserve their anonymity (upon request) not only from the company but also from any third parties in general, including our service.

To do this, we never track the number of incoming calls, we do not record phone conversations, and our employees are trained to help you maintain anonymity.

To keep in touch with you in the future, we issue a unique secret code for each caller or visitor to the web profile. Using this code, you can independently check the status of message processing or get information on the case without identifying yourself in the future.

We ask you to adhere to the following rules to make the task as complicated or as expensive as possible for those wishing to identify you:

do not make calls from the territory of your organization;
do not make calls from the means of communication that belong to your company or about which it is notified;
do not make calls from the means of communication which you used to make calls to the means of communication of your company (or about which it is notified);
do not make calls in the presence of persons whom you do not trust;
do not make calls in the presence of the means of communication from which you made calls to the means of communication of your company (or about which it is notified);
do not transmit information that will help identify you indirectly.

We give similar recommendations regarding the use of the web form.

The target audience may vary on the request of the company.

Why I'm asked to provide my personal data?

Although the Ethicontrol system is designed to work effectively with anonymous reporters, practice shows that personal contact can be more.

For example, the life cycle of messages in which the reporter identified himself takes 40% shorter on average than all others.

Therefore, we are always ready to provide an opportunity for whistleblowers to identify themselves and ask for such personal data as name, contact number, or e-mail.

What's included in anonymity and data protection?

1. Our independence from the management of your company. We do not collect or provide information about reporters, which can be used to track or expose the personal data of system users.

Accordingly, our site does not use cookies, does not determine IP addresses, and our contact center does not determine the caller's number and does not record telephone conversations. Our operators do not ask questions by which the company can find out the identity of the whistleblower, and even if the anonymous reporter somehow revealed himself, we will make sure that this is not in the system.

2. Protection of data transmission. All data transmitted via the web interface is encrypted using SSL encryption.

3. Anonymity protection. Each whistleblower receives a secret code to access the whistleblower's office to continue to keep in touch with the team that is responding to his message anonymously.

4. Certified independent server. Your company's database is hosted on a third-party server.
We use only certified servers following the requirements of SOX 404, SAS 70, SSAE 16, as well as PCI DSS 3.0., ISO 27000, and ISO 20000.

5. We do not have access to your data. The architecture of the system separates the database from the application to restrict the access of Ethicontrol employees to the incident database of your company. And the system, in turn, records any actions to access the database.

6. Protection of personal data following the EU Directive 95/46 / EC and Data Protection Directive, as well as the relevant national legislation.

7. Encryption and backup of data on the server.

Which company information does Ethicontrol "know"?

In short, Ethicontrol knows about the company only what it is allowed to know about itself.

Once again, Ethicontrol has no right to spread ANY information about the company, including the very fact of using the service without the written permission of the company.

More broadly, we should start with the very definition of "know" - let's understand this as an opportunity to register information, save and accumulate it, as well as the ability to duplicate it later, apply, use or distribute.

Accordingly, when we talk about registration or obtaining information - Ethicontrol receives general information about the company when registering and signing a service agreement. Such information includes name, organizational form, tax and bank details, contact persons, means of communication, address, location and name of organizational units, names and grounds for actions of the authorized management, as well as names and email addresses of users of the web system on behalf of companies.

Further, Ethicontrol's contact center receives information about the incidents that caused the concern of the reporters. It contains the type of incident, what happened and when, who is to blame, who is the witness, who is the victim, and so on. This information passes through us, but we do not "remember" it.
It is due to the fact that any information which passed through the website or contact center goes directly to the database that belongs to your company.
"Directly" means that it is not registered or saved anywhere else. We only keep general information about the time and duration of the contact, the type and number of the incident, as well as the unique code of the whistleblower.
Also, for information security reasons, we are implementing several measures to exclude the possibility of storing even a bit of confidential information. See the FAQ section for details.

We do not have permanent access to the database, and if maintenance is required, such access occurs after agreement with the company and under the supervision of its technical specialists. At the same time, the system records any requests for data access, and it is easy to check us.
The storage of your data in the company's database is organized under the requirements of the legislation of the relevant jurisdiction.

Thus, we do not have information about the company or events indicated in the reports of whistleblowers, and we only know what we are allowed to know.

What are the security guarantees for the reporter? How to protect yourself from harassment?

Among the security guarantees or protection from retaliation for using the whistleblowing hotline, you can often see a written commitment from management, shareholders protection, or protection through courts and civil or criminal law mechanisms.

