Mendix and Data Privacy

This page aims to showcase how Mendix tackles challenges related to data protection. It serves as a comprehensive response to inquiries about Mendix’s data protection controls and compliance.

Mendix

Mendix Technology B.V. (“Mendix”), headquartered in Rotterdam, the Netherlands, is an EU-based company, subject to the General Data Protection Regulation (GDPR). As part of Siemens Digital Industries Software and a subsidiary of Siemens AG (Germany), Mendix operates globally with offices in Boston, Singapore and London.

Mendix provides an industry-leading low-code software development platform. We aspire to help organizations around the world reimagine the way they develop software with our platform’s cutting-edge capabilities. By bridging the gaps in communication and collaboration between business and IT, Mendix helps enterprises turn ideas into outcomes by delivering sophisticated software applications faster than ever before.

Mendix Platform

The Mendix Platform is designed to expedite the delivery of enterprise-grade applications throughout their entire development journey, from ideation and design to modelling, deployment, and continuous management, whether in the cloud or on-premises. It streamlines the entire application lifecycle.

Access and Usage – The Mendix Platform is open for use by anyone who becomes a Maker. Makers enjoy complete access to all features of the Mendix Platform, including support functionalities.

Application Creation – Makers utilize the Mendix Platform to create applications, typically on behalf of companies or customers with a Mendix subscription. The platform serves as a toolkit for creating applications, consisting of various components that accelerate every stage of the application lifecycle, from ideation to development, deployment, testing, and continuous management, whether in the cloud or on-premises. (See What is Mendix for more information.)

Versatility in Application Building – The Mendix Platform empowers Makers to develop a broad spectrum of applications, whether they’re transactional, event-driven, or tailored for diverse industries, all without being constrained by factors like complexity, performance, or scale.

Documentation and Support – Mendix ensures comprehensive documentation (Mendix documentation) and support (Mendix Support) for the Mendix Platform, and technically facilitates the collaboration of the Maker community through the Mendix Forum.

Data Control under GDPR – For personal data processed when an individual becomes a Maker, Mendix acts as the controller under the GDPR, determining the ‘why’ and ‘how’ of the personal data processing. A Maker can be an employee of a customer (refer to Mendix Developer Portal Guide for more details). Additionally, Mendix serves as the controller for personal data processed when creating a support ticket for Mendix Support, including communication with the ticket requester.

Customer’s Applications

Makers use the Mendix Platform to design a graphical representation of a customer’s application and of the relationships between the infrastructure components required to support or provide functionality to the application. The result is a software solution or system, produced through visual modelling techniques, with the specific functionalities, features, and user interfaces that serve the customer’s business needs and use cases; it allows the application to access, use, create, manage, process and/or store application data. Application data can be any content as determined by the Maker, and may encompass any information that pertains to an identifiable individual, extending to various categories of (sensitive) personal data. Any access to application data is under the control of the customer, and Mendix does not have access to it even when an application processing personal data is deployed to Mendix Cloud. This is safeguarded by various controls, including a strict prohibition on all Mendix personnel gaining access to application data unless explicitly authorized and approved by the customer.

Deployment of a Customer’s Mendix Application

A Mendix application can be deployed in different ways. Mendix applications run on the platform’s cloud-native, stateless runtime architecture, which conforms to Twelve-Factor App principles and supports modern cloud platforms such as Docker, Kubernetes and Cloud Foundry. Mendix applications run on a variety of deployment options, including public cloud (such as Mendix Cloud), virtual private cloud, private cloud, hybrid cloud, multi-cloud, and traditional (virtual) servers. See for more information.

Deployment in Mendix Cloud

Mendix Cloud is the deployment solution in which Mendix provides hosting environments for customers. See Mendix Cloud Overview for more information about Mendix Cloud, and Cloud Security for more information about the security of Mendix Cloud. For each application deployed in Mendix Cloud, customers choose the data location from the available cloud regions. For example, EU-based customers may opt for the data location Frankfurt (Germany), with backup in Dublin (Ireland). See for more information.

If customer applications involve the processing of personal data, a determination that lies solely within the customer’s discretion, Mendix assumes the role of a processor under the GDPR. In this capacity, Mendix hosts, stores, and facilitates the availability and accessibility of such applications, including application data that may or may not contain personal data.

Data Encryption in Mendix Cloud

Mendix ensures the security of application data in Mendix Cloud through encryption, both for data at rest and in transit within app environments. The encryption keys are managed by Mendix. Additionally, customers have the option to enhance data security further by utilizing the Encryption Module from the Mendix Marketplace, enabling them to encrypt the application data using the Advanced Encryption Standard (AES). For more details, refer to the Data Security section.

No Application Data Transfer

Mendix adheres to a strict policy regarding the transfer of customers’ application data. No application data will be moved from the customer-selected data location without explicit approval from the customer.

Mendix Support

Mendix offers technical support specifically for its platform and does not extend support to customers’ applications. Support is facilitated through Zendesk, a customer support and help desk ticketing platform. When a Mendix Support Ticket is logged, limited personal data such as the requester’s name and email address is shared with Mendix for communication purposes. This information is exclusively stored within the EU region.

