What the Directive actually mandates.
Article 9 of EU Directive 2019/1937 requires: (a) a channel that ensures the confidentiality of the identity of the reporting person and any third parties mentioned in the report; (b) written acknowledgment of receipt within seven days; (c) diligent follow-up within three months. Recital 85 is explicit: "confidential" means technical confidentiality — not just a policy statement, but encryption at rest and in transit that prevents unauthorized access.
Most vendor implementations are web forms that write the submission to a database. That database is accessible to the IT team that administers the system, to the vendor under their hosting terms, and potentially to law enforcement through the hosting provider's jurisdiction. None of these satisfy the technical confidentiality requirement in Recital 85.
Technically confidential delivery.
The reporting person uploads their report (a document, a file, a voice recording) via a one-time ParaShare link generated by the compliance officer. Paramant encrypts the upload with ML-KEM-768 + AES-256-GCM. The relay holds only the ciphertext; only the designated compliance officer's account can decrypt. After the officer downloads, the relay wipes the ciphertext from RAM. The ML-DSA-65 receipt records that a delivery occurred — not what was delivered, and not who sent it.
Paramant does not log the identity of senders. The reporting person shares no personal data with Paramant beyond the technical metadata of an HTTPS request. The relay is a zero-knowledge intermediary.
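The relay behaviour described above, sketched as an added example (this is not Paramant's code). Assumptions: the ciphertext arrives already encrypted by the client and is treated as opaque bytes, HMAC-SHA256 stands in for the ML-DSA-65 receipt signature, and the `Relay` class, its two-token scheme (the download token stands in for the officer's account login) and the receipt field names are hypothetical.

```python
import hashlib, hmac, json, secrets, time

# Stand-in for the relay's receipt key; the page's receipts are ML-DSA-65 signatures.
RECEIPT_KEY = secrets.token_bytes(32)

def _h(token):
    # Index by hash so bearer tokens themselves are never stored.
    return hashlib.sha256(token.encode()).hexdigest()

def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RECEIPT_KEY, msg, hashlib.sha256).hexdigest()

class Relay:
    """Hypothetical RAM-only relay: one ciphertext per one-time link, burned on read."""

    def __init__(self):
        self._uploads = {}  # sha256(upload token) -> slot id
        self._slots = {}    # slot id -> None (awaiting upload) or bytearray

    def create_link(self):
        # Upload token goes to the reporter; download token stays with the officer.
        up, down = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._uploads[_h(up)] = _h(down)
        self._slots[_h(down)] = None
        return up, down

    def upload(self, up, ciphertext):
        sid = self._uploads.pop(_h(up), None)  # the link works exactly once
        if sid is None:
            raise PermissionError("unknown or already used link")
        self._slots[sid] = bytearray(ciphertext)  # opaque to the relay
        # Receipt carries no sender field, no filename, no content hash.
        body = {"id": secrets.token_hex(8), "received_at": int(time.time())}
        return {**body, "tag": _mac(body)}

    def download(self, down):
        sid = _h(down)
        if self._slots.get(sid) is None:
            raise LookupError("nothing to deliver")
        buf = self._slots.pop(sid)  # a second read finds no slot
        data = bytes(buf)
        buf[:] = bytes(len(buf))    # best-effort overwrite of the relay's buffer
        return data

def verify_receipt(receipt):
    body = {k: v for k, v in receipt.items() if k != "tag"}
    return hmac.compare_digest(receipt.get("tag", ""), _mac(body))
```

The overwrite in `download` is best effort only: Python may keep other copies of the bytes, so a real RAM-wiping relay needs a language with explicit memory control.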
EU 2019/1937 article-by-article.
| Requirement | Paramant control |
|---|---|
| Art. 9(a) — Confidential channel | ML-KEM-768 end-to-end; relay holds only ciphertext; cannot decrypt |
| Art. 9(a) — Access limited to authorised personnel | One-time link, burn-on-read; only the designated recipient can download |
| Art. 9(b) — Written acknowledgment within 7 days | ML-DSA-65 signed receipt delivered within seconds of upload completion |
| Recital 85 — Reporter identity protected | No sender identity logged; zero-knowledge relay; no PII retained by Paramant |
| GDPR Art. 32 — Technical security measures | FIPS 203/204 encryption; EU/DE hosting; RAM-only relay; no persistent storage |
How the channel operates.
What Paramant does not replace.
Paramant handles the secure delivery channel. It does not provide the case management workflow required for Article 9(c) follow-up, the policies required for Article 6 (permitted reporting channels), or the legal advice required to assess whether a report constitutes a qualifying disclosure. Those require your legal team and, in most Member States, a designated Whistleblowing Officer with specific legal obligations. Paramant removes the weakest link — the delivery infrastructure — from the compliance picture.