🛡 Vocea
🚀 Available from 1 September 2026

The compliant whistleblowing channel, without the headaches — that no one, not even us, can read

Required by law? Managing compliance for multiple clients? A public body? Vocea solves your problem with a channel encrypted in the browser (zero-knowledge), ready in minutes and aligned with the latest authority guidelines.

Compliant with EU Directive 2019/1937 · GDPR · national law

Chosen by companies, public bodies, professional firms and software houses in Italy.

🔒 Zero-knowledgevocea.cloud
░▒▓█ AES-256-GCM █▓▒░
9f2a…cifrato nel browser
📄
K_content
🪪
K_identity
🏷️
K_metadata
🛡️ RSA-4096
🔑 chiave solo all'OdV

Regulations covered

Direttiva UE 2019/1937D.Lgs. 24/2023GDPR Art. 9Linee Guida ANACISO 37002 (allineamento)

National law of reference: EU · Directive 2019/1937

Anonymity treatment: Each Member State decides whether anonymous reports are accepted (EU Directive 2019/1937, art. 6.2); a reporter later identified remains protected (art. 6.3).

Vocea provides the tools for a compliant channel; full compliance also depends on the organisation’s appointments, DPIA and configuration. For binding advice, consult your supervisory body/compliance officer or a lawyer.

Tailored solutions

What's your situation?

Vocea starts from your problem, not from our features. Pick the profile that fits you best.

🏢

Required company

"I'm required by law: I want to get compliant fast, without hassle, and without risking penalties."

  • Penalties reach up to €50,000 — even just for a missing or non-compliant channel.
  • The 2025 authority guidelines say email or certified mail are no longer enough: you need a dedicated, encrypted platform.
  • Between privacy assessments, appointments, deadlines and GDPR, you don't know where to start.
  • Compliant channel live in minutes, with step-by-step guided onboarding.
  • Statutory deadlines (7-day acknowledgement, 3-month feedback) tracked and reminded automatically.
  • Art. 28 data processing agreement and DPIA template included: we lighten the privacy burden for you.
Get compliant
🤝

Consultant / Firm

"I want to offer whistleblowing to my clients and manage many of them from one place — ideally under my own brand."

  • Your required clients ask you for a solution, but handling them one by one doesn't scale.
  • You want a new value-added service, not to resell a generic product under someone else's brand.
  • You need technical confidentiality guarantees to take on the role of external channel manager.
  • Multi-client console: manage the channels of multiple organisations from a single dashboard as external manager.
  • White-label: your logo and colours on your clients' channels, to offer the service under your own brand.
  • Real zero-knowledge: as external manager only you have access, with your key — not even we can read.
Become a partner
🏛️

Public body / RPCT

"A required public body: I need a compliant channel, with national digital-identity login, accessible, and data kept in-country."

  • Public bodies are always required, regardless of headcount.
  • You need digital identity login, accessibility and guarantees on data residency.
  • The compliance officer must handle confidentiality, deadlines and traceability with no room for error.
  • Login with national digital identity (SPID/CIE) and an accessibility-minded interface.
  • Option with data residency in Italy, alongside the GDPR-compliant EU base hosting.
  • Tamper-evident log (hash chain) and built-in statutory deadline tracking.
Solution for public bodies
🧩 The Vocea surprise

Put a whistleblowing channel inside your software

Vocea isn't just a standalone site: you can embed it inside your management software, portal or intranet. In a few lines your users report without ever leaving your software, while zero-knowledge encryption stays entirely on the client side. It's the ideal choice for software houses, ERPs and consultants who want to offer whistleblowing compliance as part of their own product.

🧩

Embeddable widget

Channel page embeddable via iframe (light/dark theme) or a wb-link.js snippet on your site. No cookies, no telemetry, no keys to manage: encryption happens in the user's browser.

🔌

/v1 API

REST gateway with an X-API-Key and least-privilege scopes (submit, read status): forward encrypted reports and attachments from your systems. The API exposes metadata and ciphertext, never plaintext. Guide at vocea.cloud/integrazioni.html.

🏷️

Your brand (white-label)

Channel logo, colours and domain under your brand, multi-tenant to manage multiple clients. Offer whistleblowing as a module of your product, backed by Vocea's Italian compliance and support.

Already integrated by partner products in the suite via these same APIs.

Are you required to have a channel?

Just one of these conditions brings you under the Decree 24/2023 obligation.

👥

50+ employees

Private organisations with at least 50 workers must set up an internal reporting channel.

📋

Model 231

Organisations with an organisational Model 231 are required even below 50 employees.

🏛️

Public sector & regulated

Public administration and regulated sectors (finance, anti-money-laundering, safety, environment) are required regardless of size.

Without a compliant channel, ANAC fines reach up to €50,000. And since 2025 the ANAC guidelines require a dedicated, encrypted platform: email or certified email are no longer enough.

And if you're not required? An internal listening channel is still a mark of integrity: reporting wrongdoing is first of all a civil right. Companies, associations and firms that aren't required also choose Vocea to build trust, ethics and reputation.

How Vocea works

An end-to-end flow designed around zero-knowledge cryptography.

For reporters

  1. 1

    Open the channel

    Visit the organization's public channel URL. No registration, no account.

