Trust is important, Controls are better

Security and Internal Controls for Your Apps and Data at Mendix


Mendix offers an industry-leading application Platform-as-a-Service (aPaaS) for companies to design, build, deploy and manage web and mobile applications. Being a platform provider, it is of utmost importance to ensure that the platform itself, the applications built on the platform and the cloud operations running the platform meet the highest security standards.

Delivering an innovative and secure application platform is the result of comprehensive planning, innovative design, and efficient operations. Mendix makes security a priority at every step, from code development to incident response.

Security Operations

Mendix has adopted a set of security controls from the ISO/IEC 27001:2013 Information Security Framework that govern operations, support and software development life cycles. Mendix has combinations of preventive, defensive and reactive controls to maintain the confidentiality, integrity and availability of the Mendix Platform and customer data.

These controls include:
  • Strict access controls on sensitive data, including two-factor authentication or certificate-based authentication to perform sensitive operations.
  • Background verification checks on operations personnel involved with customer data.
  • Multiple levels of monitoring, logging and reporting, including self-service tools embedded within the Mendix Platform.
  • A 24×7 security incident service that works to mitigate the effects of attacks and malicious activity.
  • A software development lifecycle which embeds security requirements into systems and software through the planning, design, development and deployment phases.


Within Mendix, we understand that customers trust that the privacy of their information will be protected, and that their data will be used in a way that is consistent with their expectations.

Our customers determine what data is submitted to the Mendix Platform as customer data. With respect to such data, Mendix acts as a data processor and addresses the following privacy commitments:

Data Location

Mendix permits customers to specify the particular geography where their customer data will be stored. Data may be replicated for backup within a selected geographic area for redundancy, but will not be replicated elsewhere, so customer data will stay under local law and data privacy protection acts.

Restricted Access

Access to customer data by Mendix personnel is restricted. Customer data is only accessed when necessary to support the customer’s use of the Mendix Platform after explicit authorization by the customer. Furthermore, strong authentication, including the use of two-factor authentication, helps limit access to authorized personnel only. Access of personnel is revoked as soon as it is no longer needed.

Notification of lawful requests

Our customers should control their data when stored within the Mendix Cloud. We will not disclose customer data to law enforcement except as a customer directs or where required by law. When governments make a lawful demand for customer data from Mendix, we strive to be principled, limited in what we disclose, and committed to transparency.

International Standards

Together with our customers, we make sure to comply to international data privacy standards, such as the General Data Protection Regulation (EU) 2016/679.


Compliance plays a key role in the trust from, and success for, our customers. We are committed to abiding by the laws and regulations that apply to us as we conduct business around the world. Furthermore, we use international standards to comply as a company or in a joint effort with our customers.

NEN 7510 Certification

Mendix is certified to be compliant with the NEN 7510 standard with all Annex A controls in scope. NEN 7510 is a Dutch healthcare certification which provides a framework based on the ISO/IEC 27001 and ISO/IEC 27002 standards to protect healthcare organizations and their processors.

ISO/IEC 27001 Certification

Mendix is certified to be compliant with the ISO/IEC 27001 standard with all Annex A controls in scope. ISO/IEC 27001 is a key international standard for security management that specifies security management best practices and comprehensive security controls.

ISO/IEC 27017 Certification

Mendix is certified to be compliant with the ISO/IEC 27017 standard with all Annex A controls in scope. ISO/IEC 27017 is a key international standard for a code of practice for information security controls for cloud services.

ISO/IEC 27018 Certification

Mendix is certified to be compliant with the ISO/IEC 27018 standard with all Annex A controls in scope. ISO/IEC 27018 is a key international standard for a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.

ISAE 3000 Type II & ISAE 3402 Type II Assurance Reports

ISAE 3000 and ISAE 3402 are international assurance standards on controls at a service organization. Mendix holds an ISAE 3000 Type II and an ISAE 3402 Type II report, which discloses how Mendix security controls have been managed over the past year.

SOC 1 Type II, SOC 2 Type II & SOC 3 Type II Assurance Reports

SOC 1SOC 2, and SOC 3 are American assurance standards on controls at a service organization. Mendix holds an SOC 1 Type II report, SOC 2 Type II report, and SOC 3 Type II report disclosing how Mendix security controls have been managed over the past year.

PCI DSS Level 1 Service Provider Attestation of Compliance

Mendix is certified to be compliant with the PCI DSS standard as a Level 1 Service Provider, which is the highest certification a PCI DSS service provider can get.

Cyber Essentials (UK)

Mendix is certified to be compliant with Cyber Essentials. The Cyber Essentials scheme addresses the most common internet-based threats to cyber security. For more details, see Further Scheme Information.


Mendix is attested to be compliant with HIPAA. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.

CSA STAR Certification

CSA STAR is a program for security assurance in the cloud. STAR consists of three levels of assurance based upon a comprehensive list of cloud control objectives.

Mendix has completed the CSA STAR level one self-assessment, which is available upon request.

Our assurance reports are available for (prospective) customers upon request under NDA. Please send an email with your request to [email protected] or ask your Mendix Account Executive for a copy of the latest reports.