Mendix Technology Limited

Mendix Rapid Application Development Platform

Mendix is the fastest and easiest platform to build and continuously improve Mobile and Web apps at scale. It is the only high productivity application platform (hpaPaaS) that provides a comprehensive, integrated set of tools for the entire application life cycle (ALM), from ideation and development through deployment and operation.


  • Low Code - Deliver 10x faster than traditional methods.
  • Mobile and Multi-Channel Apps - Build once, run across platforms.
  • Smart and Connected - Leverage new technologies, integrate any system.
  • DevOps - Continuous delivery with built-in DevOps and platform APIs.
  • Cloud Native - Stateless architecture with self-service scaling and HA.
  • Multi-cloud Deployment - Deploy in the cloud of your choice.
  • Quality Assurance - Proactively monitor quality and automate functional testing.
  • Security - Build apps that automatically adhere to the highest standards.
  • Openness - Benefit from APIs and open standards at every level.
  • Extensibility - Seamlessly extend your applications with custom code.


  • Achieve unprecedented time to value with 10x higher productivity.
  • Go fast without putting critical business functions at risk.
  • Build Web, Mobile and tablet apps that exceed business expectations
  • Build Smart Apps with actionable insights and increase business velocity
  • Employ openness at every level, reducing integration costs
  • Business users can create applications with no prior coding experience
  • Allow Business and IT to collaborate to speed app development


£7 per user per month

Service documents

G-Cloud 10


Mendix Technology Limited

Nick Spodofora


Service scope

Service constraints None, please refer to system requirements.
System requirements
  • Desktop Browser: IE, Firefox, Chrome, Safari, Edge
  • Mobile Browser: iOS 9+, Android 4.4+, Windows Phone 8+
  • Mendix Modeler: Windows 7, 8, 10

User support

Email or online ticketing support Email or online ticketing
Support response times Priority Timeframe
Critical: < 1 hour
High: < 2 Extended Office Hours
Medium: End of next Business Day
Low: End of next Business Day
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Mendix Platform Support is offered 24/7, 52 weeks per year via the Mendix Support Portal, Mendix Community Forum and Telephone

Mendix also provides a Customer Success Manager who is responsible for ensuring the success of clients' implementations and projects.
Support available to third parties Yes

Onboarding and offboarding

Getting started Mendix provides a full on-boarding program with our Digital Execution Program to get clients up and running extremely quickly.

Mendix offers free online training for all platform users. Our Introduction Course will quickly get your team up to speed so you can build robust and adaptable Mendix applications in days. To explore more advanced features and topics, there is free access to online documentation and a very active forum and community. To further build your expertise, Mendix provides Expert Webinars given by community experts around the platform.

In addition to online training Mendix provides (on site) Classroom Training and Certification and Consulting services as detailed in the SFIA document.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats Video Training
End-of-contract data extraction Mendix protects your investment in model-driven development, with a fully documented formal meta model. Details can be found at

In addition to this, Mendix provides a Model API & SDK for exporting models including metadata, export to other RAD platforms and 3GL programming languages (Java, .Net, Python, etc.), and export to your target architecture (Spring, Hibernate, etc.).

Models can be exported at any time and reimported for later use; even after contract end, Mendix models will still run in the Mendix Free Edition
End-of-contract process The Mendix contract covers the Mendix platform and runtime services. Any model or application developed and deployed on the platform remains the IP of the customer and as such can be migrated as mentioned above should the contract end.
Even after this, the model could be imported and used on the Mendix free edition albeit with limitations on users and uptime.

Using the service

Web browser interface Yes
Using the web interface The Mendix 'Home' Portal environment provides a set of capabilities for ideation, requirements capture, creation, deployment, monitoring and ongoing management of applications.
Designed to simplify every step of the application lifecycle through a collaborative, role based web portal, Mendix home provides tools for both business and IT users to deliver applications with unrivalled speed to market.
In addition to the platform itself, all apps created within Mendix are also accessible through web or mobile interfaces.
Web interface accessibility standard None or don’t know
How the web interface is accessible Mendix is committed to providing support for all users, including those with special needs. Due to the dynamic, client-side nature of Mendix applications, however, the WCAG standard is not appropriate; our goal is to conform to WAI-ARIA.

The Web Accessibility Initiative for Accessible Rich Internet Applications (WAI-ARIA) has been an official W3C recommendation since March 2014.

In addition to the above, Mendix provides an implementation of the UK Government Front end Kit providing compliance to .gov UI/UX standards.
Web interface accessibility testing Mendix is committed to testing with assistive technology users, for example those with colour blindness or other eyesight impairments. This testing is typically delivered as part of the testing of applications developed on the platform and is therefore customer deployment specific.
What users can and can't do using the API Mendix provides 2 levels of API, both of which are completely public, open and fully documented.

Application-level APIs. Every application built using the Mendix platform has powerful API options and every element of the application model can be easily provided as part of the API through REST or SOAP services.

Platform-level APIs. The core platform functionality is accessible through APIs, which allow developers to access and integrate Mendix with other tools and applications—for example, build and deploy APIs to support continuous integration.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
Other API automation tools Jenkins
API documentation Yes
API documentation formats
  • HTML
  • PDF
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface Mendix offers a command line interface to many aspects of the platform, from installation to server management and monitoring, package build and deploy, etc.

