HR & Whistleblower Reporting Forms
Grievances, exit interviews, anonymous reports, workplace investigations — built for HR and compliance teams that need confidential reporting channels without handing raw data to a form provider. Zero-knowledge encryption, Swiss hosting, and an architecture designed around the EU Whistleblower Directive.

Whistleblower reporting, workplace grievances, and HR investigations share one property that most other business data does not: the reporter's willingness to speak depends entirely on their confidence that what they write will not be read by the wrong person. That confidence is hard to earn with a generic form tool whose provider can read every submission before it reaches the investigation team.
Schweizerform is built on the opposite premise. Every submission — a grievance, an anonymous tip, a harassment report, an exit-interview response — is encrypted in the reporter's browser before it reaches our servers. Schweizerform physically cannot read it. For organisations implementing the EU Whistleblower Directive (2019/1937), supporting works councils, or simply trying to run a functioning speak-up culture, that property is the difference between a channel that people trust and one they avoid.
Who this page is for
HR directors, compliance officers, general counsel, internal-audit leads, ombudspersons, and works-council representatives at organisations that operate in Switzerland, the EU, or both — and that need a reporting channel employees actually use.
Why Most Form Tools Fail Whistleblower Channels
Most online form tools operate on a conventional SaaS model: the reporter's browser sends plain-text data over HTTPS, and the provider's server stores it. That server can read everything. So can the provider's staff, their integration partners, anyone who compromises their infrastructure, and — depending on jurisdiction — any authority that serves a lawful order on the provider.
For most forms — marketing surveys, event RSVPs — that model is fine. For a whistleblower channel, it creates a specific problem: the reporter's identity and the content of their report sit in plain text on a third-party server the organisation does not control.
- An employee reports alleged harassment by a named manager; the provider's database contains a readable account, searchable by anyone with admin access
- A finance clerk flags suspicious accounting entries; the report lives next to the company's routine form submissions on the same provider's infrastructure
- An exit-interview response names specific colleagues as a reason for leaving; the answer is indexed, backed up, and potentially surfaced to analytics
- A subpoena or data-access request targets the form provider; the request reaches your whistleblower data without the reporter ever being notified
- The provider is acquired, changes privacy policy, or suffers a breach; every historical report is exposed at once
The EU Whistleblower Directive expects confidentiality by design
Directive (EU) 2019/1937 requires internal reporting channels to be designed, established, and operated in a way that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report (Art. 9). Plain-text storage at a provider who can read submissions is hard to reconcile with that requirement when it is technically avoidable.
How Schweizerform Preserves Confidentiality
Schweizerform is a zero-knowledge end-to-end encrypted form platform. The encryption happens in the reporter's browser, before any data leaves their device. Only holders of the form's Access Code can decrypt submissions. We — the provider — cannot.
You generate a form and an Access Code
When you create a whistleblower form, Schweizerform generates a key pair and an Access Code. The public key lives in the form; the Access Code is held only by the investigation team. Our servers never see it.
The reporter submits anonymously from any device
When an employee submits a report, their browser encrypts every field — and every uploaded document — with strong symmetric encryption, then wraps the symmetric key to the form's public key. Our servers receive encrypted blobs they cannot decrypt.
The investigation team decrypts in-browser
When an authorised investigator opens the submission, their browser fetches the encrypted blob, unwraps the symmetric key using the Access Code, and decrypts locally. The plain text never touches our servers.
Reporter identity is protected by architecture, not policy
Because we never see plain-text submissions, we cannot be compelled to hand them over, produce them in analytics, or expose them in a breach. Confidentiality is preserved by cryptography, not by trust in the vendor.
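The flow in the four steps above can be sketched with the browser's Web Crypto API. This is an added example, not Schweizerform's code: the algorithm choices (RSA-OAEP 3072 to wrap, AES-256-GCM for content), the function names and the sample report are assumptions, and because the page does not describe how the Access Code maps to the private key, the investigators simply hold the private key here.

```javascript
// Added illustration, not Schweizerform's implementation. Algorithms and names are assumptions.
// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

async function createForm() {
  // Step 1: the public key is published with the form; the private key never reaches the server.
  return wc.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 3072, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['wrapKey', 'unwrapKey']);
}

async function encryptReport(formPublicKey, reportText) {
  // Step 2 (reporter's browser): fresh content key and IV for every submission.
  const dek = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, dek, new TextEncoder().encode(reportText));
  // Wrap the content key to the form's public key; only the private-key holder can unwrap it.
  const wrapped = await wc.subtle.wrapKey('raw', dek, formPublicKey, { name: 'RSA-OAEP' });
  return { iv, ciphertext: new Uint8Array(ct), wrappedKey: new Uint8Array(wrapped) };
}

async function decryptReport(formPrivateKey, blob) {
  // Step 3 (investigator's browser): unwrap the content key, then decrypt locally.
  const dek = await wc.subtle.unwrapKey('raw', blob.wrappedKey, formPrivateKey,
    { name: 'RSA-OAEP' }, { name: 'AES-GCM' }, false, ['decrypt']);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv: blob.iv }, dek, blob.ciphertext);
  return new TextDecoder().decode(plain);
}

async function demo() {
  const form = await createForm();
  const report = 'Constructed sample report: invoice 4471 was approved twice.';
  const stored = await encryptReport(form.publicKey, report); // everything the server would hold
  const serverSeesPlaintext = new TextDecoder().decode(stored.ciphertext).includes('invoice');
  const recovered = await decryptReport(form.privateKey, stored);
  // GCM authenticates the ciphertext: a single flipped bit in storage makes decryption fail.
  const tampered = { ...stored, ciphertext: stored.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1;
  const tamperRejected = await decryptReport(form.privateKey, tampered).then(() => false, () => true);
  return { recovered, serverSeesPlaintext, tamperRejected };
}

demo().then((result) => console.log(result));
```

The stored object is the only thing a provider, breach or production order could reach in this model: an IV, a ciphertext and a key wrapped to a public key.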
Concrete Reporting Channels
Anonymous whistleblower intake
The core use case. A dedicated form, posted on the intranet or a public-facing compliance page, collects reports of suspected misconduct: financial irregularities, regulatory breaches, bribery, environmental violations, competition-law issues. The reporter chooses whether to disclose their identity; the channel itself makes no attempt to derive it from metadata we store.
Harassment, discrimination, and workplace safety reports
Reports that name specific individuals require the strongest confidentiality posture. A zero-knowledge channel means HR, line managers, and even IT administrators with infrastructure access cannot see the content of unopened reports. Only the investigation committee with the Access Code can.
Exit interviews and staff-survey free-text
Departing employees often share information they would not have shared while employed — feedback on culture, management, and specific incidents. Encrypting those responses protects both the employee (from retaliation) and the organisation (from the risk that exit-interview content leaks through a provider breach or legal request).
Works-council and union-liaison submissions
In jurisdictions with statutory employee-representation structures (Germany's Betriebsrat, France's CSE, Swiss company-specific bodies), a confidential submission channel between staff and their representatives benefits from the same property: no third-party cloud has readable access to the content.
Investigation intake and witness statements
During an active internal investigation, witness statements, evidence uploads, and timeline reconstructions are collected through secure forms. Each investigation can have its own form with its own Access Code, so the circle of people who can read a given matter is strictly scoped.
What Employees, Regulators, and Subpoenas See
| View | Generic provider | Schweizerform |
|---|---|---|
| Employee filing a report | Plain-text form, stored on vendor cloud | Plain-text form, encrypted in-browser before submission |
| Provider staff / support agent | Can read submission content | Cannot decrypt; sees encrypted blobs only |
| Subpoena served on the provider | Plain-text reports can be produced | Encrypted ciphertext only; useless without the Access Code |
| Provider breach | Readable reports and reporter identities exposed | Ciphertext exposed; content and identity remain unreadable |
Regulatory Context: EU Directive and Swiss Approach
The EU Whistleblower Directive (2019/1937) obliges most legal entities with 50 or more workers, and all public-sector bodies above a size threshold, to provide an internal reporting channel. Key properties the channel must have include confidentiality of the reporter and anyone mentioned, acknowledgement within 7 days, feedback within 3 months, and non-retaliation protection.
Switzerland, as of the time of writing, has not enacted a dedicated federal whistleblower law; a draft amendment to the Code of Obligations was rejected in 2020. Swiss employers none the less often choose to implement the EU standard either because they have EU subsidiaries in scope, because investor or ESG expectations push them that way, or because they see it as good practice. Schweizerform's architecture aligns with the confidentiality-by-design requirement either way.
Confidentiality is only one part of the directive
A compliant internal channel also involves defined acknowledgement timelines, a designated impartial person or department handling reports, documentation obligations, and a clear prohibition on retaliation. Schweizerform provides the technical confidentiality layer; your compliance programme provides the process around it.
Features Relevant to HR and Whistleblower Channels
- Zero-knowledge end-to-end encryption on every submission — no provider read access
- True anonymous submission mode — no account required, no reporter metadata collected by default
- Encrypted document uploads — memos, recordings, spreadsheets, and screenshots are encrypted in-browser before leaving the reporter's device
- Multi-language forms (EN / DE / FR / IT) out of the box — the same reporting form available in every official Swiss language and English
- Per-form Access Codes scoped to specific investigation teams — different matters can use different codes
- Swiss hosting with nFADP-aligned data-processing posture — response payloads do not leave Switzerland
- Audit log of access events (who opened an encrypted submission and when) without exposing submission content
- Free tier suitable for piloting a single reporting channel before rolling out company-wide
Common Objections
"Our reporters will never trust an online form — they want a phone hotline."
The directive explicitly allows written channels, oral channels, or both. Many organisations find that written channels attract different, often more detailed, reports — and that an encrypted written form is easier to scale than a 24/7 multilingual hotline. The two complement each other; Schweizerform addresses the written side.
"If we lose the Access Code, we lose the reports."
That is correct, and it is a deliberate property of zero-knowledge architecture. The recommended practice is a documented key-custody procedure — sealed envelopes held by two independent officers, split custody between compliance and legal, or a hardware security module — so that loss of one custodian does not lose access but no single person can unilaterally unlock submissions.
"We need to integrate with our case-management system."
Real integrations exist, but they must happen after decryption. The investigator's workstation decrypts a submission and then exports it into the case-management tool. An integration that happens on our server is by definition impossible because we do not have the keys.
"The works council is worried about surveillance."
That worry usually eases once the architecture is explained: the provider cannot read submissions, and the employer cannot read submissions unless they hold the Access Code — which is typically held by a jointly-appointed compliance officer or an external ombudsperson. The channel becomes harder for anyone to misuse, including the employer.
Rolling Out a Schweizerform Whistleblower Channel
Agree the scope and custody model
Decide which reports the channel covers (financial irregularities only, or the full directive scope), who holds the Access Code, and how key custody is split to avoid single-person risk.
Draft the form in all four languages
Keep fields short and optional. Offer a free-text description box, a category selector, optional attachment upload, and an optional contact field for reporters who want a dialogue. Publish the same form in EN / DE / FR / IT.
Publish the access point clearly
Link the form from the intranet, the careers page, the employee handbook, and supplier onboarding materials as applicable. A prominent, stable URL is part of the directive's accessibility expectation.
Train the investigation team on the access flow
The investigators who hold the Access Code decrypt submissions from their own browsers. Walk them through the flow, the acknowledgement timeline, and the documentation template.
Review annually
Re-test the channel at least annually: confirm the form is reachable, the Access Code is held by the right people, the acknowledgement process is functioning, and the retention policy is being applied.
The Bottom Line
A reporting channel is only as strong as the confidentiality that the reporter believes it offers. A form tool that can read every submission — however good its UI, however cheap its price — fails that test before the first report is ever filed.
Schweizerform offers a different proposition: zero-knowledge end-to-end encryption on every form, Swiss hosting, and a posture that aligns with the EU Whistleblower Directive's confidentiality-by-design requirement and with Swiss nFADP expectations. No paid upgrade for security. No US-cloud dependency for response data. No third-party-readable copy of sensitive reports on a server you do not control.
Start with a single reporting channel on the free tier. Swiss hosting, zero-knowledge encryption, and full EN / DE / FR / IT support — no credit card required.
Disclaimer: This page is general information and marketing content, not legal, regulatory, or labour-law advice. References to the EU Whistleblower Directive (2019/1937), the Swiss Code of Obligations, the nFADP, works-council frameworks, and related regimes are summarised at a conceptual level and are subject to jurisdictional interpretation and future legislative change. Responsibility for a compliant reporting channel — including non-retaliation measures, acknowledgement timelines, documentation, and impartial investigation — remains with the employer. Consult qualified Swiss/EU labour-law counsel and a data-protection specialist before making compliance or purchasing decisions.