The compliant whistleblowing channel, without the headaches — that no one, not even us, can read
Required by law? Managing compliance for multiple clients? A public body? Vocea solves your problem with a channel encrypted in the browser (zero-knowledge), ready in minutes and aligned with the latest authority guidelines.
Chosen by companies, public bodies, professional firms and software houses in Italy.
9f2a…cifrato nel browser
Regulations covered
National law of reference: EU · Directive 2019/1937
Anonymity treatment: Each Member State decides whether anonymous reports are accepted (EU Directive 2019/1937, art. 6.2); a reporter later identified remains protected (art. 6.3).
Vocea provides the tools for a compliant channel; full compliance also depends on the organisation’s appointments, DPIA and configuration. For binding advice, consult your supervisory body/compliance officer or a lawyer.
What's your situation?
Vocea starts from your problem, not from our features. Pick the profile that fits you best.
Required company
"I'm required by law: I want to get compliant fast, without hassle, and without risking penalties."
- Penalties reach up to €50,000 — even just for a missing or non-compliant channel.
- The 2025 authority guidelines say email or certified mail are no longer enough: you need a dedicated, encrypted platform.
- Between privacy assessments, appointments, deadlines and GDPR, you don't know where to start.
- Compliant channel live in minutes, with step-by-step guided onboarding.
- Statutory deadlines (7-day acknowledgement, 3-month feedback) tracked and reminded automatically.
- Art. 28 data processing agreement and DPIA template included: we lighten the privacy burden for you.
Consultant / Firm
"I want to offer whistleblowing to my clients and manage many of them from one place — ideally under my own brand."
- Your required clients ask you for a solution, but handling them one by one doesn't scale.
- You want a new value-added service, not to resell a generic product under someone else's brand.
- You need technical confidentiality guarantees to take on the role of external channel manager.
- Multi-client console: manage the channels of multiple organisations from a single dashboard as external manager.
- White-label: your logo and colours on your clients' channels, to offer the service under your own brand.
- Real zero-knowledge: as external manager only you have access, with your key — not even we can read.
Public body / RPCT
"A required public body: I need a compliant channel, with national digital-identity login, accessible, and data kept in-country."
- Public bodies are always required, regardless of headcount.
- You need digital identity login, accessibility and guarantees on data residency.
- The compliance officer must handle confidentiality, deadlines and traceability with no room for error.
- Login with national digital identity (SPID/CIE) and an accessibility-minded interface.
- Option with data residency in Italy, alongside the GDPR-compliant EU base hosting.
- Tamper-evident log (hash chain) and built-in statutory deadline tracking.
Put a whistleblowing channel inside your software
Vocea isn't just a standalone site: you can embed it inside your management software, portal or intranet. In a few lines your users report without ever leaving your software, while zero-knowledge encryption stays entirely on the client side. It's the ideal choice for software houses, ERPs and consultants who want to offer whistleblowing compliance as part of their own product.
Embeddable widget
Channel page embeddable via iframe (light/dark theme) or a wb-link.js snippet on your site. No cookies, no telemetry, no keys to manage: encryption happens in the user's browser.
/v1 API
REST gateway with an X-API-Key and least-privilege scopes (submit, read status): forward encrypted reports and attachments from your systems. The API exposes metadata and ciphertext, never plaintext. Guide at vocea.cloud/integrazioni.html.
Your brand (white-label)
Channel logo, colours and domain under your brand, multi-tenant to manage multiple clients. Offer whistleblowing as a module of your product, backed by Vocea's Italian compliance and support.
Already integrated by partner products in the suite via these same APIs.
Are you required to have a channel?
Just one of these conditions brings you under the Decree 24/2023 obligation.
50+ employees
Private organisations with at least 50 workers must set up an internal reporting channel.
Model 231
Organisations with an organisational Model 231 are required even below 50 employees.
Public sector & regulated
Public administration and regulated sectors (finance, anti-money-laundering, safety, environment) are required regardless of size.
Without a compliant channel, ANAC fines reach up to €50,000. And since 2025 the ANAC guidelines require a dedicated, encrypted platform: email or certified email are no longer enough.
And if you're not required? An internal listening channel is still a mark of integrity: reporting wrongdoing is first of all a civil right. Companies, associations and firms that aren't required also choose Vocea to build trust, ethics and reputation.
How Vocea works
An end-to-end flow designed around zero-knowledge cryptography.
For reporters
- 1
Open the channel
Visit the organization's public channel URL. No registration, no account.
- 2
Fill in the report
Describe the wrongdoing, choose a category, attach files, audio or video. You can stay fully anonymous.
- 3
Browser-side encryption
Everything is encrypted on your device before sending. The server only receives unreadable data.