The m2ee command line tool can be used to connect to the Mendix Runtime, issuing commands like setting log levels, asking how many users are logged in, showing currently running actions inside the application, or even telling it to shut down.

The MxBuild command line can be used to deploy and build a Mendix Deployment Package from a Mendix Project. MxBuild can be used to manually instigate a package build or run 'as a service' waiting for a post message instructing it what to build.


Scaling available Yes
Scaling type Manual
Independence of resources Resources are independent for each customer.
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics Application metrics are configurable and exposed through OData
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Application Model
  • Database
Backup controls A backup of all data (model and database) is made on a daily basis for the Acceptance, Test, and Production Environments. Backups are stored in secured locations that are geographically dispersed. Backups are available for restore as follows:

Nightly Backups: maximum 2 weeks history (counting from yesterday)
Sunday Backups: maximum 3 months history (counting from yesterday)
Monthly Backups (1st Sunday of each month): maximum 1 year history (counting from yesterday)

In addition to the Mendix backup schedule, users can initiate their own backups as desired.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users schedule backups through a web interface
Backup recovery Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Mendix guarantees 99.9% availability of the Cloud Services on which the Application Model runs in Production. Maintenance windows, force majeure, disruptions in third party webservices, internet outages and other circumstances beyond Mendix’s reasonable control are excluded.
Approach to resilience Mendix Cloud hosting is built upon multiple datacenters and/or IaaS providers to provide resilience. Furthermore, disaster recovery procedures and testing are in place and part of Mendix security framework which is independently assessed by an external auditor (ISAE3402).
Outage reporting Mendix provides a public dashboard and email alerts to report outages. This dashboard can be found at

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels The Cloud Portal allows administrators to manage users (defined in MxID) and configure role-based access for users to environments to deploy and manage apps. The Cloud Portal security interface is integrated into the project dashboard, so you have a 360° view of all access rights for a specific person within the context of an app. Mendix enforces the segregation of duties between (at least) the developer and application administrator, whose roles are both safeguarded using personal accounts. Mendix will not allow you to configure a general management account, to ensure that all actions are traceable to a person.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Ernst & Young
ISO/IEC 27001 accreditation date 09/02/2018
What the ISO/IEC 27001 doesn’t cover Please refer to the Mendix ISO/IEC 27001:2013 certificate, which is made available to Mendix customers and prospects upon request and under NDA.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISAE 3402 Type II Assurance Report
  • SOC1 Type II Assurance Report

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Mendix has adopted 46 security controls from the ISO27001:2013 ISMS (Information Security Management System). These security controls are assessed by an independent auditor and disclosed in an ISAE3402 Type II assurance report.
Information security policies and processes All employment and contractor agreements shall include a clause for the employee or contractor to comply with Mendix policies, including Mendix Information Security Policy

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Code changes are peer-reviewed first including mandatory unit tests. Then automated tests are run and manual exploratory testing is done by a tester. If all tests pass, the change is merged to master.
Mendix monthly releases follow a two-week process where a nightly build is followed by a code freeze on day 1 and then 1 week of regression, performance and security testing. On day 7 a new nightly build is created and labeled as Release Candidate. This RC goes through one week of integration testing and manual exploratory testing before it is released to the public on day 14.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Mendix performs regular vulnerability scans on the Mendix Cloud infrastructure and the Mendix corporate network.
To allow for pro-active vulnerability management, product managers and the Information Security Officer follow multiple security RSS feeds, newsletters and websites of information security interest groups.
Furthermore, the Mendix Platform and Mendix Cloud hosting infrastructure undergo regular penetration tests performed by a third-party vendor specialised in information security. Mendix issues these penetration tests at least once per year to ensure it meets the highest security standards. This testing is part of the Mendix security controls, which are independently assessed and disclosed in our ISAE3402 Type II report.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Mendix detective security controls include, but are not limited to: active monitoring of log files, configuration changes and network anomalies.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Incidents need to be reported by submitting tickets via the Mendix Support Portal. This enables all required information to be properly logged, so that incidents can be addressed in the fastest and most efficient manner. The support portal provides all information about the progress and status of reported incidents. In addition to the portal, the support phone is available to directly communicate regarding any support-related questions. Critical incidents reported in the Mendix Support Portal have to be followed by a phone call to the support phone in order to immediately determine the best communication line while handling the ticket.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used Other
Other virtualisation technology used Xen
How shared infrastructure is kept separate Each Mendix Application consists of an acceptance and a production environment (and optionally a test environment). Each of these environments is a Mendix App Environment. A Mendix App Environment is a grouping of a dedicated virtual application server (Mendix Business Server) and a dedicated virtual database server. Each Mendix App Environment includes host-based firewalls, web server, and database services and is logically isolated from other environments.

Energy efficiency

Energy-efficient datacentres No


Price £7 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The Mendix free trial version contains the full capability to gather ideas, plan and model applications through 1-click deployment and operation.
It contains up to 10 users with a small container; the application goes dormant after 1.5 hours of inactivity and automatically resumes when the application is launched. Excludes add-ons.
Link to free trial


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document