How we protect sources

Your safety is our first obligation. Here is exactly what we do — and don't do.

No IP logging

Our nginx web server is configured to suppress IP logging for all source-facing routes: /submit, /meeting, /nda, and their corresponding API endpoints.

Specifically, the access_log directive is set to off for these routes, and the X-Forwarded-For and X-Real-IP headers are cleared before the request reaches our application. We have also confirmed that our application code never logs req.ip on these routes.

AES-256 encryption

What is encrypted at rest:

  • Organization name in tips
  • Full tip description/content
  • Contact information (Signal/ProtonMail)
  • Meeting token contact details
  • All uploaded files

We use AES-256-GCM with a 32-byte key stored as an environment variable on the server — never in the database or source code. Each encrypted value has a unique random initialization vector.
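The scheme described above, as an added Node.js example (not this site's own code): each value is encrypted under AES-256-GCM with a fresh random IV and a 32-byte key read from the environment. The variable name TIP_FIELD_KEY, the function names, the iv || tag || ciphertext storage layout, and the use of the field name as associated data are assumptions of this example.

```javascript
// Added example: field-level AES-256-GCM. Not the site's own code.
const crypto = require('node:crypto');

const IV_LEN = 12;   // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16;  // 128-bit authentication tag

// Read the key from the environment. TIP_FIELD_KEY is a hypothetical name;
// the value is expected to be 64 hex characters (32 bytes).
function loadKey(env = process.env) {
  const hex = env.TIP_FIELD_KEY || '';
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('TIP_FIELD_KEY must be 64 hex characters (32 bytes)');
  }
  return Buffer.from(hex, 'hex');
}

// Encrypt one value. `context` (for example "tips.contact") is bound as
// associated data (an assumption of this example) so a stored ciphertext
// cannot be moved to another field without failing authentication.
function encryptField(key, plaintext, context) {
  const iv = crypto.randomBytes(IV_LEN); // fresh random IV for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout (assumed): iv || tag || ciphertext, base64-encoded
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt one value. Throws if the key, context, IV, tag or ciphertext
// does not match what was used at encryption time.
function decryptField(key, stored, context) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('stored value too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  const body = raw.subarray(IV_LEN + TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}
```

Because GCM authenticates as well as encrypts, a database row that has been altered or copied into a different field fails in decryptField instead of returning altered plaintext.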

Mutual NDA

Before meeting with a source, we sign a mutual confidentiality agreement. This creates legal obligations in both directions: we are bound not to reveal your identity; you agree to provide truthful information. See the meeting request flow for details.

Washington shield law

Washington State's journalist shield law (RCW 5.68.010) protects journalists from being compelled to identify confidential sources. We assert this protection for all source communications. We will exhaust all legal appeals before complying with any court order to identify a source.

Signal contact

Secure meetings are conducted via Signal, an end-to-end encrypted messaging app. Our dedicated Signal number for source contact:

[SIGNAL_NUMBER] — update before launch

Do not text this number from an SMS app — use Signal only.

What we never publish

  • Source identity or contact information
  • Details that could narrow identification of a source
  • Metadata about file uploads
  • IP addresses or device information
  • The existence of a tip or meeting request
  • NDA agreement details beyond the anonymous case reference

How to reach us securely

  1. Use the anonymous tip form on this site — no account required, no IP logged.
  2. Use Signal with your Signal number or ProtonMail via the meeting request flow.
  3. Email via ProtonMail to our secure address (provided after NDA signing).