However, we cannot call such methods a GUARANTEE.

At Ethicontrol, we believe that the only guarantee of the reporter's safety is his total ANONYMITY.

We recommend you acquaint yourself with the corresponding section on the Question-Answer page.

How easy is it to hack the system?

Any system can be hacked - anonymous hackers prove it on the example of numerous American banks or US government agencies.

We designed the security system in such a way as to make hacking the system economically sensible - expensive and time-consuming.

For example, to decrypt an SSL-encrypted message sent from your browser through the Ethicontrol service, you need to spend the total capacity of a huge data center, which should work for at least two months on just one case. The cost of such a case is estimated at millions of dollars.

At the same time, after two months, according to our typical process, the message should have already been processed, verified, investigated and closed, significantly reducing the cost of disclosed confidential information.

What happens to the information and data I provide?

Any information which passes through the website or contact center goes directly to the database that belongs to your company.
"Directly" means that it is not registered or stored anywhere else. We only have general data about the time and duration of the contact, the type, and number of the incident, as well as the unique code of the informant.

Also, for information security reasons, we clear the temporary memory (cache) of the web system servers and contact center terminals regularly to exclude the possibility of storing even a bit of confidential information.

We do not have permanent access to the database. When there is a need for maintenance, such access occurs with the company's permission and under the supervision of technical specialists. At the same time, the system logs any data access requests.

Data storage in the company's database is organized under the requirements of the legislation of the relevant jurisdiction.

The only exception is that we are always ready to advise you on anonymity options. Also, we clearly explain what details of the incident should be provided to make it easier for the compliance team to complete their work quickly.

What happens to the information on the case after it's closed?

All information on the case in the database belongs to the company.

Companies independently approve data storage policies.

By default, any information on the case is kept for two months after the closure of the case. After that, the case undergoes a cleaning procedure: only a skeleton of important information is saved, and the system deletes all names and personal data.

Is there a risk of data loss?

Yes, there is.

However, we made sure to minimize it and provide for additional regular backups of encrypted data carriers.

Additionally, we use servers with geographical distribution in different locations. We use only the services of certified suppliers whose level of reliability is confirmed with the availability of their own backup procedures and smooth management.

To whom do you pass the information received from reporters?

The information entered into the web system immediately goes to your company's database.
The company decides on the list of users of the system independently.

Ethicontrol is physically unable to transfer information after it has been recorded in the database, and also has no right to transfer access rights to persons who have not been identified by the company as users of the system.

How long does it take to process the request and when to expect the follow-up?

Ethicontrol processes your messages at a glance.

Thus, adjusted for the speed of communication, your message automatically goes to the desktop of the responsible person in the company within 2-5 minutes.
Further, it all depends on the speed of the reaction team and the preciseness of your message.

The first clarifying questions may arise within 72 hours.

If the information is sufficient for investigation, the reaction team may take 3-15 business days to process the message. Accordingly, the first conclusions and results should be expected within 30 days after the registration of the message.

Of course, the cases differ, and especially complex incidents can require detailed investigations that can last several months and can also include dozens of iterations of communication between the reporter and the response team.

Typically, companies will establish their own reaction procedures using or modifying our typical process.

Regardless of the specifics of the company, Ethicontrollers believe that any message should be processed and resolved no longer than two months after its registration.

Are you involved in internal checks and investigations? If not, who is involved?

No.

Ethicontrol is only an isolated middleman of information between the reporters and the company.

We do not take part in the company's internal investigations and do not have access to the investigation materials. We provide a tool and are responsible for two-way communication, preservation of anonymity, and efficiency of the process.

How the reporter can receive feedback?

After contacting Ethicontrol, each whistleblower receives a unique secret code of the message. This code is an access code to the reporter's web office and a password for anonymous access to the information on the message through the contact center.

When entering the web account, you can see:

details of the primary message;
the status of processing your message;
questions and comments on your message from the reaction team;
the estimated date of the next feedback or change in the status of message processing.

All this information is available by phone if calling the hotline and giving the secret code of the message.

The system automatically monitors any changes in the message status and generates automatic notifications which immediately appear in the informant's web office.

If you identified yourself and left your contact information (email, phone), Ethicontrol sends you a notification by email or SMS with an invitation to visit the web account to get feedback. If you indicated the possibility of receiving calls by phone, then when feedback appears, the operators of the contact center will call you.

Does the call center provide services to foreign-language speakers?

Yes, provided that this feature is included in your company's tariff plan.

The basic language that does not require additional costs is English.

General