Whistleblower Protection (HinSchG)

Version 1.0 — As of: March 2026

The German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) transposes the EU Whistleblowing Directive (2019/1937) into German law and requires companies with 50 or more employees to establish internal reporting channels. This document describes how the SaaS platform "Aldric" supports customers in fulfilling these obligations and how CONPORT Services GmbH, as the provider, meets the HinSchG requirements itself.

Part A: The Aldric Whistleblower Module

The Aldric platform's Whistleblower Module is a fully integrated whistleblower system that covers the requirements of the HinSchG, EU Directive 2019/1937, and sector-specific regulations (e.g., Anti-Money Laundering Act, Supply Chain Due Diligence Act).

§ 1 Anonymous Reporting Channel

(1) The module provides a publicly accessible, anonymous reporting channel. Whistleblowers can submit reports without identifying themselves. The platform generates a unique access code (format: WB-YYYY-XXXXXX) for each report, enabling the whistleblower to track the processing status and communicate anonymously with the responsible unit.

(2) The anonymity of the reporting channel is technically ensured through:

• No collection of IP addresses or device information for anonymous reports;
• Token-based access to case tracking without registration or authentication;
• Strict tenant isolation — reports are accessible only to the tenant they are directed to;
• Encryption of all data in transit (TLS 1.2+) and at rest (AES-256).

(3) In addition to anonymous reporting, whistleblowers may voluntarily provide contact details (name, email, phone). These are stored separately from the report and are accessible only to assigned case handlers.

§ 2 Deadlines and Case Management

(1) The HinSchG prescribes binding deadlines. The Aldric module fully implements them:

Deadline	HinSchG Requirement	Aldric Implementation
7 days	Acknowledgment of receipt to whistleblower (§ 17(1) HinSchG)	Automatic deadline monitoring with escalation on expiry
3 months	Feedback on measures taken (§ 17(2) HinSchG)	Deadline tracking with warnings 14 and 7 days before expiry
3 years	Documentation retention (§ 11 HinSchG)	Automatic retention management with configurable deletion period

(2) Each report follows a defined workflow with the statuses: New → In Progress → Escalated / Resolved → Closed. Status transitions are fully documented in the activity log.

§ 3 Report Categories

The module supports the material scope of the HinSchG (§ 2) through predefined report categories:

• Corruption and Bribery — including public and private sector corruption;
• Data Protection Violations — GDPR, national data protection laws;
• Fraud and Financial Crime — including accounting fraud, tax evasion;
• Discrimination and Harassment — General Equal Treatment Act (AGG);
• Environmental Violations — environmental protection regulations;
• Occupational Health and Safety Violations — workplace safety laws;
• Money Laundering — Anti-Money Laundering Act (GwG);
• Other Violations — free text field for additional areas.

Customers can add custom categories to cover sector-specific requirements (e.g., product safety, food law, financial supervisory regulations).

§ 4 Confidentiality and Identity Protection

(1) The HinSchG protects whistleblower identity (§ 8 HinSchG). The Aldric module implements this protection through technical and organizational measures:

• Access Control: Only explicitly assigned case handlers (compliance officers, ombudspersons) have access to reports. Assignment is managed through the platform's RBAC system;
• Communication: The anonymous messaging channel enables follow-up questions to the whistleblower without revealing their identity;
• Audit Trail: All access to reports is logged (who, when, what action). These logs are tamper-proof, secured by hash-chain technology;
• Tenant Isolation: PostgreSQL Row-Level Security (RLS) ensures that reports are visible exclusively within the associated tenant — including in Provider Edition deployments with sub-tenants.

(2) Disclosure of a whistleblower's identity to unauthorized third parties is an administrative offense under § 9 HinSchG, punishable by fines of up to EUR 50,000. The Aldric module's technical safeguards minimize the risk of unintended disclosures.

§ 5 Prohibition of Retaliation

(1) The HinSchG prohibits retaliation against whistleblowers (§ 36 HinSchG). The Aldric platform supports compliance with this prohibition through:

• Strict separation of reporting data from HR systems;
• Anonymous reporting as the default option;
• Documentation of all case processing steps for potential evidence in retaliation claims;
• Configurable access rights ensuring that the whistleblower's supervisors cannot access their identity.

(2) In disputes regarding retaliation, the burden of proof is reversed in favor of the whistleblower (§ 36(2) HinSchG). The Aldric module's comprehensive audit trail can serve as evidence.

§ 6 Reporting and Export

(1) The module offers reporting and export functions for internal documentation and submission to supervisory authorities:

• Statistics Dashboard: Overview of reports by status, category, priority, and processing time;
• PDF Export: Individual case reports with complete case history, messages, and activity log;
• Aggregated Reports: Anonymized summaries for management or supervisory board.

