Protecting your Company
from Breaches and Liability

Application Security

Better Whistle software prioritizes security through industry-standard practices and extensive research.

Our software is based on the GlobaLeaks open-source whistleblowing platform. However, security and usability features were enhanced to meet the needs of the EU Whistleblowing Directive.

The EU Whistleblower Directive includes penalties for failing to prove adequate security and confidentiality, emphasising the importance of these updates.

This document provides an overview of the security measures in place.

Why This Matters

1. Protecting Employees
Employees should feel safe to raise concerns, ensuring a healthier work environment.
2. Maintaining Trust
Transparency and accountability can boost confidence among staff and stakeholders.
3. Legal Compliance
For businesses within the EU or having dealings with EU entities, non-compliance can have legal consequences.

Architecture

Our system consists of two main components: the Backend and the Client.

The Backend

EU-hosted servers in an ISO 27001-certified data center. We use a Python backend driven by a REST API.

The Client

Our JavaScript web application communicates with the backend via XMLHttpRequests.

Authentication

Authentication methods are crucial for data security.

Passwords

Administrators and recipients are given securely hashed credentials, using the Argon2 algorithm with individual salts for each user.
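The pattern behind "securely hashed credentials with individual salts" is shown below as an added example; it is not Better Whistle or GlobaLeaks code. The page states Argon2 is used, but the Python standard library has no Argon2, so hashlib.scrypt stands in here to show the same storage and verification pattern: a fresh random salt per user, the parameters stored alongside the digest, and a constant-time comparison on verification. The record format and work-factor values are assumptions for the example; an Argon2 deployment would use the argon2-cffi PasswordHasher in place of hashlib.scrypt.

```python
# Added example (not Better Whistle / GlobaLeaks code): per-user salted password
# hashing and verification. scrypt stands in for Argon2 because it is in the
# standard library; the storage/verification pattern is the same.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Work factors are assumed values; a deployment tunes them to its hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt$digest (base64 fields).

    A fresh 16-byte salt is drawn from the OS CSPRNG for every call, so two users
    with the same password end up with different records.
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the salt and parameters stored in the record."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: never treat as a match
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("different records for the same password:", rec_a != rec_b)
    print("verify correct:", verify_password("correct horse battery staple", rec_a))
    print("verify wrong:", verify_password("wrong password", rec_a))
```

The record is self-describing, so the work factors can be raised later for new passwords while old records still verify with the parameters they were created with.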

Two-Factor Authentication

Better Whistle supports 2FA using the TOTP algorithm with 160-bit secrets. Users can opt for 2FA, and administrators can enforce it.

Secure Anonymizer

Whistleblowers are able to access their reports anonymously and continue communication with the company, without revealing their identities, using a randomly-generated secure identifier.

Web Application Security

Better Whistle adheres to OWASP security guidelines.

Session Management

Sessions are assigned to authenticated users, with session IDs generated randomly. Sessions expire after 60 minutes, or when the user logs out or closes their browser.

XSRF Prevention

Cookies are minimised to reduce exposure to XSRF (cross-site request forgery) attacks. Authentication relies on a custom HTTP session header rather than a cookie.
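The session handling and header-based authentication described in the two sections above, as one added example (not Better Whistle or GlobaLeaks code): an in-memory store that issues random session IDs, expires them after 60 minutes or on logout, and a request check that accepts the session ID only from a custom header. The header name X-Session is an assumption for the example. The point of ignoring cookies is that a browser attaches cookies to a forged cross-site request automatically, but cannot add a custom header without a CORS preflight, so a request carrying only a cookie is rejected.

```python
# Added example (not Better Whistle / GlobaLeaks code): random session IDs with a
# 60-minute lifetime, logout, and authentication from a custom header only.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL = 60 * 60          # 60 minutes, as stated on the page
SESSION_HEADER = "X-Session"   # assumed header name for this example


@dataclass
class Session:
    user_id: str
    created_at: float
    expires_at: float


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL):
        self.ttl = ttl
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a new session; the ID is 256 bits from the OS CSPRNG."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, now, now + self.ttl)
        return sid

    def get(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session for `sid`, dropping it if it has expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now >= sess.expires_at:
            self._sessions.pop(sid, None)
            return None
        return sess

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def authenticate_request(store: SessionStore, headers: Dict[str, str],
                         now: Optional[float] = None) -> Optional[str]:
    """Return the user ID only if a valid session ID arrives in the custom header.

    Any Cookie header is ignored on purpose: it is the cookie that a cross-site
    request would carry, while the custom header cannot be forged that way.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sid = lowered.get(SESSION_HEADER.lower())
    if not sid:
        return None
    sess = store.get(sid, now)
    return sess.user_id if sess else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin")
    print("with header:", authenticate_request(store, {SESSION_HEADER: sid}))
    print("cookie only:", authenticate_request(store, {"Cookie": f"session={sid}"}))
    store.logout(sid)
    print("after logout:", authenticate_request(store, {SESSION_HEADER: sid}))
```

The `now` parameter exists so expiry can be exercised deterministically; the server would leave it unset and let wall-clock time apply.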

HTTP Headers

A set of HTTP headers is configured to enhance security, earning A+ scores on security tests.

Network & Connection Security

We employ an array of measures to keep our network access secured.

Encryption

All connections use TLS encryption. TLS certificates are generated with NIST Curve P-384.

Anonymity

Users can optionally access Better Whistle via the Tor network, providing even more anonymity.

Sandboxing

The system utilizes iptables to restrict incoming network connections, and can anonymize outgoing connections through Tor.

Data Encryption

Better Whistle employs encryption for data, file attachments, messages, and metadata. Various libraries such as Python-NaCL, PyOpenSSL, Python-Cryptography and PythonGnuPG are used.

Application Sandboxing

AppArmor is integrated into the system, enforcing strict sandboxing policies.

The application runs under a dedicated user and group with reduced privileges.

Database Security

The system uses a secure database. Security measures include secure deletion, automatic vacuuming of deleted entries, and limited database trust and functionality.

Other Measures

We also employ a variety of other security measures.

Browser History & Forensic Traces

The application minimizes forensic traces, especially when accessed via the Tor browser.

Secure File Management

Secure file downloads and encryption of temporary files are implemented to protect against malware.

Exception Logging and Redaction

Exception logs are automatically redacted to prevent information leaks.

Entropy Sources

The main source of entropy is /dev/urandom.

UUIDv4 Randomness

UUIDv4 is used for resource identification to enhance security.

TLS for SMTP Notification

All notifications are sent over TLS-encrypted channels via SMTP/TLS or SMTPS.

Ready to simplify compliance?

Better Whistle Benefits

Understanding the directive and setting up a system might seem daunting, but we have a hassle-free solution at Better Whistle.