Siemens Industry Software Limited

Mendix Rapid Application Development Platform

Mendix is the fastest and easiest platform to build and continuously improve Mobile and Web apps at scale. It is the only high productivity application platform (hpaPaaS) that provides a comprehensive, integrated set of tools for the entire application life cycle (ALM), from ideation and development through deployment and operation.


  • Low Code - Deliver 10x faster than traditional methods.
  • Mobile and Multi-Channel Apps - Build once, run across platforms.
  • Smart and Connected - Leverage new technologies, integrate any system.
  • DevOps - Continuous delivery with built-in DevOps and platform APIs.
  • Cloud Native - Stateless architecture with self-service scaling and HA.
  • Multi-cloud Deployment - Deploy in the cloud of your choice.
  • Quality Assurance - Proactively monitor quality and automate functional testing.
  • Security - Build apps that automatically adhere to the highest standards.
  • Openness - Benefit from APIs and open standards at every level.
  • Extensibility - Seamlessly extend your applications with custom code.


  • Achieve unprecedented time to value with 10x higher productivity.
  • Go fast without putting critical business functions at risk.
  • Build Web, Mobile, tablet apps that exceed business expectations
  • Build Smart Apps with actionable insights and increase business velocity
  • Employ openness at every level, reducing integration costs
  • Business users can create applications with no prior coding experience
  • Allow Business and IT to collaborate to speed app development


£7 per user per month

Service documents


G-Cloud 11

Service ID

5 2 4 5 9 4 6 7 5 9 5 3 7 6 7


Siemens Industry Software Limited

Nick Spodofora


Service scope

Service constraints
None, please refer to system requirements.
System requirements
  • Desktop Browser: IE, Firefox, Chrome, Safari, Edge
  • Mobile Browser: iOS 9+, Android 4.4+, Windows Phone 8+
  • Mendix Modeler: Windows 7, 8, 10

User support

Email or online ticketing support
Email or online ticketing
Support response times
As a standard Mendix Support operates between 9am and 5pm Monday to Friday. Response times are determined by the criticality of the issue. Critical issues will be resolved within 4 hours, High impact issues within 8 hours and Medium Impact issues by the next working day. 24/7 Support is available.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Our web chat functionality is provided by Details of their testing can be found here:
Onsite support
Yes, at extra cost
Support levels
Mendix Platform Support can offer support 24/7, 52 weeks per year, via the Mendix Support Portal, Mendix Community Forum and telephone.

Mendix also provides a Customer Success Manager who is responsible for ensuring the success of clients' implementations and projects.
Support available to third parties

Onboarding and offboarding

Getting started
Mendix provides a full on-boarding program with our Digital Execution Program to get clients up and running extremely quickly.

Mendix offers free online training for all platform users. Our Introduction Course will quickly get your team up to speed so you can build robust and adaptable Mendix applications in days. To explore more advanced features and topics, there is free access to online documentation and a very active forum and community. To further build your expertise, Mendix provides Expert Webinars given by community experts on the platform.

In addition to online training Mendix provides (on site) Classroom Training and Certification and Consulting services as detailed in the SFIA document.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Mendix protects your investment in model-driven development, with a fully documented formal meta model. Details can be found at

In addition to this, Mendix provides a Model API & SDK for exporting models, including metadata, to other RAD platforms, to 3GL programming languages (Java, .NET, Python, etc.) and to your target architecture (Spring, Hibernate, etc.).

Models can be exported at any time and reimported for later use; even after contract end, Mendix models will still run in the Mendix Free Edition
End-of-contract process
The Mendix contract covers the Mendix platform and runtime services. Any model or application developed and deployed on the platform remains the IP of the customer and as such can be migrated as mentioned above should the contract end.
Even after this, the model could be imported and used on the Mendix free edition albeit with limitations on users and uptime.

Using the service

Web browser interface
Using the web interface
The Mendix 'Home' Portal environment provides a set of capabilities for ideation, requirements capture, creation, deployment, monitoring and ongoing management of applications.
Designed to simplify every step of the application lifecycle through a collaborative, role based web portal, Mendix home provides tools for both business and IT users to deliver applications with unrivalled speed to market.
In addition to the platform itself, all apps created within Mendix are also accessible through web or mobile interfaces.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Mendix is committed to providing support for all users, including those with special needs. However, due to the dynamic, client-side nature of Mendix applications, the WCAG standard is not appropriate; our goal is to conform to WAI-ARIA.

The Web Accessibility Initiative for Accessible Rich Internet Applications (WAI-ARIA) has been an official W3C recommendation since March 2014.

In addition to the above, Mendix provides an implementation of the UK Government Front end Kit providing compliance to .gov UI/UX standards.
Web interface accessibility testing
Mendix is committed to testing with assistive technology users, for example those with colour blindness or other eyesight impairments. This testing is typically delivered as part of the testing of applications developed on the platform and is therefore customer deployment specific.
What users can and can't do using the API
Mendix provides 2 levels of API, both of which are completely public, open and fully documented.

Application-level APIs. Every application built using the Mendix platform has powerful API options and every element of the application model can be easily provided as part of the API through REST or SOAP services.

