Compliance - Digital tools and personal support

Lantero maintains an active agenda for ongoing technical development. This applies to our whistleblowing service as well as support services regarding compliance, user management, and the redaction service, Redact. The following is a summary of some of the technical and security-related changes implemented over the past year. ### Cloudflare Turnstile The reporting form in the whistleblowing service now utilizes Cloudflare Turnstile, which provides a seamless way to protect against bots without disrupting the user experience. ### Infrastructure Overview Our internal monitoring has been better structured to allow us to proactively handle issues before they impact the customer. We have real-time monitoring in place, providing immediate feedback regarding any disturbances in our systems or services. Bitdefender is active on all our servers, and we apply maintenance and upgrade procedures on a daily, weekly, and monthly basis to ensure everything runs smoothly and predictably. ### Information and Operational Security Some of our initiatives during the year include: - Anonymized Application Logs: We have established anonymized logs to protect personal data. - Vulnerability Patching: Patched several known vulnerabilities (CVEs) across the npm ecosystem. - Dependency Updates: Ensured that all major code libraries have been updated, such as Express, Vite, and Qs. - JWT-based Verification: We have modernized the authentication flow by switching to JWT-based user verification. In practice, this means the server does not need to store information about logged-in users, providing a more secure and reliable method for session management. - Deletion Protection: Implemented protection against deleting a channel that still contains active cases, serving as an extra safeguard for case information. ### Infrastructure and Performance Several efforts have been made to make the platform faster, more stable, and easier to maintain. During the past year, we have, among other things, completed the following: - MongoDB Upgrade: Upgraded to version, v7. This brings several security enhancements, as well as improvements in encryption, stability, and cluster management, while securing long-term support. - React Upgrade: Upgraded to React v19.2, the latest stable version of React 19. This version represents a paradigm shift in how the framework handles interface updates. Among other benefits, it reduces the need for manual routines and offers advantages for search engine optimization (SEO). - Node.js 24 Support: Provides more efficient memory management and improved support for the latest API standards. - Email Queue: Implementation of an email queue to avoid issues caused by too many simultaneous SMTP connections. - Autosave Functionality: Improved functionality for automatic saving. - Session Renewal: Minute-by-minute session renewal to reduce the risk of being logged out while working. - Nginx Improvements: Updated to follow best practices, including log rotation and HTTP/2 configuration. Do not hesitate to contact us if you would like to learn more about our development and security efforts.

Lantero has offered whistleblowing services since 2014 and has long maintained a well-established service where changes on the surface may appear minor. At the same time, looking back at the past year, we can conclude that it has been a very active year of development, featuring plenty of new functionality, security enhancements, and "under the hood" improvements that bolster both user experience and stability. The following is a brief summary of the past year's developments, and we welcome any questions or feedback from our users. ### Integration of Redact Handling whistleblowing cases involves working with sensitive information where there is a particular responsibility to protect both the whistleblower and other individuals appearing in the cases. When information is requested as a public document, or when information needs to be shared with other parts of the organization, a need for redaction may arise. Lantero has therefore built this functionality directly into the whistleblowing service. The Lantero Redact service is a tool for masking documents, providing the caseworker with AI-generated suggestions for redactions, which can then be adjusted before a new masked document is generated. While offered as a standalone tool, it is now also available as a feature directly within the whistleblowing channel. This means you can save a redacted copy of a whistleblowing case directly within your standard workflow. ### Customized Options for Anonymity Different organizations take different approaches to anonymity. While legislation sets strict requirements for the protection of confidentiality, it does not mandate that reporting must be possible anonymously. We have now made it possible for individual customers to customize their setup regarding anonymity. ### Activity Log Notifications and Daily Summaries Many different types of events can occur during the management of a case in Lantero's whistleblowing system. We have now expanded the notification options so that you can be alerted to more types of events in the case management process. At the same time, we know that organizations with high case volumes may find that they receive too many email notifications. We would therefore like to highlight the daily summary function. This feature allows you to limit email notifications to one per day, summarizing the day's activity. ### Smarter Case Management During the initial assessment of cases, it is now easier to see which caseworkers are staffing each part of the process, particularly to identify available options for staffing the Investigation stage. The case summary generated in PDF format has been improved, with the structure reviewed and refined. ### Improved User Experience As a caseworker, there are new options to customize the case management view, including the ability to collapse sections that are not currently in use. We have added security prompts that require extra confirmation before high-risk activities, such as deleting a channel. The shortcut to the overview page has been made clearer and established as its own button. Previously, the shortcut was located within the Lantero logo, which proved to be too indistinct. Language options have been expanded, and 22 languages are currently available. A series of improvements have been made to the integration with Lantero's portal for login and user management, making the user experience even smoother.

Implementing AI in an organization today is not merely a technical challenge, but very much a legal and security-oriented one. In a conversation between Lantero and expert Joakim Karlén (in Swedish), we highlight the complex issues that arise when Large Language Models (LLMs) encounter European legislation such as GDPR and the new AI Act. ### Innovation in the US, Regulation in the EU Technological development is largely driven by American companies, but for Swedish and European organizations, local legislation sets the boundaries. Joakim Karlén notes that the current dynamic is challenging because the pace of innovation is lightning-fast while regulation is brand new. There is still a lack of clear legal precedent and court rulings, which places high demands on an organization’s internal capacity for risk analysis. ### The Clash Between GDPR and AI Dynamics One of the most central questions is how AI systems—which are by nature dynamic and non-deterministic—can live up to GDPR’s requirements for accuracy. Traditional IT systems are static; you know what you input and what you will get as output. An LLM works differently. By simulating human behavior with a degree of randomness, the output is not always predictable. This creates fundamental uncertainty regarding individual rights and the accuracy of the processed data. ### From Chatbots to Autonomous Agents We are seeing a clear shift from simple chatbots to autonomous agents capable of performing tasks independently. This introduces new risk vectors. Joakim emphasizes that an organization deploying an AI system is considered a "deployer" under the AI Act and thus bears the legal responsibility. This becomes particularly critical when agents are given the mandate to act without human intervention. The risk of incorrect decisions or random behavior means that traceability—the ability to explain why a machine acted in a certain way—becomes both a technical and legal challenge. Not least when it comes to cybersecurity. ### Internal Risks and "Oversharing" While many focus on external hackers, one of the greatest risks is internal. The concept of "oversharing" describes when an AI agent, due to a lack of permission management or classification, gives employees access to sensitive information they are not authorized to see. Protecting the "machine" itself and its access to internal data sources is therefore just as important as protecting the raw data. ### Methodology Wins in the Long Run To succeed, Joakim suggests a methodical approach. Instead of simply "trial and error," organizations should begin with a holistic analysis based on the AI Act, GDPR, and cybersecurity legislation (NIS2). By understanding the purpose of the technology and maintaining control over the information structure, you can build correctly from the start.