| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
•
Calendar (calendar)
• Discuss (mail) • Website (website) |
| Lines of code | 4640 |
| Technical Name |
flexigo_whistleblowing |
| License | OPL-1 |
| Website | https://flexigotech.com |
| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
•
Calendar (calendar)
• Discuss (mail) • Website (website) |
| Lines of code | 4640 |
| Technical Name |
flexigo_whistleblowing |
| License | OPL-1 |
| Website | https://flexigotech.com |
Whistleblower Channel for Odoo 19
The native Odoo 19 internal information channel for Spanish and EU organisations with 50 or more workers.
Already paying €1,200–€6,000 a year for an external whistleblowing portal?
Since 13 March 2023, every Spanish company with 50+ workers — and every public-sector entity — must operate an internal information channel that meets Ley 2/2023 and EU Directive 2019/1937. The same rules apply across the EU 27. Generic mailboxes do not preserve anonymity. Word-document libros-registro do not survive an inspection. External SaaS portals work, but they live outside Odoo, force your Compliance Officer to operate two systems, and re-key every follow-up action back into HR, Legal and Finance.
Inspections by the Spanish AAI or the AEPD can result in fines of up to €1,000,000 for legal entities and up to €300,000 for natural persons (Ley 2/2023 art. 65).
How Whistleblower Channel for Odoo 19 solves it
An Odoo-native module that ships with the legal deadlines, the anonymous intake, the hash-chained libro-registro, the encrypted report bodies and the audit pack already wired in. Install it, configure the Responsable del Sistema, publish the public form on your website — and your channel meets the operational obligations of Ley 2/2023 from day one. Every linked HR, Legal or Finance action stays inside Odoo, behind a strict access circle.
What you get
Anonymous + identified intake
Public web form on your Odoo website. The anonymous path collects no IP, no fingerprint, no metadata. Informants get a one-time secure code to follow their case.
Legal deadlines enforced
7-day acknowledgement countdown, 3-month investigation cycle, motivated 3-month extension — every clock is automatic, every reminder is logged.
Hash-chained libro-registro
Append-only register per Ley 2/2023 art. 26, with SHA-256 hash chaining that exposes any tampering. PDF + CSV export.
Encrypted at rest
Report bodies sealed with AES-GCM envelope encryption per company. A raw database export does not leak content.
Audit pack in one click
Libro-registro, access log, retention log and policy documents bundled for an AAI or AEPD inspection.
Retaliation sub-case workflow
A dedicated path to protect the informant once retaliation is alleged — with its own timeline and its own evidence chain.
Retention enforced automatically
3-month purge for not-pursued reports, 10-year cap on the libro-registro identifying data — both wired to scheduled jobs you cannot forget.
Multi-company & group sharing
One Responsable per company, or a single Responsable for a corporate group as allowed by Ley 2/2023 art. 12 — both modes supported.
Face-to-face meetings
Informants can request a meeting within 7 days; the booking is anchored to the report and stays inside the compliance circle.
See it in action
Watch the 2-minute walkthrough in your language — English, Spanish or German — or scan the six backend captures from a working Odoo 19 instance. Every surface a Compliance Officer touches in a day.
🇬🇧 English — 2-minute walkthrough
🇪🇸 Español — walkthrough de 2 minutos
🇩🇪 Deutsch — 2-Minuten-Rundgang
Built for
- Spanish private-sector entities with 50+ workers obliged by Ley 2/2023.
- EU 27 organisations obliged by the national transposition of EU Directive 2019/1937.
- Public-sector entities (excluding municipios under 10,000 inhabitants per Ley 2/2023 art. 14).
- Political parties, trade unions, employer associations, foundations receiving public funds, regardless of headcount.
- Regulated sectors (financial services, AML/CFT subjects, transport safety, environmental protection) per Directive 2019/1937 art. 8(4).
- Corporate groups using the shared-channel option of Ley 2/2023 art. 12.
