Most vendor demos look the same. This checklist is the set of questions that separate a hotline your people will actually trust from one that just checks a box. Use it with every vendor you evaluate, including us. Copy it into your RFP, print it, or score vendors side by side. None of it requires an email or a sales call.
1. Reporting channels & intake
A hotline only works if people can reach it the way they want to, and the report arrives in a usable form.
- Which channels can reporters use (web form, chat, phone or voice, email, QR code or poster), and are they all included or priced separately?
- Is voice intake a real, guided conversation, or just voicemail that someone transcribes later?
- Can employees report in their own language, and is translation automatic?
- How quickly can a non-technical admin stand up a new reporting form or intake line?
- Can the intake questions be tailored to your policies, categories, and tone?
- What does the reporter actually see and experience? Ask for a live reporter walkthrough, not just an admin demo.
2. Anonymity & reporter trust
If people do not trust the line, they call a regulator or post on Glassdoor instead. Anonymity is the whole product.
- For anonymous reports, what identifying data is stored (IP address, phone number, device fingerprint)?
- Can a reporter stay fully anonymous and still have a two-way conversation with investigators?
- How does a reporter follow up or add information later without revealing who they are?
- Who can unmask a sealed identity, under what documented process, and is every access logged?
- What stops an administrator from quietly viewing something they should not?
3. Case management & investigations
Surfacing the report is step one. The platform has to carry it to a documented resolution.
- Does every channel land as one structured case, or are you juggling separate inboxes?
- What investigation tools are built in (tasks, interview notes, evidence, findings, remediation tracking)?
- Can you enforce who sees which case on a need-to-know basis, down to the individual record?
- Is there an immutable audit log of every action, and can you export it?
- Are conflicts of interest and disclosures handled in the same system, or a separate tool?
4. AI: substance over buzzwords
Almost every vendor now says AI. Ask what it actually does and where your data goes.
- What specifically does the AI do (intake interview, triage, risk scoring, case briefs, duplicate detection, PII redaction)?
- Is AI included in the price, or gated behind a higher tier?
- Where does report data go when the AI processes it, and is it ever used to train external models?
- Can an admin configure the AI interviewer's greeting, tone, and questions?
- What happens when the AI is unsure? Is there a clear human path?
5. Security, privacy & data residency
A vendor that shows its actual controls and subprocessors openly is far easier to clear through your own security review than one that only waves a badge.
- Where is data physically stored and processed, and can you get US-only residency?
- Is the subprocessor list published openly, or only available under NDA?
- How does the vendor handle certifications? Do they claim badges they do not hold, or show their real, current controls?
- Is data encrypted in transit and at rest, and how is access to production systems controlled?
- Can you export all of your data, and what happens to it if you leave?
6. Compliance & legal defensibility
When a matter gets serious, the questions are about records, jurisdiction, and whether it holds up.
- Does the platform support the frameworks you answer to (SOX, Dodd-Frank and the SEC program, DOJ ECCP expectations, and any sector rules)?
- Are records complete and tamper-evident enough to stand up if a case is challenged?
- Whose law governs the contract, and where would a dispute be heard?
- Can Legal self-serve the documents they need (DPA, security overview, subprocessors) without a sales call?
- How are legal holds and data retention configured and enforced?
7. Program effectiveness & analytics
The DOJ no longer asks whether you have a hotline. It asks whether it works. Make sure you can prove it.
- Can you show usage, trends, categories, and time-to-resolution to your board?
- Does the tool help you demonstrate the program is effective, not just that it exists?
- Can you show a closed loop from report to remediation to resolution?
- Does anything help you catch issues earlier, before they become external complaints?
8. Pricing, implementation & lock-in
The sticker price is rarely the real price. Find the add-ons and the exit before you sign.
- What is the true all-in annual cost, and what is an add-on (phone number, extra seats, AI usage, storage)?
- Is there a genuine free or trial path to evaluate on your own data before committing?
- How long does implementation take, and who does the work, you or the vendor?
- Is there a contract term or lock-in, and can you cancel and export cleanly?
- What does support actually include, and in what time zone?
9. Vendor fit & transparency
A short gut-check that tells you a lot about the next few years.
- Is this a US-native product, or an EU platform with a US sales office?
- How quickly and honestly do they answer a hard security question?
- Will they connect you with a reference in your industry?
- Do they publish pricing, or hide it behind a call?
How to use it
Score each vendor one to five on every section. The gaps show up fast, and they are usually in anonymity, transparency, and the true total cost, not the feature list everyone demos. MyHotline is built to answer every question here in the open, so the fastest way to test us against it is to start free and check for yourself.