Governance, Risk, and Compliance
How Is Information Security Organized in Mendix?
Mendix has implemented an Information Security Management System (ISMS) in accordance with the ISO/IEC 27001 standard. This internationally recognized framework provides the foundation for a comprehensive security program that encompasses the establishment, implementation, maintenance, and continuous improvement of an ISMS. In addition, Mendix adheres to ISO/IEC 27017, which extends these controls with cloud-specific security practices, ensuring enhanced protection for cloud service customers and providers. Together, these standards demonstrate Mendix’s commitment to robust, cloud-aware information security governance.
Which Third-Party Security Certifications and Assurance Reports Does Mendix Have?
Mendix holds the third-party security certifications and independent assurance reports described below. The two differ in kind: a certification (for example ISO/IEC 27001) confirms that a management system meets the requirements of a standard, whereas an assurance report (for example SOC 2 Type II or ISAE 3402 Type II) is an independent auditor's opinion on whether specific controls were suitably designed and operated effectively over a stated period.
ISO 22301 Certification
Mendix is certified to be compliant with the ISO 22301 standard. ISO 22301 is a key international standard for business continuity management, designed to help organizations prevent, prepare for, respond to, and recover from unexpected and disruptive incidents.
ISO/IEC 27001 Certification
Mendix is certified to be compliant with the ISO/IEC 27001 standard with all Annex A controls in scope. ISO/IEC 27001:2022 is a key international standard for security management that specifies security management best practices and comprehensive security controls.
ISO/IEC 27017 Certification
Mendix is certified to be compliant with the ISO/IEC 27017 standard with all Annex A controls in scope. ISO/IEC 27017 is a key international standard for a code of practice for information security controls for cloud services.
ISO/IEC 27018 Certification
Mendix is certified to be compliant with the ISO/IEC 27018 standard with all Annex A controls in scope. ISO/IEC 27018 is a key international standard for a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
ISO/IEC 27701 Certification
Mendix is certified to be compliant with the ISO/IEC 27701 standard with all Annex A (PII controller) and Annex B (PII processor) controls in scope. ISO/IEC 27701 is a key international standard for privacy information management that extends ISO/IEC 27001 and 27002 with privacy-specific requirements and guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
ISO 9001 Certification
Mendix is certified to be compliant with the ISO 9001 standard. ISO 9001 is a key international standard for quality management that is based on a number of quality management principles, including a strong customer focus, the motivation and involvement of top management, the process approach, and continual improvement.
NEN 7510 Certification
Mendix is certified to be compliant with the NEN 7510 standard with all Annex A controls in scope. NEN 7510 is the Dutch standard for information security in healthcare; it provides a framework based on ISO/IEC 27001:2022 and ISO/IEC 27002 for healthcare organizations and the processors that handle their data.
ISAE 3000 Type II and ISAE 3402 Type II Assurance Reports
ISAE 3402 is the international assurance standard for reports on controls at a service organization that are relevant to its customers' financial reporting; ISAE 3000 is the broader international standard for assurance engagements on non-financial information and is commonly used for reports on security and privacy controls. Mendix holds an ISAE 3000 Type II report and an ISAE 3402 Type II report. A Type II report covers not only the design of the controls but also their operating effectiveness over the reporting period (the past year), which is why customers performing vendor due diligence normally ask for Type II rather than Type I.
SOC 1 Type II and SOC 2 Type II Assurance Reports
SOC 1 and SOC 2 are attestation report frameworks defined by the American Institute of Certified Public Accountants (AICPA). A SOC 1 report covers controls relevant to customers' financial reporting; a SOC 2 report covers controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). Mendix holds a SOC 1 Type II report and a SOC 2 Type II report, each disclosing how Mendix controls were designed and operated over the past year. Customers should review the system description, the scope of the criteria covered, and any exceptions the auditor noted.
