“Cybersecurity is a key ingredient for trust from our customers. It is also the basis for sustainable success and a strong ecosystem.”
—Roland Busch, President & CEO of Siemens AG
Mendix Platform Security
We’ve made security, governance, data privacy, and compliance a priority in every aspect, from our platform and the applications built on it, to our security operations. And because new threats never rest, neither do we.
With a combination of reactive, preventative, and defensive controls, we are continuously making our platform the kind of secure environment you can count on to help you remain competitive.
Compliance is key
A global clientele means understanding and developing our platform with an eye toward maintaining compliance with rules and regulations both internationally and locally. We maintain an extensive roster of certifications, reports, and standards that are available to customers and prospects upon request, such as:
Mendix has a certified Business Continuity Management System in place to safeguard the uptime agreed upon with our customers. Available to customers with an enterprise license, this ensures zero downtime in the case of a Mendix Runtime outage.
How do we do it? Mendix Cloud enables auto-recovery and failover within the same availability zone while user load is balanced over two runtime containers. If a single runtime container were ever to crash, the other runtime container would automatically take over all user requests while the Cloud Foundry Health Manager replaced the crashed runtime container with a new one. Because Mendix has a stateless architecture, end users aren’t impacted, and the period of disruption is shortened.
Mendix Platform Status
Transparency is vital in maintaining customer trust and for that reason, we have a dedicated page for monitoring Mendix Cloud, Mendix Services, and announcing scheduled maintenance dates. Bookmark and check back regularly for the latest updates.
How to Achieve Effective Governance
Generating business value while mitigating risks and overseeing creators seems like a tall order, but it’s entirely possible within the Mendix Platform.
With tools like the Application Quality Monitor (AQM), Automated Test Suite (ATS), and the Application Performance Monitor (APM), you can ensure that your organization is headed in the right direction.
Albaraka Bank chose Mendix because “...with Mendix Security Certifications, we would be able to build with confidence.”
Frequently Asked Questions
When will the new SOC 2 report be published?
The Mendix SOC 2 audit period runs from November 1st until October 31st of the following year. The report is then published in the first week of December following the audit period. Other reports that run on the same schedule include the SOC 1, SOC 3, ISAE 3000, and ISAE 3402 reports.
What’s the difference between SOC 1, 2, and 3?
To put it plainly, a SOC 1 report tells you how accurate a company’s description of its safety and security controls surrounding the handling of financial information is. There are two types of SOC 1 reports: Type 1, which covers the accuracy of that information as of a certain date (a one-time snapshot), and Type 2, which covers the accuracy of that information and the effectiveness of those controls over a certain period of time. Mendix holds the Type 2 report for SOC 1, SOC 2, and SOC 3 assurance reports.
A SOC 2 report, on the other hand, covers the controls surrounding data security as well as how confidential and private the processed information is. Much like SOC 1, there are two types of reports: Type 1 acts as a snapshot in time, whereas Type 2 covers how effective those controls are over a period of time.
A SOC 3 report is essentially the general-use version of the SOC 2 report. It covers the same material as a SOC 2 report in less detail, but it can be freely distributed to the public, whereas the SOC 2 report goes into more depth and is restricted in who it can be distributed to.
How does Mendix encrypt my data?
The Mendix Platform encrypts data at rest and data in transit out of the box. Customers who would like to encrypt their Mendix application data can download the Encryption module, available in the marketplace, which uses the Advanced Encryption Standard (AES).
In what regions is my data stored?
Mendix permits customers to specify the particular geography where their customer data will be stored. Data may be replicated for backup within a selected geographic area for redundancy, but will not be replicated elsewhere, so customer data will stay under local law and data privacy protection acts.
Customers can choose from the following regions. New regions are added based on customer demand:
EU (Frankfurt, Germany)
EU (Dublin, Ireland)
US East (North Virginia)
US West (Oregon)
How is security handled in a Mendix app?
Role-based user access is provided out of the box to all applications built on the Mendix platform. Apps in Mendix can consist of one or more modules; each module contains a functional scope (e.g., orders, customers, items) and is self-contained so that it can be reused in multiple apps. Security aspects can therefore be defined on both levels.
Security settings defined on the application level will apply to all modules within the application, while module-level settings will be specific to each individual module.
Where do you manage the overall security settings for a project in Mendix?
You can manage the security settings for each application in Mendix by navigating to App Explorer > App > Security, where a dialog box will open allowing you to switch on app security. From there you can determine the security needed for modules, entities, etc.