Who are informants / reporters / whistleblowers?
Informants are people who are not indifferent to the organization, its employees or the region, who have information that can benefit the organization or help to avoid harm, its employees or the region and, acting with the best intentions, want to help and willing to share important information.
Ethicontrol enables informants to report information anonymously, confidentially to the company or identifying themselves to the response team.
Anonymity means that the identity of the informant is unknown to anyone - neither to the representatives of Ethicontrol who received the message, nor to the response team, nor to other representatives of the company.
Confidentiality for the company provides for the disclosure of its name to the company Ethicontrol but excludes the transfer of this information to others without the consent of the informant. In such a situation, Ethicontrol acts as an intermediary between the informant and the company, protecting the anonymity of the informant.
Identification means that the informant discloses his name during the registration of the message and is ready to openly and independently, without the mediation of Ethicontrol, to cooperate with the organization.
However, identification does not mean that everyone should know who left the message. All information on the report and on informants is confidential and Ethicontrol provides access to it only to authorized members of the company's response teams, who are obliged to observe the appropriate confidentiality regime.
What is the purpose of whistleblowing hotline? Is it for employees or someone else?
By default, Ethicontrol's whistleblowing hotline is intended for any interested and not indifferent parties to the company: shareholders, employees, customers and suppliers, business partners, former employees, relatives of employees, residents of the surrounding territories, and others.
The target audience may vary on request of the company.
What is the price for Ethicontrol's services?
Our goal is to provide services at less cost than the cost of developing and maintaining such a tool on your own.
On the page Prices you can check how it works.
The service cost depends primarily on the number of employees in your company since this is the main factor in the load of our contact centre and web systems. Additional charges apply when working in multiple jurisdictions or when you want to improve our process or system significantly.
Each case is unique, and we are ready to take into consideration the wishes and budget of our clients as much as possible.
How do you guarantee anonymity and confidentiality?
Three things guarantee your anonymity and confidentiality.
The first is OUR AUTONOMY.
We don't depend on the owners, management, security services and any other employees of your company. Our autonomy allows us to call things by their proper names and not deviate from the main task of our company - preservation of your anonymity and confidentiality.
The second is OUR PROTECTION.
We are humans too, and, like you, we are worried about the safety of our health and life. Accordingly, the best way to protect yourself is to know nothing and not be technically able to learn something. "Zero-knowledge policy" is the principle we used when we came up with the architecture of our system.
In our system, information is distributed. We can only know a grain that is visible at the stage of registration of a message, and we did our best to prevent such information from being stored somewhere. We have no access to everything else.
This is the guarantee of our security and, at the same time, your anonymity. For more details, see the answer to the question "What information does Ethicontrol know about the company?" and check Security section.
Third - YOUR and OUR INFORMATION SECURITY.
Probably, this should come first.
On the one hand, if the informant himself violates simple rules of information security, there can be no guarantees. To remain anonymous, whistleblowers must strictly adhere to the rules. Our recommendations are listed in the Security section.
On the other hand, as an IT company, we take our own information security very seriously. That is why we select only contractors certified according to the best international standards, make every effort to maintain various encryption and security systems, and implement best practices in our own processes.
Can someone identify me by the phone call?
The task of Ethicontrol is to help informants preserve their anonymity (upon request) not only from the company but also from any third parties in general, including our service.
To do this, we never track the number of an incoming call, we do not record phone conversations, and our employees are trained to help you maintain anonymity.
To keep in touch with you in the future, we issue a unique secret code for each caller or visitor to the web profile. Using this code, you can independently check the status of message processing or get information on the case without identifying yourself in the future.
We ask you to adhere to the following rules to make the task as complicated or as expensive as possible for those wishing to identify you:
* do not make calls from the territory of your organization;
* do not make calls from the means of communication that belong to your company or about which it is notified;
* do not make calls from the means of communication which you used to make calls to the means of communication of your company (or about which it is notified);
* do not make calls in the presence of persons whom you do not trust;
* do not make calls in the presence of the means of communication from which you made calls to the means of communication of your company (or about which it is notified);
* do not transmit information that will help identify you indirectly.
We give similar recommendations regarding the use of the web form.
Why I'm asked to provide my personal data?
Although the Ethicontrol system is designed to work effectively with anonymous informants, practice shows that personal contact can be more.
