Siemens Industry Software Limited

Mendix Low Code / No Code Application Development Platform

Rapidly build, deploy, and operate any kind of app without constraint. Mendix abstracts and automates every step of the software development lifecycle to give unprecedented time to value. Break the business-IT silos and foster seamless collaboration throughout the development process using the platform's common visual model and effective collaboration tools.

Features

• Low-code IDE for professional developers and no-code for business users
• Built-in collaboration tools throughout the application lifecycle
• Integrate with existing core systems and data sources
• Manage the end-to-end app lifecycle
• Cloud-native architecture by default with high availability
• Multi-cloud portability with one-click
• Web, mobile (native, PWA, hybrid, mobile web), and chatbots
• (WCAG) 2.1 levels A and AA
• Built-in governance and security

Benefits

• Deliver new applications 6-10x faster
• Transition to digital channels with fewer resources and less cost
• Modernise legacy systems and build the flexibility to change
• Improve operational efficiency and exceed cost savings targets by digitising
• Manage shadow IT and meet compliance requirements
• Reduce operational cost with cloud-native architecture by default
• Accelerate decision-making with built-in collaboration tools
• Retain and grow IT talent with an innovative technology

£40 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at brendan.harley@mendix.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

710555741592344

Contact

Brendan Harley
+44 203 925 4060
brendan.harley@mendix.com

Service scope

• Service constraints: None
• System requirements:
  • No system requirements for deploying applications on Mendix Cloud
  • Downloadable Studio Pro IDE: 64-bit Windows 7, 8, and 10.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: For SLAs see: https://www.mendix.com/wp-content/uploads/Mx_ServiceLevelAgreement_v2018-01.pdf?locale=de
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Depending on the platform edition of choice customers will get Gold or Platinum ; ; Support. Support fees are included in the platform fee. ; ; For SLAs see: https://www.mendix.com/wp-content/uploads/Mx_ServiceLevelAgreement_v2018-01.pdf?locale=de ; ; Mendix also offers Premier support for mission critical systems with dedicated support engineers.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Mendix provides a full on-boarding program with our Digital Execution Program to get clients up and running extremely quickly. Mendix offers free online training for all platform users. Our Introduction Course will quickly get your team up to speed so you can build robust and adaptable Mendix applications in days. To explore more advanced features and topics there is free access to online documentation and a very active forum and community. To further build your expertise Mendix provides Expert Webinars that are given by community Experts around platform. In addition to online training Mendix provides (on site) Classroom Training and Certification and Consulting services as detailed in the SFIA document.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Mendix protects your investment in model-driven development, with a fully documented formal meta model. , Mendix provides a Model API & SDK for exporting models including meta data, export to other RAD Platforms, 3GL programming languages (Java, .Net, Python, etc..) and Export to your target architecture (Spring, Hibernate, etc..) Models can be exported at any time and reimported for later use; even after contract end, Mendix models will still run in the Mendix Free Edition
• End-of-contract process: The Mendix contract covers the Mendix platform and runtime services. Any model or application developed and deployed on the platform remains the IP of the customer and as such can be migrated as mentioned above should the contract end. Even after this, the model could be imported and used on the Mendix free edition albeit with limitations on users and uptime.

Using the service

• Web browser interface: Yes
• Using the web interface: The Mendix Platform provides unified access to a: ; - Developer portal for developers to define application projects, assign team members, manage scope and progress. ; - Cloud Portal for DevOps engineers and administrators to manage application deployment and operations.
• Web interface accessibility standard: WCAG 2.1 AAA
• Web interface accessibility testing: Mendix is committed to testing with assistive technology users, for example those with colour blindness or other eyesight impairments. This testing is typically delivered as part of the testing of applications developed on the platform and is therefore customer deployment specific.
• API: Yes
• What users can and can't do using the API: Mendix provides Platform APIs for all relevant steps in the application lifecycle. See: https://docs.mendix.com/apidocs-mxsdk/apidocs/; ; Mendix also provides a Model SDK to access application models from outside. See: https://docs.mendix.com/apidocs-mxsdk/mxsdk/
• API automation tools: Other
• Other API automation tools:
  • Jenkings
  • Microsoft Visual Studio Team Services
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
• Using the command line interface: For on-premises deployments Mendix offers a Windows and Linux console to manage application configuration and deployment.

