Free · no signup · print-ready

Whistleblower software RFP checklist

Sixteen axes EU procurement teams use to evaluate whistleblowing software. Compiled from Resolver's RFP checklist, Flustron's 12 selection criteria, and the May 2026 buyer roundups (Elker, EthicsPortal, SpeakUp). Vendor-agnostic.

01 INTAKE

Anonymous intake

Ask: Does the reporter UI store any identifier? IP? Email? Cookie? Device fingerprint? Also ask whether the CDN, WAF or load balancer in front of the app keeps access logs with reporter IPs, and for how long: an application that logs nothing is undermined by an edge proxy that logs everything.

✓ Good answer

Server-issued case code + reporter-chosen 6-digit secret. Secret is hashed (bcrypt). No email, no IP, no cookie, no fingerprint. Check the details: a 6-digit secret has only one million possible values, so the case code must be long and random, guesses per case code must be throttled, and the hash must be slow.

✗ Red flag

Reporter must create an account or provide an email. IP is logged for 'fraud prevention'. Cookies set even before form submission.

Confidly's answer

Case code + bcrypt-hashed 6-digit secret. No IP, no email, no fingerprint. Two-way chat without de-anonymising.
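To make the axis-01 check concrete, here is an added illustration of the case-code-plus-secret scheme the checklist describes. It is not Confidly's code or any vendor's, and it makes assumptions the page does not: a 12-character case code from a 32-symbol alphabet (about 60 bits of entropy), the standard library's scrypt standing in for bcrypt so the example runs without third-party packages, and a lockout of fifteen minutes after five failed guesses. The point it shows is where the security actually lives: the reporter's 6-digit secret has under 20 bits, so the unguessable case code, the slow hash and the throttle do the work, and the stored record contains nothing that identifies the reporter.

```python
"""Anonymous reporter credential: server-issued case code + 6-digit secret.

Added example, not Confidly's code. Hypothetical choices: 12-char case code,
hashlib.scrypt in place of bcrypt, lockout after 5 failures for 15 minutes.
"""
import hashlib
import math
import os
import secrets
import time
from typing import Dict, Optional, Tuple

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, easier to read back
CASE_CODE_LEN = 12       # 32**12 = 2**60 possibilities: the entropy lives here
SECRET_LEN = 6           # 10**6 possibilities: far too few to stand alone
MAX_FAILURES = 5         # throttle guesses against a single case code
LOCKOUT_SECONDS = 15 * 60

# In-memory stand-in for the case table. Note what is NOT here:
# no e-mail, no IP address, no cookie, no device fingerprint.
CASES: Dict[str, dict] = {}


def new_case_code() -> str:
    """Server-issued, cryptographically random case code."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CASE_CODE_LEN))


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted key derivation. bcrypt (as the page names) plays the same role."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                          dklen=32, maxmem=64 * 1024 * 1024)


def open_case(secret: str) -> str:
    """Create a case; store only the salted hash of the reporter's secret."""
    if not (len(secret) == SECRET_LEN and secret.isdigit()):
        raise ValueError("secret must be exactly 6 digits")
    code = new_case_code()
    salt = os.urandom(16)
    CASES[code] = {"salt": salt, "hash": _derive(secret, salt),
                   "failures": 0, "locked_until": 0.0}
    return code


def verify(code: str, secret: str, now: Optional[float] = None) -> bool:
    """Check a (case code, secret) pair with per-case lockout."""
    now = time.time() if now is None else now
    rec = CASES.get(code)
    if rec is None:
        _derive(secret, b"\x00" * 16)  # burn a KDF so timing does not reveal valid codes
        return False
    if now < rec["locked_until"]:
        return False  # locked: refuse even a correct secret until the lock expires
    if secrets.compare_digest(_derive(secret, rec["salt"]), rec["hash"]):
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["failures"] = 0
        rec["locked_until"] = now + LOCKOUT_SECONDS
    return False


def record_fields(code: str) -> set:
    """What the server actually keeps per case (useful for a privacy review)."""
    return set(CASES[code].keys())


def guess_space_bits() -> Tuple[float, float]:
    """Entropy of the case code versus the secret, in bits."""
    return (round(CASE_CODE_LEN * math.log2(len(ALPHABET)), 1),
            round(math.log2(10 ** SECRET_LEN), 1))


if __name__ == "__main__":
    code = open_case("123456")
    print(code, verify(code, "123456"), verify(code, "000000"), guess_space_bits())
```

The lockout is per case code rather than per IP precisely because the server has no IP to key on; that is the trade the anonymity requirement forces, and it is why the case code itself has to carry the entropy.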

02 INTAKE

Oral / phone reporting

Ask: Can reporters file a report orally? How? Is the channel staffed or transcribed?

✓ Good answer

Toll-free EU number. Either staffed 24/7 or AI-transcribed with auto-redaction. Oral reporting is required under HinSchG § 16 (DE), Loi Sapin II (FR) and D.lgs 24/2023 (IT).

✗ Red flag

Web-only intake. No phone or voicemail. Vendor says 'reporters can email instead' (this does not satisfy the oral-reporting requirement).

Confidly's answer

Reporters can attach audio or video recordings to a web submission (oral statement upload). Native PSTN/voicemail intake is on roadmap; if a human-answered hotline is a hard requirement, look at LegalTegrity or Whistlelink.

03 INTAKE

Multi-language support

Ask: How many languages is the form pre-translated into? What handles incoming reports in long-tail languages?

✓ Good answer

The bar is now 30–80 pre-translated languages, or 6–10 pre-translated plus AI translation for the long tail.

✗ Red flag

Under 10 languages with no AI fallback. Per-language add-on fees stacked on top of headline price.

Confidly's answer

6 pre-translated form languages (EN/DE/FR/IT/ES/NL) + AI translation for 25+ incoming languages. All included.

04 INTAKE

Country-specific compliance

Ask: Is the form auto-configured for each national transposition? Or is it a generic 'EU Directive' template?

✓ Good answer

Categories, disclosures and fields auto-set per country: HinSchG, Loi Sapin II, D.lgs 24/2023, Ley 2/2023, Wbk.

✗ Red flag

Generic global form. 'EU Directive-aligned'. You must manually research and configure each country yourself.

Confidly's answer

Country-specific intake templates auto-configured for HinSchG, Loi Sapin II, D.lgs 24, Ley 2, Wbk and the other transpositions.

05 COMPLIANCE

EU data residency

Ask: Where is data stored? Can you choose the country? Are SCCs (Standard Contractual Clauses) required for any sub-processor?

✓ Good answer

EU-only by default. SCC-free for EU customers. Per-channel residency on enterprise tiers (DE entity stores in DE, FR in FR).

✗ Red flag

'EU option available' (must request, may cost extra). Sub-processors in US or non-adequate countries. SCCs required.

Confidly's answer

EU-only by default. SCC-free. Per-channel residency on Enterprise (DE → DE, FR → FR).

06 COMPLIANCE

Audit log + retention

Ask: Is the audit log append-only, and how is that enforced (hash chain, signatures, write-once storage)? Is it exportable, and can you verify an export has not been edited? Can you set per-channel retention?

✓ Good answer

Append-only, exportable (CSV/JSON), configurable retention per channel, right-to-erasure with audit trail.

✗ Red flag

Audit log is mutable. No retention controls. Right-to-erasure requires a support ticket.

Confidly's answer

Append-only. CSV/JSON export on Enterprise. Per-channel retention on Enterprise. One-click right-to-erasure with audit trail.
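The two properties asked about in axis 06, append-only and right-to-erasure with audit trail, pull in opposite directions unless the log is designed for both. The following is an added example of one way to reconcile them; it is not Confidly's export format or any vendor's, and the JSON-lines layout, field names and sample entries are hypothetical. Each entry commits to the previous entry's hash, so editing, reordering or removing an entry breaks every later hash; an erasure drops the personal data but keeps the payload's hash and appends an "erase" record, so the chain still verifies and the erasure itself is on the record. The verifier is what a procurement team could run over an export.

```python
"""Tamper-evident append-only audit log with logged right-to-erasure.

Added example, not any vendor's code. The JSON-lines layout is hypothetical.
"""
import hashlib
import json
from typing import Dict, Optional

GENESIS = "0" * 64
TOMBSTONE = {"erased": True}


def _h(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def _canon(obj) -> str:
    # Canonical JSON so writer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _entry_hash(seq, ts, actor, action, payload_hash, prev) -> str:
    # The payload itself is not hashed here, only its commitment, so a
    # payload can be erased later without breaking the chain.
    return _h(_canon([seq, ts, actor, action, payload_hash, prev]))


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, ts: str, actor: str, action: str, payload: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        payload_hash = _h(_canon(payload))
        entry = {"seq": seq, "ts": ts, "actor": actor, "action": action,
                 "payload": payload, "payload_hash": payload_hash, "prev": prev,
                 "hash": _entry_hash(seq, ts, actor, action, payload_hash, prev)}
        self.entries.append(entry)
        return entry

    def erase(self, seq: int, ts: str, actor: str, reason: str) -> dict:
        """Right to erasure: drop the data, keep the commitment, log the act."""
        self.entries[seq]["payload"] = dict(TOMBSTONE)
        return self.append(ts, actor, "erase", {"target_seq": seq, "reason": reason})

    def export_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify_export(jsonl: str) -> Optional[int]:
    """Return None if the export is intact, else the seq of the first bad entry."""
    entries = [json.loads(line) for line in jsonl.splitlines()]
    # Every tombstone must be explained by a later, logged erase action
    erased_ok = {e["payload"].get("target_seq") for e in entries if e["action"] == "erase"}
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i                       # reordered, inserted or deleted entry
        if e["payload"] == TOMBSTONE:
            if i not in erased_ok:
                return i                   # silently blanked, no erase record
        elif _h(_canon(e["payload"])) != e["payload_hash"]:
            return i                       # payload edited in place
        if _entry_hash(e["seq"], e["ts"], e["actor"], e["action"],
                       e["payload_hash"], e["prev"]) != e["hash"]:
            return i                       # metadata edited in place
        prev = e["hash"]
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed sample log; returns the verifier's verdict per scenario."""
    log = AuditLog()
    log.append("2026-05-01T09:00:00Z", "system", "case.created", {"case": "C-1"})
    log.append("2026-05-01T09:05:00Z", "investigator-1", "note.added",
               {"case": "C-1", "note": "spoke to the named manager"})
    log.append("2026-05-01T09:10:00Z", "investigator-1", "status.changed",
               {"case": "C-1", "status": "in_progress"})
    log.erase(1, "2026-05-02T10:00:00Z", "dpo", "erasure request")
    intact = log.export_jsonl()

    def mutate(fn):
        es = [json.loads(l) for l in intact.splitlines()]
        fn(es)
        return "\n".join(json.dumps(e, sort_keys=True) for e in es)

    edited = mutate(lambda es: es[0].update(actor="admin"))
    blanked = mutate(lambda es: es[2].update(payload=dict(TOMBSTONE)))
    deleted_middle = mutate(lambda es: es.pop(2))
    return {"intact": verify_export(intact), "edited": verify_export(edited),
            "blanked": verify_export(blanked), "deleted_middle": verify_export(deleted_middle)}


if __name__ == "__main__":
    print(demo())
```

One limit worth knowing when scoring a vendor's answer: a hash chain on its own cannot detect truncation of the most recent entries, because nothing follows them. Anchoring the latest hash outside the vendor's system, for example by keeping your own periodic export, closes that gap.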

07 COMPLIANCE

Reporter status updates

Ask: Is the 7-day acknowledgement and 3-month feedback (Directive Art. 9) automated, or manual?

✓ Good answer

Automatic, in the reporter's language, with audit-logged delivery confirmation.

✗ Red flag

Manual. Vendor says 'you can configure email reminders' (this means you still have to write and send them).

Confidly's answer

Auto at 7 days and 3 months, in the reporter's language, audit-logged. The Directive Art. 9 acknowledgement and feedback deadlines are met by default.

08 INVESTIGATION

AI summary, classify, draft

Ask: Does AI summarise reports, classify severity, translate incoming language, and draft acknowledgement replies? Is every action human-confirmed?

✓ Good answer

Native AI for all four. Advisory, with every action human-confirmed before it lands in the audit log.

✗ Red flag

Vendor markets 'AI-powered' but the actual feature is keyword auto-tagging. AI actions land in the audit log without confirmation.

Confidly's answer

AI summarises, classifies severity, translates, drafts replies. Every action advisory and human-confirmed.

09 INVESTIGATION

AI case clustering

Ask: Does the platform surface when multiple anonymous reports describe the same underlying pattern?

✓ Good answer

AI clusters by department, actor descriptors and timeframe, surfacing systemic issues that manual triage of individual reports is unlikely to catch.

✗ Red flag

No equivalent. Each report stands alone; pattern detection is left to humans, which rarely happens once volume grows.

Confidly's answer

AI case clustering on Pro: multi-reporter pattern detection. The single biggest investigation differentiator.

10 INVESTIGATION

Workflow, playbooks, escalation

Ask: Can you define playbooks per category? Auto-escalation when cases stall? Conflict-of-interest detection on investigator assignment?

✓ Good answer

Custom playbooks (checklists, sub-tasks, deadlines, artefacts). Auto-escalation. Conflict-of-interest detector when assigning investigators.

✗ Red flag

Fixed workflow. No deadlines. Conflict-of-interest is a manual gut check.

Confidly's answer

Custom playbooks per category, auto-escalation rules, conflict-of-interest detector all on Pro.

11 INVESTIGATION

Role-based access, ombudsperson

Ask: Can you give external counsel time-boxed per-case access without giving them admin? Owner/admin/investigator/viewer roles?

✓ Good answer

Granular roles. Internal-only notes. Time-boxed external counsel access (ombudsperson seats) with full audit visibility.

✗ Red flag

Binary access: admin or nothing. External counsel must be granted full admin to see one case.

Confidly's answer

Four roles. Internal-only notes. External ombudsperson seats on Enterprise with time-boxed per-case access.

12 ORGANIZATIONS

HRIS + workplace integration

Ask: Native sync with Personio, BambooHR? Slack and Teams notifications? Auto-revoke on offboarding?

✓ Good answer

Native HRIS connectors (not Make.com), anonymous-safe Slack/Teams alerts, auto-revoke on offboarding, flag when a named-in-report person leaves.

✗ Red flag

'Available via Zapier/Make' (you pay third-party automation fees). Slack notifications leak case content.

Confidly's answer

Native Personio, BambooHR connectors on Pro. Anonymous-safe Slack and Teams alerts. Auto-revoke + named-person-leaves flag.

13 ORGANIZATIONS

Multi-entity / holdings

Ask: One operator view across subsidiaries? Isolated audit trails per entity? Per-entity roles and residency?

✓ Good answer

Multi-entity console with fully isolated audit trails per subsidiary. Per-entity roles and per-channel residency.

✗ Red flag

One channel per entity (silos). No cross-entity overview. Each entity needs its own paid subscription.

Confidly's answer

Multi-entity console on Enterprise. Up to 5 channels with isolated audit trails. Per-channel residency.

14 ORGANIZATIONS

Reporting + benchmarks

Ask: Auto-generated annual compliance report (country-tailored)? Quarterly board PDF? Anonymised peer benchmarks?

✓ Good answer

Annual report auto-generated in the format the national enforcement body expects. Board PDF. Peer benchmarks where vendor scale allows.

✗ Red flag

You build the annual report yourself in Excel. No board-ready output. No benchmarks.

Confidly's answer

Annual compliance report (country-tailored PDF) on Pro. Quarterly board report on Enterprise. Peer benchmarking on roadmap.

15 TRUST

ISO certifications

Ask: ISO 27001 (infosec) is table-stakes; check that the certificate scope actually covers the whistleblowing service. Does the vendor have 37001 (anti-bribery) or 37301 (compliance management)? Note that 37002 (whistleblowing management) is a guidance standard, not a certifiable one, so 'aligned with 37002' is the most any vendor can truthfully claim.

✓ Good answer

ISO 27001 certificate published, with a scope that includes the product. Certification or audit in progress toward 37001/37301, and documented 37002 alignment.

✗ Red flag

No published certifications. 'GDPR-compliant' as the only trust signal.

Confidly's answer

ISO 27001 audit on annual roadmap. 37002 alignment posture for whistleblowing management.

16 COST

Total cost over 3 years

Ask: What is the full 3-year cost at your headcount, including per-employee, per-channel, per-language and per-module add-ons?

✓ Good answer

Transparent tier pricing on a public page. All core features included. No per-language or per-channel fees. Predictable scale.

✗ Red flag

Quote-only. Add-on creep (per-language, per-channel, per-module). Per-employee scaling that bites past 200.

Confidly's answer

€49 / €149 / €399 (Starter / Pro / Enterprise) on a public page. All languages, all channels, all core features included.

FAQ

Is this checklist tied to Confidly?
The 16 axes are the canonical EU buyer-evaluation taxonomy, compiled from Resolver's RFP checklist, Flustron's 12 selection criteria and the EU buyer roundups (Elker, EthicsPortal, SpeakUp, May 2026). They apply to any vendor evaluation. The 'Confidly answers' column shows how Confidly responds to each axis; that column is editorial. The framework is vendor-agnostic.
Can I download this as a PDF?
Yes. Press Ctrl+P (Cmd+P on Mac) and choose 'Save as PDF' as the destination. The page is print-styled so the output is clean: no navigation, no CTA, just the 16-axis checklist on 3–4 pages. Confidly does not put this resource behind an email gate.
How should I use this in an actual RFP?
Copy the 'Question' column into your RFP document; rate each vendor's response against the 'Good' and 'Red flag' columns. The checklist is structured so a procurement officer with no whistleblowing background can run the evaluation in 2–3 hours per vendor.
What's missing from this checklist?
Three things you may also want to score depending on your context: (1) Mobile reporter app (some buyers want native iOS/Android, not mobile-web). (2) Multimedia reporting (native voice + video upload). (3) Outsourced case handling (some vendors offer staffed case management as a managed service). The 16 axes here cover the legal, operational and security minimums.

Ready to evaluate Confidly against your RFP?

14-day free trial. EU-hosted. No credit card. The same 16 axes, answered live in the product.

Multi-entity? Talk to us →