Compatibility
- Odoo 19.0 — Community and Enterprise
- Multi-company aware (record-rule isolation enforced at the database layer)
- Multilingual: Spanish (es_ES), English (en_GB / en_US), Catalan (ca_ES), Portuguese (pt_PT, pt_BR), French (fr_FR)
- Standard depends:
base,web,mail,website,portal,calendar— no Enterprise-only dependencies - External Python:
cryptography,Pillow,pytz
Pricing
External whistleblowing SaaS subscriptions for SMBs typically range from €1,200 to €6,000 per company per year. A Whistleblower Channel for Odoo 19 licence pays for itself in the first quarter for any obliged organisation already inside Odoo.
Frequently asked questions
Does this module guarantee 100% legal compliance?
No — and no software does. Whistleblower Channel for Odoo 19 supports the operational obligations of Ley 2/2023 and EU Directive 2019/1937 (anonymous intake, 7-day acknowledgement, 3-month investigation, libro-registro, retention, audit pack, encryption at rest). Compliance is a combination of process, governance and tooling. We strongly recommend that your DPO and Legal Counsel review your configuration, your DPIA and your designation of the Responsable del Sistema before going live. This module does not constitute legal advice.
Is anonymous reporting really anonymous?
The anonymous path of the public form collects no IP address, no browser fingerprint and no metadata at the application layer. The informant receives a one-time secure code (16+ random characters) plus a passphrase they choose — used to log back in and follow the case. The secure code is shown only once; the system never emails it. We document the reverse-proxy hardening required so that anonymity is preserved end-to-end.
What happens if the informant alleges retaliation?
A dedicated retaliation sub-case opens, linked to the original report but with its own timeline, its own evidence chain and its own access circle. The original report is not contaminated; the retaliation case is tracked separately, in line with the protection regime of Ley 2/2023 art. 36–41.
Can I run a single channel for a corporate group?
Yes. Ley 2/2023 art. 12 and EU Directive 2019/1937 art. 8(6) allow groups of companies, and subsidiaries with fewer than 250 workers, to share an internal information channel and a Responsable del Sistema. The module supports both modes (per-company channel or shared channel), with record-rule isolation respected.
How do I prove the libro-registro has not been tampered with?
Every entry in the libro-registro carries a SHA-256 hash of the entry payload chained to the hash of the previous entry. Any retroactive modification breaks the chain. The integrity verification routine is part of the audit pack export.
How is data encrypted?
Report bodies and identifying metadata are sealed with AES-GCM envelope encryption, with a per-company data-encryption key wrapped by a master key. A raw database dump does not leak content — the key has to be resolved at the application layer by the Responsable's role.
What does the audit pack contain?
A single export bundle with: the libro-registro PDF, the chronological access log, the retention enforcement log, the policy documents in force, the privacy notice, the DPIA artefact, and the Responsable's designation record. Generated in one click for an AAI or AEPD inspection.
What integrations does it have?
Standard Odoo only: HR (optional, per-case authorisation), Mail/Discuss (compliance-circle notifications), Calendar (face-to-face meeting bookings), Portal (public form + informant follow-up). No third-party SaaS is required. You may enable Odoo Enterprise's 2FA (auth_totp) or SAML/OIDC for the compliance circle.
What languages does the public form support?
Out of the box: Spanish, English, Catalan, Portuguese, French. The data model is language-agnostic — any additional Odoo language pack can be enabled.
Do you provide support?
Yes. Reach out to comercial@flexigotech.com for installation help, configuration questions and bug reports. Critical security issues should also be reported to that mailbox.
Ready to retire your whistleblowing SaaS?
Install Whistleblower Channel for Odoo 19 from the Odoo Apps Store and configure your internal channel inside one working day.
Questions, demos, group-licence quotes: comercial@flexigotech.com
Whistleblower Channel for Odoo 19 supports your compliance workflows under Spanish Law 2/2023 [BOE-A-2023-4513] and EU Directive 2019/1937 [EUR-Lex 32019L1937]. It does not constitute legal advice. Consult your legal counsel and your Data Protection Officer for binding interpretation, configuration of the Responsable del Sistema, completion of your DPIA, and any sector-specific obligation (financial services, AML/CFT, public sector). Regulatory references current as of 2026-05-18.
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please log in to comment on this module