WhisTrust
Back to Demo →

WhisTrust Documentation

Complete guide to using WhisTrust - your secure digital whistleblowing system

Introduction to WhisTrust

WhisTrust is a secure, confidential digital whistleblowing system designed for organizations to receive and manage anonymous reports of misconduct, fraud, safety concerns, and policy violations.

Purpose

Enable confidential reporting, secure communication, and transparent case resolution

Security First

End-to-end encryption, metadata cleaning, and compliance-ready data handling

Getting Started

For Reporters (Anonymous Users)

1Visit the Report Portal
2Fill in report details (category, description, optional contact info)
3Upload any supporting files securely
4Receive a unique tracking code to monitor your case

For Admin Users

WhisTrust uses Role-Based Access Control (RBAC). Your access depends on your assigned role:

1Visit the Admin Portal
2Login with your credentials (e.g., admin@whistrust.com)
3Access features based on your role (see Role Permissions section below)

System Workflows

Workflow 1: Anonymous Report Submission
Submit a confidential report without revealing your identity

What This Does

Allows users to submit reports of misconduct, fraud, or policy violations securely and anonymously. Each submission receives a unique tracking code for follow-up.

Step-by-Step Instructions

  1. Navigate to the Report Portal
  2. Select report category (fraud, harassment, safety, etc.)
  3. Enter detailed description of the incident
  4. Optionally provide name and email (not required for anonymity)
  5. Attach supporting documents or evidence (optional)
  6. Click "Submit Report"
  7. Save your unique tracking code for case monitoring

Testing Checklist

  • Submit a test report with all fields filled
  • Verify tracking code is generated (e.g., "ABC1234")
  • Check report appears in admin dashboard
  • Confirm file uploads are successful
  • Test with anonymous submission (no name/email)
Workflow 2: Case Tracking & Two-Way Messaging
Communicate securely with administrators about your case

What This Does

Enables encrypted two-way communication between reporters and administrators. Messages are encrypted before storage and decrypted on display to ensure maximum privacy.

Step-by-Step Instructions

  1. Enter your tracking code on the Track Your Case page
  2. View case status and timeline
  3. Review previous messages from administrators
  4. Type your response in the message box
  5. Send message (encrypted automatically)
  6. Receive real-time notifications of new messages

Testing Checklist

  • Track a case using valid tracking code
  • Send a test message from reporter view
  • Verify message appears in admin panel
  • Send reply from admin and confirm it appears to reporter
  • Check encryption/decryption works correctly
Workflow 3: Admin Dashboard & Case Management
Manage and resolve cases with comprehensive admin tools

What This Does

Provides administrators with a complete case management interface including case assignment, status updates, priority management, custom labels, and file access.

Key Features

  • Case Overview: View reports with role-based filtering:
    • Admin: All cases
    • Manager: Cases assigned to users in their department
    • Investigator: Only cases assigned to them
    • HR: Only HR-related categories
  • Case Details: Side drawer with full case information, messages, and attachments
  • Assignment: Assign cases to specific administrators or investigators (Admin & Manager only - Investigator/HR cannot assign)
  • Status Management: Update case status (Pending → In Review → In Progress → Resolved) - Admin, Manager, and Investigator can update; HR is read-only
  • Priority & Labels: Set priority levels (Low/Medium/High) and add custom labels - HR role cannot edit priority
  • Two-Way Messaging: Communicate with reporters securely (all roles can send messages)

Testing Checklist

  • Open a case and review all details
  • Verify case filtering works per role (Admin sees all, Manager sees department, etc.)
  • As Admin/Manager: Assign case to another user
  • As Investigator/HR: Verify assignment controls are hidden
  • Update case status and priority (Admin, Manager, Investigator)
  • As HR: Verify status/priority controls are disabled with tooltips
  • Add custom labels to case
  • Filter cases by status, priority, or label
  • Send message to reporter from case details (all roles)
Workflow 4: File Upload Security & Privacy
Secure file handling with metadata cleaning and encryption

What This Does

Ensures all uploaded files are stored securely with metadata stripped to prevent identity exposure. Files are accessible only to authorized administrators via signed URLs.

Security Features

  • Automatic metadata cleaning (removes EXIF, author info, timestamps)
  • Secure storage in Supabase with access control
  • Signed URLs for temporary file access
  • File type validation and size limits
  • Admin-only download permissions

Testing Checklist

  • Upload file during report submission
  • Verify file appears in admin case details
  • Download file from admin panel
  • Check file metadata is cleaned
  • Test with different file types (PDF, images, docs)
Workflow 5: Offline / Proxy Case Entry
Allow administrators to submit cases on behalf of reporters

What This Does

Enables authorized administrators to submit reports on behalf of individuals who cannot access the system directly. Source marked as "proxy" or "offline".

Testing Checklist

  • Admin creates case via offline entry form
  • Verify source is marked as "proxy" or "offline"
  • Confirm case appears in system with special badge
  • Test case management flows work normally
Workflow 6: Audit Logs & Notifications
Track all system activities and receive real-time updates

What This Does

Comprehensive audit trail of all system actions (report creation, status changes, assignments, messages) and real-time notification system for admins.

