Whistleblower

From TempusServa wiki
Jump to navigation Jump to search

Application

The LES Whistlebloaer Portal is fully managed by Tempus Serva Aps.

The system supports the following roles and usecases

  • Lawyer: Handles whistleblower cases
  • Tenant user: Handles whistleblower cases
  • Whistleblower: Anonoumous users that creates new cases

Whistleblower have the option to return to their case using a randomized code.

Hosting setup

The LES Whistleblower Portal is hosted by Amazon Webservices EC2 in the data center in Stockholm, which complies with the following standards PCI DSS 3.2 Level 1 Service Provider, FIPS 140-2, ISO 27001. The server is protected by 2 layers of firewalls and utilizes the following supported services:

  • SSL certificates are automatically updated monthly from LetEncrypt
  • UptimeRobot polls the server each minute checking
    • Access to database
    • Sufficient storage and RAM
  • Database is dumped nightly
    • Replicated to encrypted storage in EU
    • Rentention daily 60 days, monthly 2 years
  • Office365 SMTP service for sending emails

Technology Stack

The technological stack consists of:

  • LES Whistleblower Portal
  • TS No-code Platform
  • Apache Tomcat
  • MySQL
  • Amazon Linux 2

Security setup

The following security and compliance features are enabled and active:

  • Password policy: The enabled policy forces users to create passwords based on the following minimum criteria:
    • Minimum 8 characters
    • Must contain uppercase and lowercase letters
    • Must contain numbers
    • Must contain special characters
  • Multi-factor authentication (SMS)

Access to case management for attorney/lawyer at LES (ombudsman) and contact persons in the company, respectively, is protected with a username and password, followed by a session-specific One-Time-Password delivered as regular or Flash SMS, to verify the user’s identity.

  • Storage encryption (AWS + LUKS)

Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.

  • Encryption During Transmission

Communication is protected with SSL certificates and HTTPS (TLS). Numeric suites for HTTPS are continuously updated.

  • Activity and data logging
  • Versioning
  • GDPR deletion policies (anonymize after 60 days)
  • Event and system logging
  • Scrubbing of files (personally identifiable meta-data)

All files uploaded via the portal are cleaned of personally identifiable meta-data such as name, initials, geotags, etc. LES Whistleblower Portal supports all common file formats, including: MS O ce files, PDF, image formats like PNG, JPG, BMP etc., as well as media files MP3 and MP4.


Note that IP logging on server requests is disabled, in order to secure anonomity of the users.

See Security setup for additional information on security and compliance features available on TS No-code Platform.