- 4
Get your code
Receive a unique code to follow the status and chat securely with the officer.
For the Supervisory Body
- 1
Secure access
Sign in with SPID/CIE and two-factor authentication.
- 2
Local decryption
Load the private key in your browser and decrypt the report. The key is never sent.
- 3
Compliant handling
Update status, meet statutory deadlines, reply in chat and generate documentation.
- 4
Traceability
Every action is recorded in a tamper-evident log with a verifiable hash chain.
What zero-knowledge means
Encryption happens entirely in the reporter's browser using WebCrypto. The symmetric keys that protect the data are themselves encrypted with the recipients' RSA public keys. The server stores only ciphertext and wrapped keys: without the matching private key, the data is undecryptable.
Three keys, three layers of protection
K_content — Content
Protects the report text and attachments.
K_identity — Identity
Protects the reporter's identity, separate and optional.
K_metadata — Metadata
Protects management metadata added by the officer.
Technical anonymity, not just procedural
The law leaves anonymity as a choice; we make it real by design. We do not store the IP address, identity sits in a separate encrypted compartment and not even we hold the key: this is technical anonymity, stronger than the merely procedural anonymity required or allowed by the rules.
Not all channels are equal. The web channel (form or embedded widget) offers the strongest technical anonymity. Channels such as WhatsApp, where enabled, protect your identity — your number is never shown to the organization — but they are not technically anonymous: the message passes through third-party systems (WhatsApp/Meta and a delivery hub) before encryption. For maximum anonymity, choose the web channel.
Why Vocea, and not another
Italian compliance and real security, with no compromises.
Truly zero-knowledge
Unlike merely "encrypted" systems, where the provider holds the keys, here not even we can read reports: the key stays only with your manager. Always ask a vendor: "who holds the private key?".
Compliant by design
Decree 24/2023, 7-day and 3-month deadlines, DPA and DPIA template, alignment with ANAC guidelines and ISO 37002.
Data in the EU or Italy
GDPR-compliant European hosting, with an Italian data-residency option for public administration and critical entities.
Easy to use
For whistleblowers it feels like a chat; for the supervisory body, automatic deadlines and a tamper-proof log.
Italian compliance suite
Vocea is part of an Italian vertical suite (NIS2, 231, ESG): native compliance and support, not a global product retrofitted. One partner for several obligations.
Frequently asked questions
Everything you need to understand the service.
Who is required to set up the channel?
Private companies with 50+ employees, anyone with a Model 231 (even below 50), public administration and regulated sectors. The obligation has been fully in force since 17 December 2023.
Is the report really anonymous?
Yes, if you choose not to provide your identity. Data is encrypted directly in the browser and the IP address is not stored; if you decide to identify yourself, your identity travels in a separate, optional encrypted compartment. The assistant warns you if the text risks revealing who you are.
What does «zero-knowledge» mean?
It means the key to read reports stays only with the supervisory body. Our server only stores encrypted text: not even Vocea can read the content.
How much does it cost?
It depends on the plan and the size of your organisation. You can start with a free 30-day trial and request a tailored quote, with no commitment.
Where is the data stored?
On GDPR-compliant infrastructure in the European Union, with an Italian data-residency option for public administration and critical entities.
Is a dedicated email or PEC inbox enough?
No. The 2025 ANAC guidelines consider email inadequate and require a dedicated, encrypted platform such as Vocea.
What if my identity comes out later?
Even those who report anonymously remain protected by law if they are later identified and suffer retaliation (EU Directive 2019/1937, art. 6.3).
Vocea is coming
The platform goes live on 1 September 2026. Request information or a demo now — we'll reach out before launch.
Request information
Leave us your details: we'll get back to you for a demo or any question about Vocea. No commitment.
Are you a company? Activate your channel
A few guided steps to go live and stay compliant with Legislative Decree 24/2023, with anonymity and end-to-end encryption.
1. Request activation
Fill in the form below: we will get back to you to enable your organization.
2. Sign in to the console
At vocea.cloud/gestore with SPID/CIE digital identity: no password to manage.
3. Create the channel and onboard
Appoint managers and key holders, accept the DPA, fill in the DPIA: the platform guides you step by step.
4. Activate and publish
Activate the channel and share link and QR with staff: reports arrive end-to-end encrypted.
5. Integrate (optional)
From the console you issue API keys to connect HR, portals or intranet. Guide at vocea.cloud/integrazioni.html.
Access the platform
Restricted areas for reporters, for the Supervisory Body and for channel administrators.
Make a report
This channel protects your identity with zero-knowledge encryption. You can report anonymously.
Track your reportCreate a channel
Set up a compliant channel in minutes, with guided onboarding.
Create your whistleblowing channel