Send a report with the utmost confidentiality.

CONFIDENTIALITY, INFRASTRUCTURE, AND IT SECURITY

CONFIDENTIALITY

The report is accessible only to you and to the Supervisory Body of UPMC Italy, ISMETT or SMIH to which it is addressed. Through this platform you can send a report securely and confidentially and, if you wish, entirely anonymously.

Confidential reporting: a confidential report is one in which the whistleblower is identifiable. To send one, either register first and then submit the report from your account, or use the form in the “Report without registration” section and enter your personal data at the end of it. The reporting party’s data are stored separately from the report, so the report itself reaches the recipient Supervisory Body without a name attached. Only the Supervisory Body can associate the report with the whistleblower’s data and thus view the whistleblower’s identity.

Anonymous reports: an anonymous report cannot be associated with the whistleblower’s name, because no such data are stored at all. In this case the whistleblower does not need to register and can send the report as an unregistered user in the “Report without registration” section.

This platform guarantees the confidentiality and security of information: all content you enter, including your identity, is encrypted and can be read only by you and by the Supervisory Body that receives the report.

Once you have sent the report, you can follow its progress and continue to communicate with the Supervisory Body through the message area associated with the report. Again, all information is encrypted and protected by the platform. If you have provided an e-mail address (or if you have registered), you will be notified by e-mail when the Supervisory Body sends you a message. In any case, we advise you to access your report periodically to check for requests for clarification from the Supervisory Body. For the sake of confidentiality, we recommend that you do not use a company e-mail address.

If you have given your name or sent your report as a registered user, your identity remains hidden even from the Supervisory Body, which can nevertheless view it if it deems this necessary. In that case, you will be informed by a notice within the report.

For the sake of confidentiality, we suggest that you

  1. do not include personal data that could be traced to your identity in the description of the reported incident;
  2. do not use a company e-mail address for registration or to receive notifications from the system;
  3. do not send a report from your workstation.

INFRASTRUCTURE AND IT SECURITY

The whistleblowing management software, in line with the law, guarantees the highest levels of security both for the whistleblower and for the infrastructure used.

Security of the whistleblower and the reports

Asymmetric encryption of textual contents and attachments: encryption requires no specific action from the user. The cryptographic system ensures that messages and attachments can be read only by the sender and the recipient, by means of a public/private key pair.

Log-in

Access regulated in accordance with privacy legislation: reports can be accessed only by entering credentials (for registered users) or the codes associated with the report (for unregistered users).

IT Security

Separation of the report from the whistleblower’s identity: as provided in ANAC Determination no. 6 of April 28, 2015, Part III, Chapter 2, the secrecy of the whistleblower’s identity is guaranteed by the application, which separates the registration process from the report submission process so that the two sets of data are kept apart; the whistleblower’s name does not appear in the report. The Supervisory Body can activate a procedure through which the system links the whistleblower’s identity to the report, when it considers this necessary and in the cases provided by law. The Supervisory Body must enter a motivation for its request to reveal the whistleblower’s identity. This action is automatically notified to the whistleblower by the application and is recorded in the system logs.
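The two mechanisms described above, asymmetric encryption of report contents and the separation of the report from the whistleblower's identity with a motivated, logged and notified reveal procedure, can be modelled in a few dozen lines. The Go program below is an added example written for this page; it is not DigitalPA's code and makes no claim about how the platform is actually implemented. It assumes a single RSA key pair held by the Supervisory Body; it uses hybrid encryption (a fresh AES-256-GCM key per item, wrapped with RSA-OAEP) so that attachments of any size can be sealed, and it stores identities under random ids in a store separate from the reports. The sender's own readable copy and the report access codes, which the page mentions, are not modelled. The names Envelope, Platform, Submit, RevealIdentity and newSBKey are constructed for the example, and the caller initialises the Platform maps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Envelope: body encrypted under a fresh AES-256-GCM key, key wrapped with RSA-OAEP for one recipient.
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// newSBKey generates a Supervisory Body key pair (demo only: real keys live in the Body's key store).
func newSBKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// seal encrypts plaintext so that only the holder of pub's private key can read it.
func seal(plaintext []byte, pub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand.Read never returns an error (Go 1.24+)
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key)  // cannot fail: the key is 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block size GCM requires
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// open unwraps the AES key with priv; any other private key fails the OAEP check.
func open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not a recipient of this envelope")
	}
	block, err := aes.NewCipher(key) // the unwrapped key is stored data: validate its length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Platform keeps reports and identities in separate stores; a report record never carries a name.
// The caller initialises the three maps.
type Platform struct {
	Reports    map[string]*Envelope // reportID -> sealed content
	Identities map[string]*Envelope // random id -> sealed "reportID|name|email" (the only link)
	Notices    map[string][]string  // reportID -> notices shown to the reporter inside the report
	Audit      []string             // system log of identity reveals
}

func randomID() string {
	b := make([]byte, 8)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// Submit seals the report for the Supervisory Body; a confidential report (name given) also gets an identity record.
func (p *Platform) Submit(sbPub *rsa.PublicKey, content, name, email string) (string, error) {
	env, err := seal([]byte(content), sbPub)
	if err != nil {
		return "", err
	}
	id := randomID()
	p.Reports[id] = env
	if name == "" { // anonymous report: nothing links it to anyone
		return id, nil
	}
	idEnv, err := seal([]byte(id+"|"+name+"|"+email), sbPub)
	if err != nil {
		return "", err
	}
	p.Identities[randomID()] = idEnv // random key: insertion order cannot correlate the two stores
	return id, nil
}

// RevealIdentity needs a motivation and the Supervisory Body's private key; a successful
// link is written to the system log and announced to the whistleblower inside the report.
func (p *Platform) RevealIdentity(reportID, motivation string, sbPriv *rsa.PrivateKey) (string, error) {
	if strings.TrimSpace(motivation) == "" {
		return "", errors.New("a motivation is required to reveal a whistleblower")
	}
	for _, rec := range p.Identities {
		pt, err := open(rec, sbPriv)
		if err != nil {
			return "", errors.New("only the Supervisory Body's key can unseal identities")
		}
		if parts := strings.SplitN(string(pt), "|", 3); parts[0] == reportID {
			p.Audit = append(p.Audit, reportID+": "+motivation)
			p.Notices[reportID] = append(p.Notices[reportID], "The Supervisory Body has viewed your identity: "+motivation)
			return parts[1] + " <" + parts[2] + ">", nil
		}
	}
	return "", errors.New("no identity on file for this report (anonymous or unknown)")
}
```

Under these assumptions nothing in Reports carries a name, an identity record can be opened only with the Supervisory Body's private key, and RevealIdentity refuses an empty motivation; a successful link appends to Audit and to the report's Notices, which is the behaviour the paragraph above describes. Scanning the identity store on every reveal is deliberate: any plaintext index from report id to identity record would itself be the link the separation is meant to prevent.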

DigitalPA dedicated servers: maximum levels of data protection and security, guaranteed both by DigitalPA and by the server farm infrastructure, both certified under ISO 27001/2014.

Integrated hardware and software firewalls: every platform has an integrated firewall with strict rules that limit access and actions exclusively to the tasks the user must perform with the software; integrating the different firewalls strengthens security further.

SSL certificate: the whistleblowing software is accessible exclusively over HTTPS. In current deployments this means TLS, since the SSL 2.0 and 3.0 protocol versions are deprecated; “SSL certificate” is the common name for the server certificate used by TLS. A dedicated IP address and certificate are issued for each client.

User input validation: the platform is built around validating user input. All input is checked against strict rules both on the client and on the server, so that client-side checks can be bypassed without consequence.

CSRF prevention: all state-changing requests handled by the platform are protected by a CSRF token.
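As an added example of the two web-layer controls named above, HTTPS-only access and CSRF tokens, the Go program below is written for this page and is not the platform's or DigitalPA's code. It wires a plain-HTTP listener that only redirects, an HTTPS listener with TLS 1.2 as the floor and an HSTS header, and a synchronizer-token CSRF check on every state-changing request. The session store (an in-memory map), the cookie name, the form field names, the /report route and the certificate file names are constructed for the example; a production service would keep the tokens in its real session store and use its own certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"sync"
)

// tlsConfig sets TLS 1.2 as the floor: SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated.
func tlsConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// redirectToHTTPS is all the plain-HTTP listener does: send every request to HTTPS.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// withHSTS tells browsers to use HTTPS only for this host for one year.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// Synchronizer-token CSRF protection: one random token per session, kept server-side.
// csrfTokens is an in-memory stand-in for the session store (constructed for this example).
var (
	csrfMu     sync.Mutex
	csrfTokens = map[string]string{}
)

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error (Go 1.24+)
	return hex.EncodeToString(b)
}

// csrfToken returns the session's token, minting one on first use.
func csrfToken(sid string) string {
	csrfMu.Lock()
	defer csrfMu.Unlock()
	if _, ok := csrfTokens[sid]; !ok {
		csrfTokens[sid] = randomHex(32)
	}
	return csrfTokens[sid]
}

// csrfValid needs a stored, non-empty token and a constant-time match. The emptiness check
// matters: ConstantTimeCompare("", "") succeeds, so an unknown session plus no token would pass.
func csrfValid(sid, submitted string) bool {
	csrfMu.Lock()
	tok := csrfTokens[sid]
	csrfMu.Unlock()
	return tok != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(submitted)) == 1
}

// csrfProtect rejects every state-changing request whose form token does not match its session's.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
		default:
			c, err := r.Cookie("session")
			if err != nil || !csrfValid(c.Value, r.FormValue("csrf_token")) {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// newHandler wires the report form: GET issues a hardened session cookie and a form carrying
// the token; POST is reached only through csrfProtect.
func newHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/report", func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			fmt.Fprint(w, "report received")
			return
		}
		sid := randomHex(16)
		http.SetCookie(w, &http.Cookie{Name: "session", Value: sid, Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode})
		fmt.Fprintf(w, `<form method="post"><input type="hidden" name="csrf_token" value="%s"><textarea name="description"></textarea></form>`, csrfToken(sid)) // token is hex: safe to embed
	})
	return withHSTS(csrfProtect(mux))
}

func main() {
	go func() { log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))) }()
	srv := &http.Server{Addr: ":443", Handler: newHandler(), TLSConfig: tlsConfig()}
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem")) // file names are assumptions
}
```

The token is bound to the session through the server-side map, so a token lifted from one session does not validate another, and the `Secure`, `HttpOnly` and `SameSite=Lax` attributes on the session cookie reduce what a cross-site page or script can do with it in the first place. Safe methods (GET, HEAD, OPTIONS) are exempt because the handler never changes state on them; a form that did would need the token too.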