PCI DSS V4 Level 1 Service Provider Attestation of Compliance
Mendix holds a PCI DSS v4 Attestation of Compliance (AOC) as a Level 1 Service Provider, the highest service provider level under PCI DSS. Level 1 validation requires an annual on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance (ROC), rather than a self-assessment questionnaire. Customers processing cardholder data on Mendix should obtain the AOC and confirm which services and requirements are in scope, since PCI DSS responsibility is shared between the service provider and the customer.
HIPAA/HITECH
Mendix is attested to be compliant with HIPAA/HITECH. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information; the HITECH Act of 2009 strengthened these rules and their enforcement. There is no official HIPAA certification program, so compliance is demonstrated through an independent third-party attestation against the HIPAA Security, Privacy, and Breach Notification Rules. Customers acting as covered entities or business associates still need a Business Associate Agreement (BAA) in place for protected health information (PHI) processed on the platform.
Cyber Essentials (UK)
Mendix is certified to be compliant with Cyber Essentials. Cyber Essentials is a UK government-backed scheme, operated by the National Cyber Security Centre (NCSC), that addresses the most common internet-based threats to cyber security. For more details, see Further Scheme Information.
CSA STAR Certification
The Consensus Assessments Initiative Questionnaire (CAIQ) is a standardized assessment developed by the Cloud Security Alliance (CSA) to evaluate a cloud service provider's (CSP's) security controls against best practices aligned to the CSA Security Guidance for Cloud Computing and the Cloud Controls Matrix (CCM). Mendix's registration can be found on the CSA STAR Registry, a publicly accessible registry where CSPs publish their assessments to demonstrate transparency and alignment with industry best practices. The registry distinguishes STAR Level 1 (a published self-assessment, the CAIQ) from STAR Level 2 (a third-party certification or attestation against the CCM); when reviewing a registry entry, check which level it represents.
FSQS and FSQS-NL
Mendix is qualified under FSQS. The Financial Services Qualification System (FSQS) is a supplier qualification scheme run by a community of financial institutions, including banks, building societies, insurance companies, and investment services, who collaborate on a single standard for managing the increasing complexity of third- and fourth-party information needed to demonstrate compliance with regulators, policies, and governance controls. FSQS-NL is the Dutch counterpart of the scheme.
ENS
Mendix is Esquema Nacional de Seguridad (ENS) High-certified. The ENS establishes security requirements that apply to all government agencies and public organizations in Spain, as well as to service providers on which those public services depend. The ENS accreditation scheme was developed by the Ministry of Finance and Public Administration and the National Cryptologic Centre (CCN) and comprises basic principles and minimum requirements for the adequate protection of information; "High" is the most demanding of its three categories (Basic, Medium, High). To achieve ENS High certification, Mendix was successfully audited by an accredited independent assessor.
FedRAMP® Authorized
Mendix Cloud for Government is FedRAMP® Authorized, enabling U.S. federal agencies to develop and deploy secure, modern applications rapidly and at scale. The environment is securely hosted on AWS GovCloud (US) and operated by Siemens Government Technologies (SGT), ensuring compliance with strict government security and operational standards.
NIS2 QM30
Mendix is certified to be compliant with NIS2 QM30, the highest level of the NIS2 Quality Mark. This scheme aligns with the EU’s NIS2 Directive and provides a structured way to demonstrate compliance. QM30 certification represents the most stringent level, required for entities directly regulated under NIS2, ensuring robust governance, risk management, and cybersecurity resilience across the supply chain.
C5 Type II Attestation
Mendix holds an ISAE 3000 Type II report covering the C5 (Cloud Computing Compliance Criteria Catalogue) framework. C5, developed by the German Federal Office for Information Security (BSI), defines minimum security requirements for cloud service providers. A C5 Type II report includes an independent audit of the implemented controls over a defined period, confirming that the security measures were effective and consistently applied, not merely designed.
FIPS Compliance
Mendix supports FIPS compliance through its private deployment offerings. Additionally, Mendix Studio Pro and the Mendix Runtime can be made FIPS-compliant.