For example, the life cycle of messages in which the informant identified himself takes 40% shorter on average than all others.
Therefore, we are always ready to provide an opportunity for informants to identify themselves and ask for such personal data as name, contact number or e-mail.
Which company information does Ethicontrol "know"?
In short, Ethicontrol knows about the company only what it allowed to know about itself.
Once again, Ethicontrol has no right to spread ANY information about the company, including the very fact of using the service without the written permission of the company.
More broadly, we should start with the very definition of "know" - let's understand this as an opportunity to register information, save and accumulate it, as well as the ability to duplicate it later, apply, use or distribute.
Accordingly, when we talk about registration or obtaining information - Ethicontrol receives general information about the company when registering and signing a service agreement. Such information includes name, organizational form, tax and bank details, contact persons, means of communication, address, location and name of organizational units, names and grounds for actions of the authorized management, as well as names and email addresses of users of the web system on behalf of companies.
Further, Ethicontrol's contact center receives information about the incidents that caused the concern of the informants. It contains the type of incident, what happened and when, who is to blame, who is the witness, who is the victim, and so on. This information passes through us, but we do not "remember" it.
It is due to the fact that any information which passed through the website or contact center goes directly to the database that belongs to your company.
"Directly" means that it is not registered or saved anywhere else. We only keep general information about the time and duration of the contact, the type and number of the incident, as well as the unique code of the informant.
Also, for information security reasons, we are implementing several measures to exclude the possibility of storing even a bit of confidential information. See the FAQ section for details.
We do not have permanent access to the database, and if maintenance is required, such access occurs after agreement with the company and under the supervision of its technical specialists. At the same time, the system records any requests for data access, and it is easy to check us.
The storage of your data in the company's database is organized under the requirements of the legislation of the relevant jurisdiction.
Thus, we do not have information about the company or events indicated in the reports of informants, and we only know what we are allowed to know.
What are the security guarantees for the informant? How to protect yourself from harassment?
Among the security guarantees or protection from retaliation for using the whistleblowing hotline, you can often see a written commitment from management, shareholders protection, or protection through courts and civil or criminal law mechanisms.
However, we cannot call such methods a GUARANTEE.
At Ethicontrol, we believe that the only guarantee of the informant's safety is his total ANONYMITY.
We recommend you to acquaint yourself with the corresponding section on the Question-Answer page.
How easy is it to hack the system?
Any system can be hacked - anonymous hackers prove it on the example of numerous American banks or US government agencies.
We designed the security system in such a way as to make hacking the system economically sensible - expensive and time-consuming.
For example, to decrypt an SSL-encrypted message sent from your browser through the Ethicontrol service, you need to spend the total capacity of a huge data center, which should work for at least two months on just one case. The cost of such a case is estimated at millions of dollars.
At the same time, after two months, according to our typical process, the message should have already been processed, verified, investigated and closed, significantly reducing the cost of disclosed confidential information.
Who do you pass the information received from informants?
The information entered into the web system immediately goes to your company's database.
The company decides on the list of users of the system independently.
Ethicontrol is physically unable to transfer information after it has been recorded in the database, and also has no right to transfer access rights to persons who have not been identified by the company as users of the system.
How long does it take to process the request and when to expect the follow up?
Ethicontrol processes your messages at a glance.
Thus, adjusted for the speed of communication, your message automatically goes to the desktop of the responsible person in the company within 2-5 minutes.
Further, it all depends on the speed of the reaction team and preciseness of your message.
The first clarifying questions may arise within 72 hours.
If the information is sufficient for investigation, the reaction team may take 3-15 business days to process the message. Accordingly, the first conclusions and results should be expected within 30 days after the registration of the message.
Of course, the cases differ, and especially complex incidents can require detailed investigations that can last several months and can also include dozens of iterations of communication between the informant and the response team.
Typically, companies will establish their own reaction procedures using or modifying our typical process.
Regardless of the specifics of the company, Ethicontrollers believe that any message should be processed and resolved in no longer than two months after its registration.
Are you involved in internal checks and investigations? If no, who is involved?
Ethicontrol is only an isolated middle man of information between the informants and the company.
We do not take part in the company's internal investigations and do not have access to the investigation materials. We provide a tool and are responsible for two-way communication, preservation of anonymity and efficiency of the process.