  2. 2

    Fill in the report

    Describe the wrongdoing, choose a category, attach files, audio or video. You can stay fully anonymous.

  3. 3

    Browser-side encryption

    Everything is encrypted on your device before sending. The server only receives unreadable data.

  4. 4

    Get your code

    Receive a unique code to follow the status and chat securely with the officer.

For the Supervisory Body

  1. 1

    Secure access

    Sign in with SPID/CIE and two-factor authentication.

  2. 2

    Local decryption

    Load the private key in your browser and decrypt the report. The key is never sent.

  3. 3

    Compliant handling

    Update status, meet statutory deadlines, reply in chat and generate documentation.

  4. 4

    Traceability

    Every action is recorded in a tamper-evident log with a verifiable hash chain.

🔒 Zero-knowledge

What zero-knowledge means

Encryption happens entirely in the reporter's browser using WebCrypto. The symmetric keys that protect the data are themselves encrypted with the recipients' RSA public keys. The server stores only ciphertext and wrapped keys: without the matching private key, the data is undecryptable.

Three keys, three layers of protection

📄

K_content — Content

Protects the report text and attachments.

🪪

K_identity — Identity

Protects the reporter's identity, separate and optional.

🏷️

K_metadata — Metadata

Protects management metadata added by the officer.

Technical anonymity, not just procedural

The law leaves anonymity as a choice; we make it real by design. We do not store the IP address, identity sits in a separate encrypted compartment and not even we hold the key: this is technical anonymity, stronger than the merely procedural anonymity required or allowed by the rules.

Not all channels are equal. The web channel (form or embedded widget) offers the strongest technical anonymity. Channels such as WhatsApp, where enabled, protect your identity — your number is never shown to the organization — but they are not technically anonymous: the message passes through third-party systems (WhatsApp/Meta and a delivery hub) before encryption. For maximum anonymity, choose the web channel.

Why Vocea, and not another

Italian compliance and real security, with no compromises.

🔒

Truly zero-knowledge

Unlike merely "encrypted" systems, where the provider holds the keys, here not even we can read reports: the key stays only with your manager. Always ask a vendor: "who holds the private key?".

Compliant by design

Decree 24/2023, 7-day and 3-month deadlines, DPA and DPIA template, alignment with ANAC guidelines and ISO 37002.

🇮🇹

Data in the EU or Italy

GDPR-compliant European hosting, with an Italian data-residency option for public administration and critical entities.

Easy to use

For whistleblowers it feels like a chat; for the supervisory body, automatic deadlines and a tamper-proof log.

🧩

Italian compliance suite

Vocea is part of an Italian vertical suite (NIS2, 231, ESG): native compliance and support, not a global product retrofitted. One partner for several obligations.

Frequently asked questions

Everything you need to understand the service.

Who is required to set up the channel?

Private companies with 50+ employees, anyone with a Model 231 (even below 50), public administration and regulated sectors. The obligation has been fully in force since 17 December 2023.

Is the report really anonymous?

Yes, if you choose not to provide your identity. Data is encrypted directly in the browser and the IP address is not stored; if you decide to identify yourself, your identity travels in a separate, optional encrypted compartment. The assistant warns you if the text risks revealing who you are.

What does «zero-knowledge» mean?

It means the key to read reports stays only with the supervisory body. Our server only stores encrypted text: not even Vocea can read the content.

How much does it cost?

It depends on the plan and the size of your organisation. You can start with a free 30-day trial and request a tailored quote, with no commitment.

Where is the data stored?

On GDPR-compliant infrastructure in the European Union, with an Italian data-residency option for public administration and critical entities.

Is a dedicated email or PEC inbox enough?

No. The 2025 ANAC guidelines consider email inadequate and require a dedicated, encrypted platform such as Vocea.

What if my identity comes out later?

Even those who report anonymously remain protected by law if they are later identified and suffer retaliation (EU Directive 2019/1937, art. 6.3).

🚀 Available from 1 September 2026

Vocea is coming

The platform goes live on 1 September 2026. Request information or a demo now — we'll reach out before launch.

Request information

Leave us your details: we'll get back to you for a demo or any question about Vocea. No commitment.

Fields marked with * are required.

Are you a company? Activate your channel

A few guided steps to go live and stay compliant with Legislative Decree 24/2023, with anonymity and end-to-end encryption.

1

1. Request activation

Fill in the form below: we will get back to you to enable your organization.

2

2. Sign in to the console

At vocea.cloud/gestore with SPID/CIE digital identity: no password to manage.

3

3. Create the channel and onboard

Appoint managers and key holders, accept the DPA, fill in the DPIA: the platform guides you step by step.

4

4. Activate and publish

Activate the channel and share link and QR with staff: reports arrive end-to-end encrypted.

5

5. Integrate (optional)

From the console you issue API keys to connect HR, portals or intranet. Guide at vocea.cloud/integrazioni.html.

Access the platform

Restricted areas for reporters, for the Supervisory Body and for channel administrators.

Make a report

This channel protects your identity with zero-knowledge encryption. You can report anonymously.

Track your report

Officer area

Reports list

Restricted area access

Create a channel

Set up a compliant channel in minutes, with guided onboarding.

Create your whistleblowing channel