Table of Contents
- How Does the Mendix Platform Manage My Identities?
- How Can I Administer My Company Within the Mendix Platform?
- How Can I Administer My Project Within the Mendix Platform?
- How Does the Mendix Platform Support Multi-Factor Authentication?
- What Kind of Logging & Audit Trails Are Provided in Mendix?
- What Kind of Security Tests Are Performed on the Mendix Platform?
- What Kind of Encryption Is Provided by Mendix?
As part of the Mendix Cloud, Mendix provides a user management and provisioning service called MxID. Because it is built on the Mendix Platform, MxID inherits all the security measures from the platform. MxID also provides an administration portal for the management of user access and authentication.
Apart from the company profile and settings, Mendix supports the definition of Company Admins, who can assign permissions to users following a delegated administration concept. One or more administrators can be identified per tenant who, in turn, can perform administrative tasks in the tenant according to the permissions granted.
The Mendix Developer Portal allows administrators to manage users (defined in MxID) and configure role-based user access to environments to deploy and manage apps. The Developer Portal security interface is integrated into the app project dashboard, so you have a 360° view of all the access rights for a specific person within the context of an app. Mendix enforces the segregation of duties between (at least) the developer and application administrator, whose roles are both safeguarded using personal accounts. Mendix will not allow you to configure a general management account, to ensure that all actions are traceable to a person.
For more information, see Company & App Roles in the Mendix Developer Portal Guide.
An independent auditing firm periodically performs security audits of Mendix, which are reported through our ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and NEN 7510 certificates, PCI DSS Level 1 Service Provider Attestation of Compliance, ISAE 3000 Type II attestation report, ISAE 3402 Type II attestation report, SOC 1 Type II attestation report, SOC 2 Type II attestation report, SOC 3 Type II attestation report, and HIPAA assurance letter.
In addition, a leading IT security firm performs penetration tests on the Mendix Platform on a monthly basis. These penetration tests are based on the Open Web Application Security Project (OWASP), Information Systems Security Assessment Framework (ISSAF), and Open Source Security Testing Methodology Manual (OSSTMM).
For vulnerability management, a program is in place for continuous monitoring of the security posture of the Mendix Platform. Before a release is shipped, the release is scanned by Snyk, Veracode, and SonarQube.