Security overview for the Whispr EDU product

Whispr EDU is independent of other BackPR products

Whispr EDU is one of multiple distinct product lines under the BackPR umbrella (backpr.com). Each Whispr product is built and operated by a separate team with separate infrastructure scope, sub-processors, security practice, and contracts. References on this page apply only to Whispr EDU. The Whispr Compliance Italy product at whispr.backpr.com is a sibling product with its own security page.

Reporter follow-up and internal handling are kept separate

• Reporter intake is anonymous by default; identification is the reporter's deliberate choice.
• Reporter follow-up uses dedicated mailbox credentials rather than general email.
• Administrative notes, assignment, and internal status are kept outside the reporter-visible thread.
• Audit events are recorded for case creation, acknowledgment, assignment, note creation, exports, and closure.

Authenticated, role-aware, scope-limited

• Administrative actions use authenticated sessions.
• Roles are applied at the administrative tier (administrator, reviewer, viewer).
• Disabled accounts are blocked from access.
• Two-factor authentication endpoints exist and can be enforced by deployment settings.

Cloudflare, Resend, and Stripe where billing is in use

This page reflects the current hosted stack. Stack changes are reflected here and in the subprocessors page.

Transport encryption and platform-level protections

Traffic to and from the product uses transport encryption. Storage protections are those provided by the underlying hosted platform. Whispr does not claim end-to-end encryption, certifications, or custom cryptographic controls on this page. Where deeper assurance is required, request it during procurement or technical review.

Case actions are recorded; incident response follows the agreement

Case events are recorded as part of normal handling, not in a separate spreadsheet process. Exports are explicit actions and are logged. Incident response and customer notification follow the timing and process set out in the signed agreement and applicable law. No specific recovery-time, recovery-point, uptime, or breach-notification timing commitment is made on this page.

Configuration, supervision, and emergency response

The customer organisation is responsible for: (a) selecting reviewers and applying role assignments, (b) supervising user behaviour on the administrative side, (c) responding to reports, (d) operating an emergency-response path that is separate from this product, (e) any safeguarding decision, and (f) staff training. Whispr does not adjudicate, prioritise, or escalate reports on the customer's behalf.

How to report a security issue

Suspected security issues affecting the Whispr EDU product can be reported to security@backpr.com. We acknowledge reports as practical. We do not run a bug-bounty programme, do not pay for findings, and do not commit to specific response times, remediation windows, or disclosure timing. Submission of a report does not create a legal, contractual, or fiduciary relationship between the reporter and Whispr. Testing must be limited to non-destructive techniques and must not affect availability, integrity, or confidentiality of customer data.

What this page does not claim

This page does not promise: certifications, formal independent attestations, specific uptime, specific RPO or RTO, specific session inactivity timing, specific backup cadence, specific support hours, or a fixed procurement turnaround. Those terms belong, where applicable, only in the signed agreement.