Mendix ensures 24/7 global support from three regions: EMEA (the Netherlands), AMS (United States), and APAC (India). Only the name provided by the requester when submitting a Support Ticket is visible to Mendix Support staff across all regions. Importantly, Mendix Support staff do not have access to application data, as control over such data remains solely with the customer. Stringent organizational and technical measures have been implemented, including administrative controls that restrict access to application data unless explicitly authorized and approved by the customer.

While requesters have the option to attach files to Support Tickets, Mendix strongly discourages the inclusion of personal data, confidential information, information containing trade secrets, or any other information of a sensitive nature in these attachments. It is important to note that all Mendix Support staff can view and access information contained in attachments. The attached information is stored exclusively in the EU region, and attachments are transmitted securely via the encrypted file-sharing platform Sendsafely.

Sub-processors

For a detailed list of Mendix’s sub-processors, please refer to the Siemens subprocessors list. Currently, Mendix utilizes the following sub-processors:

  1. AWS – Service: Hosting of Mendix Cloud. When deploying applications on Mendix Cloud, AWS is utilized as a sub-processor. The customer has the authority to determine the data location. Explore available data locations.
  2. Zendesk – Service: Support Ticketing System. Mendix employs Zendesk for its Support Ticketing System (see Mendix Support). Mendix Support staff do not access application data. However, when a customer includes an attachment or a screenshot in a support ticket containing personal data processed in an application, Zendesk functions as a sub-processor. While Zendesk is a U.S. company, data storage occurs in Europe (Germany).
  3. Sendsafely – Service: Secured Encrypted Attachment Sending. Sendsafely is utilized for the secure and encrypted transmission of attachments. Although Sendsafely is a U.S. company, an EU data location is established for attachment storage.
  4. Mendix Support Teams in the USA and India – Mendix Support Teams, operating under Siemens entities in the USA and India, provide technical Mendix support. These teams are considered sub-processors only when explicit customer approval for accessing application data (Access to customer data) is granted, or when a customer attaches files to a Mendix Support ticket, as detailed in the Mendix Support section above.

For all sub-processors, the EU Standard Contractual Clauses ((EU) 2021/915 of 4 June 2021) are agreed upon, and a transfer impact assessment is conducted. Each sub-processor is thoroughly evaluated to determine the minimal additional measures required to address privacy risks.

Data Processing Agreement

Whenever Mendix operates as a processor, a Data Processing Agreement will be established with the respective customer. The details of Mendix’s data processing agreement can be accessed on the Siemens Data Privacy Terms website.

Data Protection Impact Assessments, Data Transfer Impact Assessments

Should a customer be legally obligated to conduct a data protection impact assessment or a transfer impact assessment, Mendix stands ready to offer, upon request, reasonable information and assistance. This support considers specifics of the processing and the information accessible to Mendix, aiming to aid the customer in the thorough completion of their data protection and transfer impact assessments.

Third Party Management

Third-party entities delivering services in Mendix-controlled facilities or on Mendix-managed equipment are obligated to adhere to Mendix’s data protection policies and standards.

Typically, third parties acting as processors for Mendix, processing personal data on Mendix’s behalf, undergo a comprehensive assessment, including a transfer risk evaluation. Where personal data is transferred outside the European Economic Area (EEA), specific precautions are implemented to ensure that data protection standards accompany the data. Where a third party situated outside the EEA processes or accesses personal data on behalf of Mendix, Mendix ensures that the necessary transfer mechanisms, such as the EU Standard Contractual Clauses (controller-processor), are in place.

Law Enforcement and Requests of Third Parties

As of now, Mendix has not received any law enforcement or third-party requests for the provision of data or for assistance in providing data. In the event that Mendix receives an order from any third party demanding the disclosure of personal data, Mendix commits to the following actions:

  1. Employ every reasonable effort to redirect the third party to request data directly from the customer;
  2. Promptly notify the customer, unless prohibited by applicable law. If notification to the customer is prohibited, Mendix will use all lawful efforts to obtain the right to waive the prohibition, aiming to communicate as much information to the customer as soon as possible; and,
  3. Utilize all reasonable lawful efforts to challenge the order for disclosure based on any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the EEA or applicable EEA member state law.

Certifications

Mendix is dedicated to safeguarding and upholding the security and privacy of entrusted data. In pursuit of this commitment, Mendix maintains a robust control environment that aligns with legal requirements and industry standards. Regular independent audits are conducted to validate and ensure the effectiveness of these controls.

Mendix proudly holds ISO/IEC 27001 and ISO/IEC 27701 certifications. ISO/IEC 27701 serves as an extension of ISO/IEC 27001, with controls and principles that resonate with data protection legislation globally. The implementation of an ISO/IEC 27701 Privacy Information Management System aids Mendix in demonstrating compliance with data protection regulations.

See also the Siemens Data Privacy Page for more information. This commitment of Siemens to protect personal data also applies to Mendix.