Platform-level APIs. The core platform functionality is accessible through APIs, which allow developers to access and integrate Mendix with other tools and applications—for example, build and deploy APIs to support continuous integration.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
Other API automation tools
API documentation
API documentation formats
  • HTML
  • PDF
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface
Mendix offers a command line interface to many aspects of the platform, from installation to server management and monitoring, package build and deploy, etc.

The m2ee command line tool can be used to connect to the Mendix Runtime and issue commands such as setting log levels, asking how many users are logged in, showing currently running actions inside the application, or even telling it to shut down.

The MxBuild command line can be used to deploy and build a Mendix Deployment Package from a Mendix Project. MxBuild can be used to manually instigate a package build or run 'as a service' waiting for a post message instructing it what to build.


Scaling available
Scaling type
Independence of resources
Resources are independent for each customer.
Usage notifications
Usage reporting
  • Email
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
Application metrics are configurable and exposed through OData
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Application Model
  • Database
Backup controls
A backup of all data (model and database) is made on a daily basis for the Acceptance, Test, and Production Environments. Backups are stored in secured locations that are geographically dispersed. Backups are available for restore as follows:

Nightly Backups: maximum 2 weeks history (counting from yesterday)
Sunday Backups: maximum 3 months history (counting from yesterday)
Monthly Backups (1st Sunday of each month): maximum 1 year history (counting from yesterday)

In addition to the Mendix backup schedule, users can initiate their own backups as desired.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Mendix guarantees 99.9% availability of the Cloud Services on which the Application Model runs in Production. Maintenance windows, force majeure, disruptions in third party webservices, internet outages and other circumstances beyond Mendix’s reasonable control are excluded.
Approach to resilience
Mendix Cloud hosting is built upon multiple datacenters and/or IaaS providers to provide resilience. Furthermore, disaster recovery procedures and testing are in place and part of Mendix security framework which is independently assessed by an external auditor (ISAE3402).
Outage reporting
Mendix provides a public dashboard and email alerts to report outages. This dashboard can be found at

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels
The Cloud Portal allows administrators to manage users (defined in MxID) and configure role-based access for users to environments to deploy and manage apps. The Cloud Portal security interface is integrated into the project dashboard, so you have a 360° view of all access rights for a specific person within the context of an app. Mendix enforces the segregation of duties between (at least) the developer and application administrator, whose roles are both safeguarded using personal accounts. Mendix will not allow you to configure a general management account, to ensure that all actions are traceable to a person.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Please refer to the Mendix ISO/IEC 27001:2013 certificate, which is made available to Mendix customers and prospects upon request and under NDA.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISAE 3402 Type II Assurance Report
  • SOC1 Type II Assurance Report

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Mendix has adopted 46 security controls from the ISO27001:2013 ISMS (Information Security Management System). These security controls are assessed by an independent auditor and disclosed in an ISAE3402 Type II assurance report.
Information security policies and processes
All employment and contractor agreements shall include a clause for the employee or contractor to comply with Mendix policies, including the Mendix Information Security Policy.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Code changes are first peer-reviewed, including mandatory unit tests. Then automated tests are run and manual exploratory testing is done by a tester. If all tests pass, the change is merged to master.
Mendix monthly releases follow a two-week process where a nightly build is followed by a code freeze on day 1 and then 1 week of regression, performance and security testing. On day 7 a new nightly build is created and labeled as Release Candidate. This RC goes through one week of integration testing and manual exploratory testing before it is released to the public on day 14.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Mendix performs regular vulnerability scans on the Mendix Cloud infrastructure and the Mendix corporate network.
To allow for pro-active vulnerability management, product managers and the Information Security Officer follow multiple security RSS feeds, newsletters and websites of information security interest groups.
Furthermore, the Mendix Platform and Mendix Cloud hosting infrastructure undergo regular penetration tests performed by a third-party vendor specialised in information security. Mendix issues these penetration tests at least once per year to ensure it meets the highest security standards. The tests are part of the Mendix security controls, which are independently assessed and disclosed in our ISAE3402 Type II report.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Mendix detective security controls include, but are not limited to: active monitoring of log files, configuration changes and network anomalies.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Incidents need to be reported by submitting tickets via the Mendix Support Portal. This enables all required information to be properly logged and incidents to be addressed in the fastest and most efficient manner. The support portal provides all information about the progress and status of reported incidents. In addition to the portal, the support phone is available to directly communicate regarding any support related questions. Critical incidents reported in the Mendix Support Portal have to be followed by a phone call to the support phone in order to immediately determine the best communication line while handling the ticket.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Other virtualisation technology used
How shared infrastructure is kept separate
Each Mendix Application consists of an acceptance and a production environment (and optionally a test environment). Each of these environments is a Mendix App Environment. A Mendix App Environment is a grouping of a dedicated virtual application server (Mendix Business Server) and a dedicated virtual database server. A Mendix App Environment includes host-based firewalls, web server and database services, and is logically isolated from other environments.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
Mendix utilises AWS for its cloud services. More details regarding their sustainability can be found here


£7 per user per month
Discount for educational organisations
Free trial available
Description of free trial
The Mendix free trial version contains the full capability to gather ideas, plan and model applications through 1-click deployment and operation.
It contains up to 10 users with a small container, and the application goes dormant after 1.5 hours of inactivity and automatically resumes when the application is launched. Excludes add-ons.
Link to free trial
