Dependable security of the highest standards, every step of the way.

Customers choose us because we are the leading application platform-as-a-service; they stay with us because security and control are baked into everything we do.

Mendix Platform Security

  • We’ve made security, governance, data privacy, and compliance a priority in every aspect, from our platform and the applications built on it, to our security operations. And because new threats never rest, neither do we.

  • With a combination of reactive, preventative, and defensive controls, we are continuously making our platform the kind of secure environment you can count on to help you remain competitive.

“Cybersecurity is a key ingredient for trust from our customers. It is also the basis for sustainable success and a strong ecosystem.”

Roland Busch

President & CEO of Siemens AG

Compliance is key

A global clientele means understanding and developing our platform with an eye toward maintaining compliance with rules and regulations, both internationally and locally. We maintain an extensive roster of certifications, reports, and standards that are available to customers and prospects upon request, such as:

Business Continuity

Mendix has a certified Business Continuity Management System in place to safeguard the uptime agreed upon with our customers. Available to customers with an enterprise license, it is designed to keep your application available if a Mendix Runtime container fails.

How do we do it? Mendix Cloud enables auto-recovery and failover within the same availability zone, with user load balanced over two runtime containers. If a single runtime container were ever to crash, the other runtime container would automatically take over all user requests while the Cloud Foundry Health Manager replaced the crashed container with a new one. Because the Mendix Runtime has a stateless architecture, end users are not impacted and the period of disruption is kept short. Note that this failover protects against the loss of a single runtime container, not against an outage of the availability zone itself.

Read the Evaluation Guide

Mendix Platform Status

Transparency is vital in maintaining customer trust and for that reason, we have a dedicated page for monitoring Mendix Cloud, Mendix Services, and announcing scheduled maintenance dates. Bookmark and check back regularly for the latest updates.

Check Platform Status

How to Achieve Effective Governance

Generating business value while mitigating risks and overseeing creators seems like a tall order, but it’s entirely possible within the Mendix Platform.

With tools like the Application Quality Monitor (AQM), Automated Test Suite (ATS), and the Application Performance Monitor (APM), you can ensure that your organization is headed in the right direction.

Download eBook

Albaraka Bank chose Mendix because “...with Mendix Security Certifications, we would be able to build with confidence.”

Additional security and compliance resources

  • The Mendix Vulnerability Disclosure Program

    Mendix leverages HackerOne as its responsible vulnerability disclosure and bug bounty provider. HackerOne gives Mendix access to the most trusted and tightly vetted community of hackers on the planet and gives ethical hackers a channel to report the vulnerabilities they discover.

    Visit Our HackerOne Dashboard
  • Security Advisories

    Mendix publishes security advisories by leveraging Siemens ProductCERT, which is a dedicated team of seasoned security experts that manages the receipt, investigation, internal coordination, and public reporting of security issues related to Siemens products, solutions, and services.

    View Security Advisories
  • Mendix Service Level Agreement

    Read through the SLA to understand what is and isn’t a part of service levels with the Mendix Platform.

    Download Agreement

Mendix Security & Compliance FAQs

  • When will the new SOC2 report be published?

    The Mendix SOC 2 audit period runs from November 1st to October 31st of the following year. The report is then published in the first week of December following the audit period. Other reports that run on the same schedule include the SOC 1, SOC 3, ISAE 3000, and ISAE 3402 reports.

  • What’s the difference between SOC 1, 2, and 3?

    To put it plainly, a SOC 1 report describes a service organization's controls that are relevant to its customers' financial reporting, and how accurately that description matches reality. There are two types of SOC 1 report: Type 1, which assesses whether the controls are suitably designed as of a certain date, like a one-time snapshot, and Type 2, which also assesses whether those controls operated effectively over a period of time. Mendix holds Type 2 reports for SOC 1 and SOC 2, and the SOC 3 report that is derived from the SOC 2 Type 2 examination.

    A SOC 2 report, on the other hand, covers the controls surrounding the security of the service and, where in scope, its availability, processing integrity, confidentiality, and privacy (the Trust Services Criteria). Much like SOC 1, there are two types of report: Type 1 is a snapshot of control design at a point in time, whereas Type 2 also reports on how effectively those controls operated over a period of time.

    A SOC 3 report is essentially the general-use version of the SOC 2 report. It covers the same material as a SOC 2 report in less detail, and it can be freely distributed to the public, whereas the SOC 2 report goes more in-depth and is restricted in who it can be distributed to.

  • How does Mendix encrypt my data?

    The Mendix Platform encrypts data at rest and data in transit out of the box, at the storage and transport layer. Customers who additionally want application-level encryption, so that specific attribute values are stored in encrypted form in the application database regardless of storage encryption, can use the Encryption module from the Mendix Marketplace, which uses the Advanced Encryption Standard (AES).

  • In what regions is my data stored?

    Mendix permits customers to specify the particular geography where their customer data will be stored. Data may be replicated for backup within a selected geographic area for redundancy, but will not be replicated elsewhere, so customer data will stay under local law and data privacy protection acts.

    Customers can choose from the following regions. New regions are added based on customer demand:

    Australia (Sydney)
    Canada (Montreal)
    EU (Frankfurt, Germany)
    EU (Dublin, Ireland)
    Japan (Tokyo)
    Singapore (Singapore)
    UK (London)
    US East (North Virginia)
    US West (Oregon)

  • How is security handled in a Mendix application?

    Every application built on the Mendix Platform gets role-based user access out of the box. Because a Mendix application consists of one or more modules, each with a functional scope (e.g., orders, customers, items) and self-contained so that it can be reused in multiple applications, security aspects are defined at both levels.

    Security settings defined on the application level will apply to all modules within the application, while module-level settings will be specific to each individual module.

    Read more on application development security here.

  • Where do you manage the overall security settings for a project in Mendix?

    You can manage the security settings for each application in Mendix by navigating to App Explorer > App > Security, where a dialog box will open allowing you to switch on application security. From there you can determine the security needed for modules, entities, etc.

    Read more detailed information on best practices for implementing application security here.

  • When I create a Mendix Support Ticket, where is my ticket data stored and processed?

    For handling Support Tickets, Mendix uses the customer support and help desk ticketing platform provided by Zendesk. When you log and submit a Mendix Support Ticket you provide limited personal data (i.e., your name and email address) to Mendix, enabling us to contact you. This data is stored in the EU region only.

    Mendix provides 24/7 global support from our 3 regions (EMEA, the Netherlands; AMS, United States; and APAC, India). Only the name you provided to Mendix when submitting the Support Ticket is visible to our Mendix Support staff in all regions; no Mendix Support staff member has access to application data (i.e., data being processed or stored in your application). All access to your application data is solely under your control. Mendix has implemented strict organizational and technical measures, including administrative controls that prohibit access to application data by Mendix Support staff unless and insofar as such access has been authorized by prior explicit customer approval.

    While you can add any attachment when logging and submitting your Support Ticket, Mendix strongly discourages you from including personal data, confidential information, trade secrets, or any other sensitive information in an attachment. Please note that any information in an attachment to your Support Ticket can be viewed and accessed by all Mendix Support staff. Submitted attachments are sent via SendSafely, an encrypted, secure file-sharing platform, and are stored in the EU region only.
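The two-level model described in the "How is security handled in a Mendix application?" answer above, as an added illustrative example in Python (not Mendix code): app-level user roles are composed of module roles, each module's access rules grant rights on the members of its own entities, and a user's effective rights are the union over all their roles, with everything not explicitly granted denied. The module, entity, role, and attribute names are constructed for the example, and the model assumes that write access on a member implies read access.

```python
"""Illustrative model of Mendix's two-level security configuration.

Added example, not Mendix code. App-level user roles map to module roles,
module-level access rules grant entity member rights, and a user's effective
rights are the union over their roles; anything not granted is denied.
All module, entity, role and attribute names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Module:
    """A module owns its entities and defines access rules per module role."""
    name: str
    # module role -> entity -> {"read": [members], "write": [members]}
    # (assumption of this model: write access implies read access)
    access_rules: dict = field(default_factory=dict)


@dataclass
class App:
    """App-level settings: which module roles each user role is composed of."""
    modules: dict = field(default_factory=dict)     # module name -> Module
    user_roles: dict = field(default_factory=dict)  # user role -> {"Module.ModuleRole", ...}


def effective_rights(app: App, user_roles) -> dict:
    """Union of entity member rights over all of the user's roles; deny by default."""
    rights: dict = {}
    for user_role in user_roles:
        # Unknown user roles contribute nothing rather than raising.
        for qualified in app.user_roles.get(user_role, set()):
            module_name, module_role = qualified.split(".", 1)
            module = app.modules[module_name]
            for entity, rule in module.access_rules.get(module_role, {}).items():
                slot = rights.setdefault(f"{module_name}.{entity}",
                                         {"read": set(), "write": set()})
                writable = set(rule.get("write", ()))
                slot["write"] |= writable
                slot["read"] |= set(rule.get("read", ())) | writable
    return rights


def can(app: App, user_roles, entity: str, member: str, action: str) -> bool:
    """True only if some role explicitly grants `action` on `entity`.`member`."""
    return member in effective_rights(app, user_roles).get(entity, {}).get(action, set())


def unassigned_module_roles(app: App) -> set:
    """Module roles that no app-level user role maps to: configured but unreachable."""
    assigned = set().union(*app.user_roles.values())
    declared = {f"{m.name}.{role}" for m in app.modules.values() for role in m.access_rules}
    return declared - assigned


# Constructed sample app: two self-contained modules, three app-level user roles.
SAMPLE_APP = App(
    modules={
        "Orders": Module("Orders", {
            "Clerk":   {"Order": {"read": ["Number", "Total"], "write": ["Status"]}},
            "Manager": {"Order": {"write": ["Number", "Total", "Status", "Discount"]}},
        }),
        "Customers": Module("Customers", {
            "Viewer": {"Customer": {"read": ["Name", "Email"]}},
            "Editor": {"Customer": {"write": ["Name", "Email", "CreditLimit"]}},
        }),
    },
    user_roles={
        "Sales":     {"Orders.Clerk", "Customers.Viewer"},
        "Manager":   {"Orders.Manager", "Customers.Viewer"},
        "Anonymous": set(),
    },
)

if __name__ == "__main__":
    print("Sales rights:", effective_rights(SAMPLE_APP, ["Sales"]))
    print("Sales may write Order.Total:", can(SAMPLE_APP, ["Sales"], "Orders.Order", "Total", "write"))
    print("Unreachable module roles:", unassigned_module_roles(SAMPLE_APP))
```

Running the block shows that the Sales role can read Order.Total and write Order.Status but cannot write Total or see Discount, that a user with no roles or an unknown role gets nothing, and that `Customers.Editor` is flagged as a module role no app-level user role reaches; a module role that is configured but never assigned grants nobody anything.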