Protecting your Company from Breaches and Liability
Application Security
Better Whistle software prioritizes security through industry-standard practices and extensive research.
Our software is based on the GlobaLeaks open-source whistleblowing platform. However, security and usability features were enhanced to meet the needs of the EU Whistleblowing Directive.
The EU Whistleblower Directive includes penalties for failing to prove adequate security and confidentiality, emphasising the importance of these updates.
This document provides an overview of the security measures in place.
Why This Matters
Employees should feel safe to raise concerns, ensuring a healthier work environment.
Transparency and accountability can boost confidence among staff and stakeholders.
For businesses within the EU or having dealings with EU entities, non-compliance can have legal consequences.
Architecture
The Backend
The backend runs on EU-hosted servers in an ISO 27001-certified data center. It is written in Python and driven by a REST API.
The Client
Our JavaScript web application communicates with the backend via XMLHttpRequests.
Authentication
Passwords
Administrator and recipient passwords are stored as securely hashed credentials, using the Argon2 algorithm with an individual salt for each user.
Two-Factor Authentication
Better Whistle supports 2FA using the TOTP algorithm with 160-bit secrets. Users can opt for 2FA, and administrators can enforce it.
Secure Anonymizer
Web Application Security
Session Management
XSRF Prevention
Cookie use is minimised to reduce exposure to XSRF attacks; authentication relies on a custom HTTP session header instead.
HTTP Headers
A set of HTTP headers is configured to enhance security, earning A+ scores on security tests.
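The two points above (authentication carried in a custom request header rather than a cookie, and a fixed set of security response headers) can be shown together in a small request handler. The code below is an added example in the style of the Python backend, not Better Whistle's or GlobaLeaks' own code; the header name X-Session, the in-memory session store and the exact header values are assumptions made for the example. The security-relevant property is that a browser never attaches a custom header on its own: a cross-site form post or image request carries only cookies, so it arrives without X-Session and is refused, and a cross-origin XMLHttpRequest that tries to set the header triggers a CORS preflight first.

```python
"""Header-based session authentication plus a baseline of security response headers.
Added example; X-Session and the header set are assumptions, not the product's exact API."""
import secrets
from typing import Dict, List, Optional, Tuple

# Baseline response headers applied to every reply (constructed for this example).
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; connect-src 'self'; "
                               "style-src 'self'; img-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


class SessionStore:
    """Maps opaque session tokens to user names. Tokens come from os.urandom."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)      # 256 random bits, URL-safe base64
        self._sessions[token] = user
        return token

    def lookup(self, token: Optional[str]) -> Optional[str]:
        if not token:
            return None
        return self._sessions.get(token)


def handle_request(method: str, headers: Dict[str, str],
                   store: SessionStore) -> Tuple[int, Dict[str, str], str]:
    """Authenticate solely from the X-Session request header.

    The Cookie header is deliberately ignored for authentication, so a forged
    cross-site request (which can only carry cookies) is rejected with 401
    regardless of what cookies the victim's browser attached.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    response_headers = dict(SECURITY_HEADERS)
    user = store.lookup(hdrs.get("x-session"))
    if user is None:
        return 401, response_headers, "authentication required"
    return 200, response_headers, f"{method} accepted for {user}"


def missing_headers(response_headers: Dict[str, str]) -> List[str]:
    """Report which baseline headers a response lacks; the check an external
    header scanner performs before awarding a grade."""
    present = {k.lower() for k in response_headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("recipient-1")
    # Forged cross-site request: only cookies arrive, no custom header.
    print(handle_request("POST", {"Cookie": "session=whatever"}, store)[0])   # 401
    # Legitimate XMLHttpRequest from the web client, carrying the session header.
    status, resp, _ = handle_request("POST", {"X-Session": token}, store)
    print(status, missing_headers(resp))                                      # 200 []
```

Keeping the session token out of cookies also removes the need for a separate anti-XSRF token: the client must read the token from its own memory and set the header explicitly on each XMLHttpRequest, which no cross-site page can do.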
Network & Connection Security
Encryption
All connections use TLS encryption. TLS certificate keys are generated on the NIST curve P-384.
Anonymity
Users can optionally access Better Whistle via the Tor network, providing even more anonymity.
Sandboxing
The system utilizes iptables to restrict incoming network connections, and can anonymize outgoing connections through Tor.
Data Encryption
Application Sandboxing
The application runs under a dedicated user and group with reduced privileges.
Database Security
Other Measures
Browser History & Forensic Traces
The application minimizes forensic traces, especially when accessed via the Tor browser.
Secure File Management
Secure file downloads and encryption of temporary files are implemented to protect against malware.
Exception Logging and Redaction
Exception logs are automatically redacted to prevent information leaks.
Entropy Sources
The main source of entropy is /dev/urandom.
UUIDv4 Randomness
UUIDv4 (random) identifiers are used for resource identification, so that identifiers are unpredictable rather than sequential.
TLS for SMTP Notification
All notifications are sent over TLS-encrypted channels via SMTP/TLS or SMTPS.