Audit Log Features

  • Track all user actions with timestamps and user role information
  • Automatic role capture: Every audit entry automatically includes the user_role field
  • Track user management actions: Role changes, user activation/deactivation are logged with full details
  • Filter by action type, resource, user, role, and date range
  • View detailed metadata for each action (old/new values, target user info)
  • Export logs for compliance reporting

Notification Features

  • Real-time bell notifications for new reports
  • Notifications for case assignments and message replies
  • Badge showing unread count
  • Mark notifications as read

Testing Checklist

  • Submit a new report and check audit log entry
  • Assign a case and verify notification appears
  • Check notification bell updates in real-time
  • Filter audit logs by date and action type
  • Mark notifications as read and verify badge count
Workflow 7: Encryption & Security Layers
Multi-layer security to protect sensitive data

What This Does

Implements multiple security layers including client-side message encryption, metadata cleaning, role-based access control, and secure authentication.

Security Layers

  • Message Encryption: AES encryption for all messages
  • File Metadata Cleaning: Automatic removal of identifying information
  • Row-Level Security (RLS): Database-level access control
  • Role-Based Access Control (RBAC): Four distinct roles (Admin, Manager, Investigator, HR) with granular permissions. Each role sees only authorized features and data.
  • Secure Authentication: Supabase Auth with session management
  • HTTPS Only: All connections encrypted in transit
Workflow 8: Priority & Label Management
Organize and filter cases with custom labels and priorities

What This Does

Allows administrators to set case priorities (Low/Medium/High) and add custom labels for better organization and filtering.

Features

  • Set priority levels with color-coded badges
  • Add multiple custom labels per case
  • Filter cases by priority in the table
  • Visual indicators for quick case assessment

Testing Checklist

  • Add labels to a case (e.g., "Finance", "Urgent")
  • Change case priority from dropdown
  • Verify priority badge displays correctly
  • Filter cases by priority level
  • Confirm filters work together (status + priority)
Workflow 9: Role-Based Access Control (RBAC)
Granular permissions and access control for different user roles

What This Does

WhisTrust implements comprehensive role-based access control with four distinct roles. Each role has specific permissions, sees only relevant data, and has access to appropriate features. Unauthorized routes are automatically blocked with clear access-denied messaging.

Role Permissions

AdminFull System Access
  • View all cases across all departments
  • Assign cases to any user
  • Update case status and priority
  • View Analytics dashboard
  • Access Audit Logs
  • Manage user accounts - change roles, activate/deactivate users (see User Management section)
ManagerDepartment Oversight
  • View cases assigned to users in their department (department-based filtering)
  • Assign cases to investigators within their department
  • Update case status and priority
  • View Analytics dashboard
  • Access Audit Logs
  • Cannot manage users or access user management page
InvestigatorCase Investigation
  • View only cases assigned to them
  • Update status and priority of assigned cases
  • Send messages and manage assigned cases
  • Cannot assign cases
  • Cannot view Analytics or Audit Logs
HRHuman Resources Focus
  • View only HR-related categories (Workplace Conduct, Harassment, Discrimination, Bullying)
  • Send messages to reporters
  • Read-only: Cannot edit status or priority
  • Cannot assign cases
  • Cannot view Analytics or Audit Logs

UI Features

  • Role Badge: Your role is displayed next to your name in the sidebar with color-coding (Admin: primary, Manager: secondary, Investigator/HR: outline)
  • Conditional Navigation: Only authorized menu items appear in the sidebar. Unauthorized routes (e.g., Users page for non-admin) are hidden
  • Disabled Controls: Unauthorized actions (like status updates for HR) show helpful tooltips when hovered, explaining permission restrictions
  • Access Denied Page: Attempting to access unauthorized routes (e.g., /admin/users as Manager) redirects to a clear access-denied page with navigation options
  • Case Filtering: Cases are automatically filtered based on your role's permissions:
    • Admin: All cases
    • Manager: Cases assigned to users in the same department
    • Investigator: Only cases assigned to them
    • HR: Only HR-related categories (Workplace Conduct, Harassment, Discrimination, Bullying)
  • User Management (Admin Only): Admin users can manage other admin accounts - change roles, activate/deactivate users. All actions are logged in audit trail with user role information

Tooltip Examples

HR trying to update status: "You don't have permission to edit reports. Only Admin, Manager, and Investigator can update case status."

Non-admin trying to manage users: "Only Admin can change user roles." or "Only Admin can activate/deactivate users."

