HinSchG & EU Directive 2019/1937 Compliant

The Open Source Whistleblower Platform

Free, self-hosted, and 100% compliant with HinSchG and EU Directive 2019/1937. Protect your whistleblowers, protect your organization — with zero IP logging and mandatory two-factor authentication.

Version 0.1.0 GPL-3.0 Python 3.14 Docker
HinSchG compliant
DSGVO / GDPR
No IP logging
Open Source
Self-hosted
Two-factor access
The Problem

Commercial tools shouldn't be required by law

Since July 2023, the Hinweisgeberschutzgesetz (HinSchG) obligates companies with 50 or more employees to operate a secure internal reporting channel. Yet most compliant software starts at €50 per month — for a legal obligation.

Worse: these commercial platforms are typically cloud-hosted, meaning your reports — and potentially your employees' identities — reside on third-party servers. Every cloud deployment carries GDPR risk.

OpenWhistle gives you a fully compliant, fully self-hosted reporting platform at no cost. Your data never leaves your infrastructure. The source code is open for audit. There is no vendor lock-in.

A free whistleblower system (kostenloses Hinweisgebersystem) — compliant with §§ 12–18 HinSchG from day one.

Feature          OpenWhistle         Commercial
Cost             Free forever        €50–200/month
Hosting          Self-hosted         Cloud (3rd party)
Source code      Open (GPL-3.0)      Closed
GDPR / DSGVO     Fully compliant     Depends on vendor
IP logging       Never               Often
Customizable     Yes                 Limited
Audit trail      Full, local         Vendor-controlled
Core Capabilities

Everything required by law, nothing more

Every design decision in OpenWhistle prioritises the safety of the whistleblower and the legal obligations of the organisation.

Anonymous Reporting

No IP addresses are ever logged, even at the nginx layer. Four independent layers of anonymity protection ensure the whistleblower cannot be identified from technical metadata alone.

Two-Factor Report Access

Whistleblowers receive a unique case number and UUID4 PIN after submission. Both are required to access or update their report — no account, no email address required.

HinSchG Compliance

Built-in 7-day acknowledgement deadline and 3-month feedback deadline tracking per §17 HinSchG, with colour-coded dashboard warnings for administrators.

Bidirectional Communication

Admin and whistleblower can exchange messages through the same secure channel. Full audit trail without compromising the reporter's identity at any point.

Multi-Factor Admin Auth

Admin login requires password plus TOTP (RFC 6238) or OIDC single sign-on. No single point of compromise. Web-based setup wizard for first-run configuration.

Bruteforce Protection

Redis-based rate limiting on all report access attempts. Session-token based, never IP-based — anonymity is preserved even during abuse mitigation.
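The two application-side layers described above (dropping the remote address before any handler runs, and rate limiting keyed on a session token rather than an address), as an added example that is not OpenWhistle's own code. It is written against the plain WSGI interface; the in-memory dict is an assumed stand-in for the Redis counter.

```python
# Added example, not OpenWhistle's own code. The dict below stands in for Redis.
import secrets
import time

# WSGI environ keys through which a client address can reach the application,
# directly or via reverse-proxy headers.
ADDRESS_KEYS = ("REMOTE_ADDR", "REMOTE_HOST", "HTTP_X_FORWARDED_FOR",
                "HTTP_X_REAL_IP", "HTTP_FORWARDED", "HTTP_CF_CONNECTING_IP")

def strip_client_address(app):
    """Wrap a WSGI app so that no request handler ever sees an address."""
    def wrapped(environ, start_response):
        for key in ADDRESS_KEYS:
            environ.pop(key, None)
        return app(environ, start_response)
    return wrapped

class TokenRateLimiter:
    """Fixed-window limiter keyed by session token; the address is never used."""

    def __init__(self, limit: int, window_seconds: int, now=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.now = now       # injectable clock (tests); real deployments use time
        self._hits = {}      # token -> (window_start, count); Redis stand-in

    @staticmethod
    def new_token() -> str:
        # Random per-browser-session token; carries no identifying metadata.
        return secrets.token_urlsafe(32)

    def allow(self, token: str) -> bool:
        """True while the token stays within `limit` in the current window."""
        start, count = self._hits.get(token, (self.now(), 0))
        if self.now() - start >= self.window:
            start, count = self.now(), 0   # window expired: start a new one
        count += 1
        self._hits[token] = (start, count)
        return count <= self.limit
```

Dropping the address inside the application does not change what the reverse proxy writes to its own access log; the nginx log format must also omit $remote_addr, which is the "even at the nginx layer" the page refers to.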

The Process

Simple for whistleblowers. Powerful for administrators.

Whistleblower: Submit & Track Anonymously

1. Fill the anonymous form. No account required. No email address. No personal information collected. The submission form is accessible at a public URL, so any employee can use it.
2. Receive case number + PIN. Immediately after submission, the whistleblower receives a unique case number and a UUID4 PIN. These must be stored securely — there is no recovery mechanism.
3. Check status & communicate. Enter the case number and PIN to view case status, read admin responses, and send follow-up messages at any time — all without revealing identity.

Administrator: Review & Respond Within Deadline

1. Receives notification. The admin is notified of new reports via the dashboard. The §17 acknowledgement deadline timer starts immediately. Login requires password and TOTP code.
2. Reviews in dashboard. The admin dashboard shows all open cases with deadline countdowns. All communication with the whistleblower is routed through the anonymised message thread.
3. Responds within legal deadlines. Acknowledgement within 7 days and substantive feedback within 3 months as required by §17 HinSchG. Deadlines are colour-coded and flagged in the dashboard.
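The case-number-plus-UUID4-PIN access scheme from the Core Capabilities section and the steps above, as an added example that is not OpenWhistle's own code. The case-number format and the choice to keep only a salted PBKDF2 hash of the PIN are this example's assumptions; the page does not say how the PIN is stored, but hashing it is what makes "no recovery mechanism" hold on the server side as well.

```python
# Added example, not OpenWhistle's own code. Case-number format and PIN hashing
# are this example's assumptions.
from __future__ import annotations
import hashlib
import hmac
import secrets
import uuid

PBKDF2_ROUNDS = 600_000          # assumed work factor; tune to your hardware
_DUMMY = (bytes(16), bytes(32))  # used for unknown case numbers (see verify)

def new_case_number(year: int, counter: int) -> str:
    """Human-readable case number such as 'WB-2025-000042' (format assumed)."""
    return f"WB-{year}-{counter:06d}"

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

class CaseStore:
    """Stores case number -> (salt, pin_hash). The PIN itself is never stored."""

    def __init__(self) -> None:
        self._cases: dict[str, tuple[bytes, bytes]] = {}
        self._counter = 0

    def issue(self, year: int) -> tuple[str, str]:
        """Create a case; returns (case_number, pin). Show the PIN exactly once."""
        self._counter += 1
        case_no = new_case_number(year, self._counter)
        pin = str(uuid.uuid4())          # 122 random bits in canonical UUID form
        salt = secrets.token_bytes(16)
        self._cases[case_no] = (salt, hash_pin(pin, salt))
        return case_no, pin

    def verify(self, case_no: str, pin: str) -> bool:
        """Both factors must match. An unknown case number still costs a full
        hash and a constant-time compare, so response time does not reveal
        which case numbers exist."""
        salt, expected = self._cases.get(case_no, _DUMMY)
        return hmac.compare_digest(hash_pin(pin, salt), expected)
```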
Legal Framework

Built for German and European law

OpenWhistle implements every statutory requirement — not just the headline obligations but the detailed procedural requirements that auditors and regulators check.

§17 HinSchG

Acknowledgement & Feedback

The law mandates a 7-day acknowledgement and a 3-month substantive feedback deadline, with a legally required bidirectional communication channel.

  • 7-day acknowledgement deadline per §17 Abs. 1
  • 3-month feedback deadline per §17 Abs. 2
  • Secure bidirectional channel per §17 Abs. 3
  • Dashboard countdown timers with escalating warnings
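The §17 deadline tracking described above, as an added example that is not OpenWhistle's own code. It reads the three-month period as running from the acknowledgement, or from receipt plus seven days when no acknowledgement was sent, which is the wording of §17 Abs. 2; the page itself does not state the start point. The amber warning thresholds are this example's assumptions.

```python
# Added example (not OpenWhistle's code); the warn thresholds are assumptions.
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

ACK_DAYS = 7             # §17 Abs. 1: acknowledge receipt within 7 days
FEEDBACK_MONTHS = 3      # §17 Abs. 2: substantive feedback within 3 months
ACK_WARN_DAYS = 2        # assumed: amber with 2 days or fewer left
FEEDBACK_WARN_DAYS = 14  # assumed: amber with 14 days or fewer left

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month
    (30 Nov + 3 months -> 28 Feb in a common year)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def status(due: date, done_on: date | None, today: date, warn_days: int) -> str:
    """done / done_late / ok (green) / warning (amber) / overdue (red)."""
    if done_on is not None:
        return "done" if done_on <= due else "done_late"
    left = (due - today).days
    return "overdue" if left < 0 else "warning" if left <= warn_days else "ok"

@dataclass
class Case:
    received: date
    acknowledged_on: date | None = None
    feedback_on: date | None = None

    @classmethod
    def from_iso(cls, received, acknowledged_on=None, feedback_on=None) -> Case:
        conv = lambda s: None if s is None else date.fromisoformat(s)
        return cls(conv(received), conv(acknowledged_on), conv(feedback_on))

    @property
    def ack_due(self) -> date:
        return self.received + timedelta(days=ACK_DAYS)

    @property
    def feedback_due(self) -> date:
        if self.acknowledged_on is not None:
            return add_months(self.acknowledged_on, FEEDBACK_MONTHS)
        return add_months(self.received, FEEDBACK_MONTHS) + timedelta(days=ACK_DAYS)

    def dashboard(self, today: date | str) -> dict[str, str]:
        today = date.fromisoformat(today) if isinstance(today, str) else today
        return {"ack": status(self.ack_due, self.acknowledged_on, today, ACK_WARN_DAYS),
                "feedback": status(self.feedback_due, self.feedback_on, today, FEEDBACK_WARN_DAYS)}
```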
DSGVO Art. 5

GDPR Data Minimization

Article 5(1)(c) of the GDPR requires collecting only the minimum data necessary. OpenWhistle takes this literally: no IP, no session identity, no fingerprint.

  • No IP addresses stored at any layer
  • No browser fingerprinting
  • Right to erasure: hard DELETE in PostgreSQL
  • Self-hosted: data never leaves your infrastructure
EU 2019/1937

EU Whistleblower Directive

The directive covers organizations with 50 or more employees and all public bodies. Germany implemented it via HinSchG, effective 2 July 2023.

  • Covers private sector from 50 employees
  • All federal and state public authorities
  • Municipalities with 10,000+ residents
  • Financial sector regardless of size
Quick Start

Deploy in under 5 minutes

OpenWhistle ships as a Docker image published to GitHub Container Registry, Docker Hub, and quay.io. A single docker compose up -d starts the application, PostgreSQL, Redis, and nginx.

After first boot, the /setup route opens an in-browser wizard to create your admin account and configure TOTP two-factor authentication. The wizard disables itself permanently after completion.

All configuration is managed via environment variables in a single .env file. No YAML configuration files, no complex setup.

System Requirements
  • Docker 24 or newer
  • Docker Compose v2
  • 512 MB RAM minimum
  • PostgreSQL 18 (included)
  • Redis 8 (included)
  • Domain with valid HTTPS certificate
# Clone the repository
$ git clone https://github.com/openwhistle/OpenWhistle.git
$ cd OpenWhistle

# Create .env from the example and set SECRET_KEY and the database credentials
$ cp .env.example .env
$ nano .env

# Start all services
$ docker compose up -d
► Network openwhistle_default Created
► Container openwhistle-db-1 Started
► Container openwhistle-redis-1 Started
► Container openwhistle-app-1 Started
► Container openwhistle-nginx-1 Started

# Open the setup wizard
$ open http://localhost:4009/setup
FAQ

Frequently asked questions

Common questions about OpenWhistle, HinSchG compliance, anonymity guarantees, and deployment.

Is OpenWhistle really free?
Yes. OpenWhistle is licensed under the GNU General Public License v3.0. It is completely free, forever — there is no enterprise tier, no paid features, and no subscription. You can self-host it on your own infrastructure at no cost. The source code is publicly available on GitHub.
Does it comply with HinSchG (Hinweisgeberschutzgesetz)?
Yes. OpenWhistle implements all requirements of §§ 16–18 HinSchG, including the 7-day acknowledgement deadline (§17 Abs. 1), the 3-month feedback deadline (§17 Abs. 2), the bidirectional communication channel (§17 Abs. 3), identity confidentiality (§8), and data deletion (§26).
Is the whistleblower truly anonymous?
No IP addresses are stored anywhere in the system. nginx strips X-Forwarded-For headers, the application middleware drops the remote address before any processing, there is no IP column in the database schema, and Redis session tokens carry no identifying metadata. These are the four independent anonymity layers.
Can I use OpenWhistle for my company?
Yes. OpenWhistle is designed for any organization subject to HinSchG — private-sector companies with 50 or more employees, all federal and state public authorities, municipalities with 10,000+ residents, and financial sector firms. The GPL-3.0 license explicitly permits commercial self-hosted use.
What are the technical requirements?
Docker 24 or newer, Docker Compose v2, at least 512 MB RAM, PostgreSQL 18 and Redis 8 (both included in the Docker Compose configuration), and a domain with a valid HTTPS certificate. A standard VPS with 1 vCPU and 1 GB RAM is sufficient for most organisations.
Is there commercial support available?
Community support is available via GitHub Issues. The project welcomes contributions, bug reports, and feature requests. There is currently no paid support tier. Contributions to the project are welcome and appreciated.
How is it different from EQS, BKMS, or other commercial tools?
OpenWhistle is entirely self-hosted — your data never leaves your infrastructure. It is open source under GPL-3.0, so you can audit every line of code. Commercial tools like EQS Integrity Line or BKMS typically cost €50–200/month, run on external cloud infrastructure (creating GDPR exposure), and have closed source code. OpenWhistle is free, fully auditable, and you control the data.
Is OpenWhistle a free whistleblower system?
Yes. OpenWhistle is free, open-source software for internal reporting offices under the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG). The software is licensed under GPL-3.0 and can be self-hosted free of charge indefinitely. There are no paid features, no subscription, and no forced cloud use. Your data remains on your own infrastructure.