(2) The reporting function respects the HinSchG's confidentiality requirements: exported reports do not contain whistleblower identities unless explicitly authorized by the whistleblower.

Part B: CONPORT Services GmbH's Own HinSchG Compliance

As the provider of the Aldric platform, CONPORT Services GmbH is itself subject to the requirements of the HinSchG. The following sections document the company's own compliance.

§ 7 Applicability

(1) The HinSchG applies to all companies with 50 or more employees (§ 12(2) HinSchG). Regardless of its current headcount, CONPORT Services GmbH has voluntarily established an internal reporting channel in order to:

• Build compliance structures proactively;
• Use and test its own platform in production (dogfooding);
• Strengthen trust with customers, partners, and employees;
• Proactively meet the requirements of public sector clients.

§ 8 Internal Reporting Channel

(1) CONPORT Services GmbH operates its own reporting channel through the Aldric platform. Reports may be submitted by:

• Employees (including trainees, working students, interns);
• Freelancers and contractors;
• Suppliers and their employees;
• Customers and business partners;
• Former employees and job applicants.

(2) The reporting channel is accessible via the public reporting page of the CONPORT instance on the Aldric platform. The URL is communicated to all eligible persons and linked on the company website.

(3) Reports may be submitted anonymously or with contact details. Anonymous reporting is expressly enabled and treated equally.

§ 9 Responsible Unit

(1) The management of CONPORT Services GmbH is responsible for receiving and processing reports. For reports concerning management itself, an independent external ombudsperson is to be appointed.

(2) The responsible unit is obligated to:

• Acknowledge reports within 7 days;
• Assess and implement follow-up measures;
• Provide feedback to the whistleblower within 3 months;
• Maintain confidentiality of the whistleblower's identity.

§ 10 External Reporting Channels

(1) In addition to the internal reporting channel, whistleblowers may at any time report to external reporting channels pursuant to § 7 HinSchG:

• Federal Office of Justice (BfJ): Central external reporting channel pursuant to § 22 HinSchG — www.bundesjustizamt.de/hinweisgeberstelle
• BaFin: For reports in the financial sector (§ 21 HinSchG)
• Federal Cartel Office: For competition law violations

(2) Whistleblowers are free under the HinSchG to choose between the internal and an external reporting channel. There is no obligation to report internally first.

§ 11 Data Protection

(1) The processing of personal data within the whistleblower system is based on Art. 6(1)(c) GDPR (legal obligation) in conjunction with the provisions of the HinSchG.

(2) Data processed includes:

• Information about the reported matter;
• Contact details of the whistleblower (only if voluntarily provided);
• Name and function of persons handling the case;
• Communication between the whistleblower and the responsible unit;
• Documentation of follow-up measures taken.

(3) Data is retained for 3 years after the conclusion of proceedings pursuant to § 11 HinSchG and subsequently deleted, unless longer retention is required by other legal provisions.

(4) For further information on data processing, please refer to our Privacy Policy and the App Privacy Policy.

§ 12 Training and Awareness

(1) CONPORT Services GmbH ensures that all employees are informed about the whistleblower system and their rights under the HinSchG. This includes:

• Information on the internal reporting channel upon commencement of employment;
• Regular training on reporting options and the prohibition of retaliation;
• Provision of informational materials on the HinSchG.

(2) The Aldric module supports customers with training through integrated compliance training courses that can be delivered via the platform's training module.

§ 13 Penalty Risks

(1) Violations of the HinSchG can result in significant fines:

Violation	Fine
Hindering a report or retaliation (§ 40(1))	Up to EUR 50,000
Breach of confidentiality obligation (§ 40(3))	Up to EUR 50,000
Failure to establish internal reporting channel (§ 40(6))	Up to EUR 20,000
Knowingly false report by whistleblower (§ 40(7))	Up to EUR 20,000

(2) The Aldric module minimizes these risks through automated deadline compliance, technical identity protection, and comprehensive documentation of all processing steps.

§ 14 Contact

For questions about whistleblower protection at CONPORT Services GmbH:

• General inquiries: compliance@conport.services
• Security incidents: security@conport.services

For information about the Aldric platform's Whistleblower Module, please contact our sales team at info@conport.services.

§ 15 Final Provisions

(1) This document is reviewed regularly and updated when the legal situation changes. The current version is always available on this page.

(2) In the event of conflicts between this document and the statutory provisions of the HinSchG, the statutory provisions shall prevail.

(3) For further legal information, we refer to:

• Whistleblower Protection Act (HinSchG) — Full Text (German)
• EU Directive 2019/1937 — Full Text

As of: March 2026