Testing Checklist

  • Login as each role and verify sidebar shows correct menu items
  • Check role badge displays correctly next to your name with appropriate color
  • Verify case filtering works:
    • Admin sees all cases
    • Manager sees only cases assigned to users in their department
    • Investigator sees only assigned cases
    • HR sees only HR-related categories
  • Attempt to access restricted routes (e.g., /admin/users as Manager) - should redirect to access-denied page
  • Hover over disabled controls (status/priority for HR, user management for non-admin) and verify tooltips appear
  • As Admin: Change a user's role and verify audit log entry shows user_role_updated with old/new values
  • Check audit logs show correct user_role column for each action
Workflow 10: Reports & Analytics Dashboard
Comprehensive insights into case volumes and trends (Admin & Manager only)

What This Does

Provides administrators with key metrics, category breakdowns, trend analysis, and exportable reports for compliance and management purposes.

Analytics Features

  • Total reports count and status breakdown
  • Average resolution time tracking
  • Category distribution with percentages
  • Trend analysis over time
  • CSV export functionality
  • Access: Admin and Manager roles only (Investigator and HR cannot access Analytics)

Testing Checklist

  • As Admin/Manager: View analytics dashboard with real data
  • Verify metrics match actual report counts
  • Check category breakdown is accurate
  • Export analytics data to CSV
  • Verify CSV contains all expected data
  • As Investigator/HR: Attempt to access /admin/analytics - should redirect to access-denied page
Workflow 11: User Management (Admin Only)
Manage admin user accounts, roles, and activation status

What This Does

Allows Admin users to manage other admin accounts in the system. This includes changing user roles (Admin, Manager, Investigator, HR), activating or deactivating accounts, and viewing user information. All user management actions are automatically logged in the audit trail with full details including who performed the action and what changed.

Key Features

  • User List: View all admin users with their roles, departments, and activation status
  • Role Management: Change user roles between Admin, Manager, Investigator, and HR
  • Account Activation: Activate or deactivate user accounts (inactive users cannot log in)
  • Audit Logging: All changes are logged with:
    • Who made the change (user and role)
    • What changed (old/new role, activation status)
    • When the change occurred
    • Target user details
  • Access Control: Only Admin role can access this page. Other roles attempting to access will be redirected to the access-denied page.
  • UI Restrictions: Non-admin users see disabled controls with helpful tooltips explaining permission requirements.

User Management Actions

Change User Role

Update a user's role. This immediately affects their permissions and access. Logged as user_role_updated with old and new role values.

Activate/Deactivate Account

Control user access. Deactivated users cannot log in. Logged as user_activated or user_deactivated with user details.

Testing Checklist

  • As Admin: Access /admin/users page
  • View list of all admin users with their roles
  • Change a user's role (e.g., Manager → Investigator)
  • Verify audit log shows user_role_updated entry
  • Deactivate a user account
  • Verify audit log shows user_deactivated entry
  • Activate the user account again
  • Verify audit log shows user_activated entry
  • As Manager/Investigator/HR: Attempt to access /admin/users - should redirect to access-denied
  • Check audit logs verify user_role is captured for all actions
Testing Instructions

Test User Roles

Reporter (Anonymous)

No login required. Use tracking codes to access cases. Can submit reports and communicate via messages.

AdminFull Access

Full system access including user management.

Login: admin@whistrust.com

ManagerDepartment

Department-based case oversight. Sees cases assigned to users in their department. Can view analytics and audit logs.

Cannot manage users or access user management page.

InvestigatorAssigned Cases

View and manage only assigned cases.

Cannot assign cases or view analytics.

HRHR Categories

View HR-related cases only (Workplace Conduct, Harassment, Discrimination, Bullying).

Read-only access. Cannot edit case status or priority. Cannot view analytics.

Sample Test Data

Sample Tracking Code: ABC1234

Test Categories: Fraud, Harassment, Safety, Ethical Violations

Test File Types: PDF, JPG, PNG, DOCX (max 10MB each)

Admin Login: admin@whistrust.com / Admin@123

Security & Data Handling

Encryption

All messages are encrypted using AES encryption before storage. Files are encrypted in transit and at rest.

Metadata Cleaning

Automatic removal of EXIF data, author information, and timestamps from uploaded files to prevent identity exposure.

Access Control

Role-based permissions with database-level security. Only authorized admins can access specific cases.

Data Storage

Secure cloud storage with signed URLs for temporary file access. Full audit trail maintained for compliance.

Compliance Ready

WhisTrust is designed to meet data localization requirements and compliance standards. All data handling follows security best practices and can be hosted in compliant jurisdictions.

FAQ & Troubleshooting

Why can't I see my messages?

Make sure you're using the correct tracking code. Messages may take a moment to sync. Try refreshing the page or checking your tracking code.

File upload failed. What should I do?

Check file size (max 10MB per file), file type is supported (PDF, images, docs), and your internet connection is stable. Try uploading one file at a time.

I forgot my tracking code. Can I get it back?

If you provided an email during submission, you should have received the tracking code. For security, we cannot retrieve tracking codes without authentication.

How secure is my data?

All data is encrypted in transit (HTTPS) and at rest. Messages use client-side encryption, and files have metadata removed. Only authorized admins can access case data.

Need More Help?

For additional support, please contact your organization's compliance team or system administrator. Technical issues can be reported through your organization's IT support channels.

WhisTrust Documentation v1.0 | Last Updated: 11/10/2025

Try DemoHome