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: Each application on the Mendix Cloud runs in an application environment on one or more containers and has dedicated resources allocated to the application environment. ; ; So, there is no 'noisy-neighbour' issue.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Application Model
  • Database
  • Backup controls
• Backup controls: A backup of all data (model and database) is made on a daily basis for the Acceptance, Test, and Production Environments. ; ; Backups are stored in secured locations that are geographically dispersed. Backups are available for restore as follows: Nightly Backups: maximum 2 weekshistory (counting from yesterday) Sunday Backups: maximum 3 monthshistory (counting from yesterday) Monthly Backups (1stSunday of each month): maximum 1 yearhistory (counting from yesterday) In addition to the Mendix backup schedule, users can initiate their own backups as desired.; Datacentre setup; Multiple datacentres with disaster recovery; Scheduling backups; Users schedule backups through a web interface; Backup recovery
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Mendix guarantees 99.5% availability of applications running on Mendix Cloud for customers that have bought the Pro edition of the platform.; ; Mendix guarantees 99.95% availability of applications running on Mendix Cloud for customers that have bought the Enterprise edition of the platform, and provided that the Cloud Resource Packs to run the application include the Fallback option for multiple Availability Zones (AZs)
• Approach to resilience: Mendix Cloud Runs on AWS globally, and we make use of AWS multi-AZ options for resilience.; ; In addition, for applications that are scaled horizontally, where the Mendix Runtime Engine runs on multiple containers within an application environment, applications will continue to run if one of the containers would go down.; ; Lastly, for all applications running on the Mendix Cloud, the health manager is checking application availability and will try to auto restart if an application environment would go down.
• Outage reporting: Mendix uses https://status.mendix.com which has an API and generates mail alerts.; ; Mendix has service monitoring per application which is a dashboard for project members and can receive email alerts on outages or issues specifically to your application.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: This can be extended using a customers IDP for authentication. Also within a Mendix Application customers can use any type of security controls before an authorised activity is performed.
• Access restrictions in management interfaces and support channels: IP Filters; MFA; Public key authentication for SSH; Username + password; Integration with SSO (Azure ID) with 2FA; User access review every quarter
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Devices users manage the service through:
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 06/21/2018
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 01042018
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: None
• PCI certification: Yes
• Who accredited the PCI DSS certification: Noordbeek B.V.
• PCI DSS accreditation date: 10/12/2019
• What the PCI DSS doesn’t cover: N/A
• Other security certifications: Yes
• Any other security certifications:
  • ISAE 3402 Type 2
  • ISAE 3000 Type 2
  • Cyber Essentials
  • SOC 1 Type 2
  • SOC 2 Type 2
  • SOC 3 Type 2
  • ISO/IEC 27001
  • ISO/IEC 27017
  • ISO/IEC 27018

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
• Other security governance standards: ISO/IEC 27017 Certification; ISO/IEC 27018 Certification; ISAE 3000 Type II Assurance Report; ISAE 3402 Type II Assurance Report; SOC 1 Type II Assurance Report; SOC 2 Type II Assurance Report; SOC 3 Type II Assurance Report; PCI DSS Level 1 Service Provider Attestation of Compliance; Cyber Essentials (UK)
• Information security policies and processes: CFO is responsible for information security within Mendix and the CISO has a dotted reporting line to the CFO as the CISO falls in the CTO office organization.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Any components used by customers in our cloud follows the change management process. Every change at least has:; - Manager approval; - Is tested; - Peer reviewed; - Has acceptance criteria from management; - Scanned using Veracode, Snyk and SonarQube.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Weekly vulnerability assessments, 13 penetration tests per year, HackerOne managed responsible disclosure and HackerOne managed bug bounty.; Times are aligned with NIST 800-53.; Multiple sources are used, US-CERT, Snyk, VeraCode, Tenable.IO, HackerOne.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Mendix uses AWS as service provider which has identification capabilities for potential compromises, Mendix deployed Wazuh on cloud nodes to identify potential compromises.; Mendix follows it's security incident management policy which is based on NIST 800-61.; Within 36 hours we report towards the customer about such incidents.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Mendix has multiple pre-defined processes in place for incident management which are part of our ISAE 3402 report.; Using our support portal.; Informing the technical contact of a Mendix Application.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: Mendix Cloud is based on Cloud Foundry technology that runs on the IaaS layer of Amazon Web Services. A Mendix application will run in an isolated container provided by Cloud Foundry.; ; See: https://www.mendix.com/evaluation-guide/enterprise-capabilities/cloud-architecture
• How shared infrastructure is kept separate: Within the Mendix Cloud, the logical term “environment” is used to describe the application isolation. Each application runs in an environment, and is fully separated from other apps for computing, memory, and storage. A Mendix app runs on one or more Mendix Runtime Engine instances within the environment (where the environment is dedicated to a single application). Also, for each application, a dedicated database and S3 bucket is provisioned, in order to have full isolation on the data level as well.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Mendix utilises AWS to host its platform. AWS states that hosting in the cloud represents an 84% reduction in the amount of power required.

Pricing

• Price: £40 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: When we say free, we mean free. No hidden fees, no commitment, no credit card required. The free edition includes everything you need to design, build, and deploy demos, prototypes, or small applications. It includes a deployment environment for each application with unlimited users.
• Link to free trial: https://signup.mendix.com/link/signup

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at brendan.harley@mendix.com. Tell them what format you need. It will help if you say what assistive technology you use.