FIPS (Federal Information Processing Standards) are standards issued by the US National Institute of Standards and Technology (NIST); the relevant one here, FIPS 140 (currently FIPS 140-3), specifies security requirements for cryptographic modules that protect sensitive information. Operating the platform with FIPS-validated cryptographic modules helps customers meet federal requirements for data encryption and cryptographic operations. Note that FIPS validation applies to a specific cryptographic module and version, so a compliant configuration must be maintained across upgrades.
How Often Does Mendix Perform Risk Assessments?
As required by the Mendix ISO/IEC 27001:2022 certification, risk assessments are conducted at least annually and whenever significant changes occur. The Mendix risk management program follows a structured approach aligned with the NIST Risk Management Framework (RMF), systematically evaluating information security risks by identifying relevant threats, vulnerabilities, and potential impacts. This ensures a proactive and repeatable process for managing risk across the organization.
What Kind of Security Tests Are Performed on the Mendix Platform?
Independent auditing firms periodically perform security audits of Mendix, the results of which are reported through the ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and NEN 7510 certificates, the PCI DSS Level 1 Service Provider Attestation of Compliance, the ISAE 3000 Type II and ISAE 3402 Type II attestation reports, and the SOC 1 Type II and SOC 2 Type II attestation reports.
In addition, companies specialized in offensive security perform penetration tests on the Mendix Platform at least monthly. These penetration tests follow the Open Web Application Security Project (OWASP) testing guidance, the Information Systems Security Assessment Framework (ISSAF), and the Open Source Security Testing Methodology Manual (OSSTMM).
Mendix maintains a comprehensive vulnerability management program to ensure the ongoing security of the Mendix Platform. Prior to each release, the platform undergoes rigorous security testing—including Static Application Security Testing (SAST) and Software Composition Analysis (SCA)—to detect vulnerabilities in both custom code and third-party components.
In production, we continuously monitor the platform using various methods such as vulnerability scanning tools, a responsible disclosure and bug bounty program, and threat intelligence feeds. For more information, see Cloud Security.
What Security Controls Does Mendix Have in Place for Its Employees?
All Mendix employees are required to provide a government-issued background check (certificate of good conduct) and are bound by strict confidentiality obligations embodied in a confidentiality agreement. Furthermore, Mendix has implemented a mandatory security awareness program for all employees covering topics relevant to their responsibilities. Mendix security and privacy staff hold industry-standard certifications, including but not limited to CISSP, CCSP, CIPP/E, CDPSE, and CISM.
How Does Mendix Help Customers Meet Regulatory Requirements?
Mendix provides a platform designed to support customers in meeting a wide range of regulatory and compliance obligations across industries. By combining built-in security controls, audit logging, electronic signature support, and traceability features, Mendix enables organizations to build applications that align with frameworks such as DORA, PCI DSS, HIPAA and GxP. The platform supports configurable access controls, data protection mechanisms, and validation support to help customers meet both internal policies and external regulatory standards. Whether deploying in the Mendix Cloud or in a regulated on-premises environment, customers retain control over their compliance responsibilities within a shared responsibility model, while leveraging Mendix’s independently audited infrastructure and processes as a secure foundation.
How Does Mendix Handle Security Incidents?
Mendix has established a structured and proactive approach to security incident management to ensure timely detection, response, and resolution of potential threats. Security incidents are managed through a formal incident response process aligned with ISO/IEC 27001 and the Mendix unified control framework. This process covers continuous monitoring of Mendix Cloud environments, detection, rapid triage and classification of incidents, containment, root cause analysis, and remediation.
Customers are notified in accordance with contractual obligations and regulatory requirements, including data breach notification timelines where applicable. Mendix also performs post-incident reviews to improve controls and prevent recurrence.
For on-premises or private cloud deployments, organizations are responsible for implementing their own incident response procedures, although Mendix provides guidance and support as needed. This structured approach ensures transparency, accountability, and continuous improvement in managing security events.