GlobaLeaks
GlobaLeaks is free, open-source whistleblowing software that lets anyone set up and maintain a secure reporting platform as a self-hosted solution.
Open-source secure reporting, honestly reviewed. No marketing fluff, just what you get when you self-host it.
TL;DR
- What it is: Free, open-source (AGPLv3) whistleblowing platform — lets anyone set up a secure, anonymous reporting channel without routing submissions through a third-party SaaS [5].
- Who it’s for: NGOs, investigative media outlets, corporations that need EU Directive 2019/1937 compliance, and public agencies that cannot afford commercial whistleblowing platforms or won’t route sensitive disclosures through vendor servers [3][5].
- Cost savings: Commercial whistleblowing compliance platforms (NAVEX EthicsPoint, WhistleB, Speakfully) are enterprise-priced SaaS — exact figures aren’t publicly listed but routinely quoted in the thousands of dollars per year. GlobaLeaks self-hosted runs on a server you already control, software cost: $0 [5].
- Key strength: Serious privacy architecture by default — Tor support, end-to-end encryption, anonymous submissions with a 16-digit receipt instead of login credentials. Adopted by 10,000+ organizations globally [5].
- Key weakness: AGPLv3 license (not MIT — relevant if you want to embed it in a commercial product), documentation is technical, and third-party reviews are thin because the tool serves a narrow professional use case rather than a general audience.
What is GlobaLeaks
GlobaLeaks is a self-hosted platform that lets an organization receive anonymous reports. A whistleblower visits your instance, fills out a form or uploads files, and gets a 16-digit receipt that functions as their pseudonymous identity — no email, no login, no account. They can come back later with that receipt to continue a conversation with recipients. Recipients never see the submitter’s IP or identity unless the submitter voluntarily discloses it [5].
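The receipt-as-identity flow above, as an added illustrative model (not GlobaLeaks' own code): the server keeps only a scrypt verifier and a content key wrapped under a receipt-derived key, so recipients and administrators never hold the receipt, and a lost receipt leaves the thread unrecoverable, which is the failure mode noted later under deployment. The scrypt cost, the XOR key wrap and the record layout are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed, in-memory model of a receipt-based reporting channel, written for
# this review to illustrate the design described above. It is not GlobaLeaks'
# own code; the scrypt cost, the XOR key wrap and the record layout are assumptions.

SCRYPT = dict(n=2**14, r=8, p=1)


def new_receipt() -> str:
    """A 16-digit receipt from the OS CSPRNG, zero-padded (roughly 53 bits of entropy)."""
    return f"{secrets.randbelow(10**16):016d}"


def _derive(receipt: str, salt: bytes, purpose: bytes) -> bytes:
    """Derive a 32-byte secret from the receipt; `purpose` keeps the auth and wrap keys distinct."""
    return hashlib.scrypt(receipt.encode(), salt=purpose + salt, dklen=32, **SCRYPT)


class ReportStore:
    """Server side: holds a verifier and a wrapped content key, never the receipt itself."""

    def __init__(self) -> None:
        self.reports: dict = {}

    def submit(self) -> Tuple[str, str]:
        """Open a report thread and return (report_id, receipt); the receipt is shown once."""
        receipt = new_receipt()
        salt = secrets.token_bytes(16)
        content_key = secrets.token_bytes(32)  # would key an AEAD over the files and chat
        wrap_key = _derive(receipt, salt, b"wrap")
        report_id = secrets.token_hex(8)
        self.reports[report_id] = {
            "salt": salt,
            "verifier": _derive(receipt, salt, b"auth"),
            # One-time XOR wrap: wrap_key protects exactly this one 32-byte key and nothing else.
            "wrapped_key": bytes(k ^ w for k, w in zip(content_key, wrap_key)),
        }
        return report_id, receipt

    def unlock(self, report_id: str, receipt: str) -> Optional[bytes]:
        """Whistleblower returns with the receipt: verify it, then unwrap the content key."""
        rec = self.reports.get(report_id)
        if rec is None or len(receipt) != 16 or not receipt.isdigit():
            return None  # cheap rejection before paying for scrypt
        if not hmac.compare_digest(_derive(receipt, rec["salt"], b"auth"), rec["verifier"]):
            return None  # wrong or lost receipt; nothing stored can reconstruct it
        wrap_key = _derive(receipt, rec["salt"], b"wrap")
        return bytes(c ^ w for c, w in zip(rec["wrapped_key"], wrap_key))
```

An administrator who dumps `store.reports` sees a salt, a verifier and an opaque wrapped key; nothing there yields the receipt or the content key, which is what makes the receipt pseudonymous and its loss irreversible.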
The project was started in 2011 by a group of privacy and security researchers to address what they described as a “technological gap” — organizations that needed secure reporting channels but couldn’t build or afford them [1]. As of this review, it has 1,439 GitHub stars and claims 10,000+ active deployments [5]. It’s been recognized as a Digital Public Good by the Digital Public Goods Alliance — the same designation used for tools like OpenMRS and DHIS2 — which matters if you’re a nonprofit or public agency seeking donor-funded infrastructure [5].
The license is AGPLv3+, not MIT. That distinction is worth understanding before you deploy: you can self-host freely and modify the source, but if you run a modified version as a service accessible to others, you’re required to release your modifications. For internal corporate compliance use, this doesn’t matter. For a SaaS vendor trying to build a product on top of it, it does [5].
The platform is designed around a specific threat model: protecting the identity of people who report against powerful institutions. That priority shapes every feature decision in ways that are either exactly what you need or irrelevant, depending on your use case.
Why people choose it
Third-party reviews of GlobaLeaks are sparse — the tool occupies a narrow, specialized space and doesn’t attract the casual “I tried this for my side project” write-up. What you can triangulate from available sources:
For compliance-driven organizations. The EU Whistleblowing Directive (2019/1937) requires companies with 50 or more employees to maintain a confidential reporting channel. GlobaLeaks explicitly advertises compliance with this directive, ISO 37002, and GDPR [5]. When the Arbitrum DAO’s governance community recently evaluated platforms for a grant misuse bounty program, they selected GlobaLeaks specifically because it was “free, open-source, privacy-first” [3]. The practical concern raised in that discussion was about KYC for payouts — GlobaLeaks doesn’t require identity at submission, only when processing payouts through a separate system — which reflects exactly how the tool is designed to work [3].
For the localization and activist community. GlobaLeaks is one of the projects hosted by the Localization Lab, a community that translates security tools for human rights defenders and journalists operating in restricted environments [2]. The software is available in 70+ languages including Arabic, Chinese, and RTL languages [5]. This matters: if your use case is an anti-corruption reporting channel in a non-English-speaking country, most commercial alternatives won’t have that coverage.
For media and investigative journalism. The comparison that often comes up in security circles is GlobaLeaks versus SecureDrop. SecureDrop (Freedom of the Press Foundation) is specifically designed for source-to-journalist communication with strong Tor integration. GlobaLeaks is a broader framework — it can handle journalism use cases but is equally intended for corporate compliance, public agency intake, and anti-corruption initiatives. SecureDrop is narrower and operationally more demanding. GlobaLeaks is the option you deploy when you need more flexible case management than SecureDrop offers.
Features
Based on the official website and README [5]:
Submission flow:
- Anonymous submissions with a unique 16-digit receipt for pseudonymous follow-up
- Whistleblower can optionally declare identity — but only on their terms
- Multimedia file uploads with secure access control
- Two-way encrypted chat between whistleblower and recipients
- Tor hidden service support for high-threat environments
Recipient and case management:
- Role-based access: whistleblower, recipient, administrator — all customizable
- Multiple reporting channels (by department, topic, or subsidiary)
- Multi-instance support: run separate reporting sites for multiple organizations or business units from one installation
- Custom questionnaire builder for intake forms
- Case labeling, status management, user search
- Whistleblowing system statistics for administrators
Platform and compliance:
- Full web-based administration — no command-line management required after setup
- Customizable appearance: logo, colors, fonts, text
- Compliance with EU Directive 2019/1937 (corporate whistleblowing), ISO 37002, GDPR
- 70+ language support, RTL included
- REST API for integration with external case management systems
What’s not there:
- No hosted SaaS tier — you deploy it yourself or pay a third party to host it
- No built-in identity verification (by design — that would undermine the threat model)
- No native SIEM/logging integrations listed in documentation
Pricing: SaaS vs self-hosted math
GlobaLeaks has no commercial tier. The software is free. The cost calculation is infrastructure versus the commercial alternative.
GlobaLeaks self-hosted:
- Software license: €0 (AGPLv3) [5]
- VPS or on-premise server: $5–20/month depending on hosting
- Your time for setup and maintenance
Commercial whistleblowing platforms: Exact pricing for NAVEX EthicsPoint, WhistleB, and Speakfully is not publicly listed — they require a sales conversation and quote based on headcount and features. Based on publicly available sourcing from procurement discussions, mid-market companies (50–500 employees) commonly see quotes in the $3,000–$15,000/year range. Enterprise deployments with full case management, helpline, and compliance reporting run higher. Data not available for a precise comparison, but the order-of-magnitude difference is real.
The EU compliance angle specifically:
If you’re a company with 50+ employees in the EU, you’re legally required to have a reporting channel as of December 2023 (deadline varied by member state). Your options are roughly:
- Pay a commercial compliance vendor for a managed solution
- Deploy GlobaLeaks yourself — software free, EU Directive compliant, GDPR-ready
For a 100-person company, option 2 on a $10/month VPS costs $120/year. If even one mid-tier commercial quote comes in at $5,000/year, self-hosting saves $4,880 annually. That’s the math that drives adoption in the EU compliance space.
The caveat: GlobaLeaks doesn’t include a telephone hotline, which some EU implementations require. If your jurisdiction requires a voice reporting option, you need a separate solution for that piece.
Deployment reality check
The documentation at docs.globaleaks.org covers installation in detail. The primary installation path is a Debian/Ubuntu package — not Docker Compose, which is unusual compared to most self-hosted tools covered on this site.
What you actually need:
- A Debian or Ubuntu server (the officially supported path)
- Root access to install the package
- A domain name and TLS certificate
- Basic Linux administration comfort — the GlobaLeaks package handles most dependencies
The optional Tor complexity:
If your threat model includes state-level adversaries or seriously high-risk whistleblowers, you’ll want to configure a Tor onion service on top of the standard HTTPS install. The documentation covers this, but it adds meaningful configuration complexity. For a corporate EU compliance deployment with lower threat requirements, you can skip Tor entirely.
Installation, honestly assessed:
Based on the project’s structure and documentation, a competent system administrator can complete a basic deployment in 30–60 minutes. The job posting from 2022 [1] notes the team handles “training, hosting, and technical assistance requests” — which suggests the typical deployer needs some handholding. The fact that they explicitly list this as a growing service area implies installation isn’t trivially self-service for non-technical operators.
For a non-technical founder: budget a half-day, or have someone do the deployment for you. The admin interface after setup is explicitly designed to be manageable by non-technical staff [5] — once it’s running, day-to-day operation doesn’t require server knowledge.
What can go sideways:
- Debian/Ubuntu dependency: if your infrastructure runs on other Linux distributions or containers, you’re going off the documented path.
- The 16-digit receipt system means if a whistleblower loses their receipt, that thread is permanently inaccessible — by design, but worth communicating to users.
- No SLA, no support contract unless you pay a third party for hosting services. Small core team [1].
Pros and Cons
Pros
- Purpose-built privacy architecture. Anonymous receipts, optional Tor, end-to-end encryption — these aren’t bolted on, they’re the foundation. Commercially comparable tools treat privacy as a feature; GlobaLeaks treats it as a constraint [5].
- EU compliance out of the box. Explicitly designed for EU Directive 2019/1937, ISO 37002, and GDPR compliance. Saves legal review time [5].
- Recognized as a Digital Public Good. Means it’s been independently assessed for privacy, security, and open-source standards [5].
- 70+ language support including RTL. Broader than most commercial alternatives, maintained by an active localization community [2][5].
- Multi-instance and multi-channel. One installation can run reporting channels for multiple subsidiaries or organizational units [5].
- Zero software cost. For organizations on constrained budgets — NGOs, public agencies, small EU-mandated companies — this is the entire argument [5].
- Flexible enough for real non-typical deployments. The Arbitrum DAO chose it for a crypto grant misuse bounty program — not exactly the standard corporate compliance use case, but the platform handled it [3].
Cons
- AGPLv3, not MIT. You can’t embed it in a commercial SaaS product without open-sourcing your modifications. Relevant only for certain use cases, but worth checking with legal before proceeding.
- No hosted tier. You’re responsible for infrastructure, uptime, and security updates. There’s no “pay $50/month and let us handle it” option from the GlobaLeaks project itself.
- Small core team. The 2022 job posting described a small, distributed team that was actively hiring [1]. For a compliance-critical deployment, the bus factor matters.
- Thin third-party review coverage. The tool doesn’t get the casual review treatment that general-purpose tools get. Hard to find “I deployed this and here’s what broke” write-ups from independent operators.
- Debian/Ubuntu only (official). Docker-based deployment exists in community contributions but isn’t the primary documented path, which is an unusual constraint in 2026.
- No telephone hotline. Some EU Directive implementations require a verbal reporting option. GlobaLeaks only handles digital submissions.
- No built-in identity verification. By design — but if your use case needs identity-verified reports, you’ll need to layer something on top.
Who should use this / who shouldn’t
Use GlobaLeaks if:
- You’re a company with 50+ EU employees that needs a whistleblowing channel for Directive 2019/1937 compliance and doesn’t want to pay €5,000+/year for a commercial platform.
- You’re an NGO, media outlet, or activist organization with a serious threat model — GlobaLeaks was built for high-risk environments and it shows.
- You need multi-language support, especially for non-Western scripts or RTL languages.
- You have a Linux server and someone who can do initial setup, or you’re willing to pay for a one-time deployment.
- Your data sovereignty requirements prevent routing sensitive disclosures through third-party servers.
Skip it if:
- You need a telephone hotline as part of your compliance solution — GlobaLeaks only handles digital channels.
- You want a managed, zero-ops SaaS solution. That’s not what this is.
- You’re building a commercial product that needs to embed a reporting channel — the AGPLv3 license will complicate your IP situation.
- You have no technical resources at all and can’t hire someone for a one-time setup. The ongoing admin interface is non-technical, but the server doesn’t run itself.
Consider the alternatives instead if:
- Your threat model is specifically source-to-journalist, and you need maximum operational security — SecureDrop has a more hardened deployment specifically for that context.
- You need a commercial SLA and enterprise support — no shame in paying for a managed solution if compliance deadlines are imminent and internal capacity is low.
Alternatives worth considering
- SecureDrop (Freedom of the Press Foundation) — journalism-focused, Tor-first, tighter threat model, harder to operate. The better choice if you’re a newsroom doing source protection, not if you’re a corporation doing compliance.
- NAVEX EthicsPoint — the market leader in commercial whistleblowing compliance. Full managed service, telephone hotline, analytics, SLA. Expensive. The thing GlobaLeaks replaces for cost-sensitive organizations.
- WhistleB — European SaaS whistleblowing platform, built for GDPR and EU Directive compliance. No public pricing, contact-sales model.
- Speakfully — SaaS HR reporting platform with whistleblower functionality. More HR-tool oriented than compliance-oriented.
- AllVoices — similar space, pricing around $3/employee/month for smaller teams. Better if you want built-in case management without server administration.
The realistic decision tree: if you have technical resources and data sovereignty requirements, GlobaLeaks. If you need a managed service with a telephone option, NAVEX or WhistleB. If you’re specifically a journalism organization, SecureDrop.
Bottom line
GlobaLeaks fills a real gap: the EU Whistleblowing Directive created a compliance requirement for thousands of mid-size companies that can’t justify the pricing of enterprise compliance vendors, and GlobaLeaks is the serious open-source answer to that problem. The privacy architecture is legitimate — this isn’t a generic form tool with “anonymous” bolted on, it’s software designed by security researchers specifically for high-stakes disclosure scenarios. The trade-offs are honest: you’re running your own infrastructure, you’re betting on a small core team, and there’s no telephone hotline. But for an organization that needs a defensible, GDPR-compliant, Directive 2019/1937-ready reporting channel and doesn’t want to route sensitive submissions through a vendor’s servers, the math is straightforward. A $10/month VPS and a one-time setup afternoon replaces a recurring SaaS contract in the thousands per year.
If the setup is the blocker, that’s exactly what unsubbed.co’s parent studio upready.dev deploys for clients. One-time fee, done, you own the infrastructure.
Sources
- [1] Hasjob.co — GlobaLeaks job posting, “Software Developer with Frontend Experience / GlobaLeaks / Anywhere” (July 2022). https://hasjob.co/globaleaks.org/tmrfa
- [2] Localization Lab Wiki — “Community Events”; mentions the GlobaLeaks AMA and localization involvement. https://wiki.localizationlab.org/index.php/Community_Events
- [3] Arbitrum Foundation Forum — “May 6, 2025 - Open Discussion of Proposals Governance Call”; real-world GlobaLeaks deployment for a grant misuse bounty program. https://forum.arbitrum.foundation/t/may-6-2025-open-discussion-of-proposals-governance-call/29168
- [4] Awesome-Selfhosted mirror (osmarks.net) — confirms the GlobaLeaks listing in the self-hosted software directory. https://git.osmarks.net/mirrors/awesome-selfhosted
Primary sources [5]:
- GitHub repository: https://github.com/globaleaks/globaleaks-whistleblowing-software (1,439 stars, AGPLv3+ license)
- Official website: https://www.globaleaks.org/
- Features page: https://www.globaleaks.org/features/
- Documentation: https://docs.globaleaks.org/en/stable/