IR-06 (02) Vulnerabilities Related To Incidents

Last modified: July 15, 2026

Introduction

This document describes how Private Mendix Platform fulfills the IR-06 (02) control.

Control ID IR-06 (02)
Control category IR - Incident Response
Requirement baseline IL4
Responsibility and ownership Mendix - Private Mendix Platform, Mendix - Operator, Customer - Infra

Control

The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.

Responsibility

Mendix Responsibility

Mendix is responsible to address and respond to vulnerabilities and security incidents related to Mendix products that are reported to Mendix, in accordance with applicable regulations and following the Mendix security incident and vulnerability response policy.

Customer Responsibility

The customer is responsible for specifying the recipients to whom information system vulnerabilities and security incidents should be reported.

Guidance

Mendix Responsibility

Mendix will respond to information system vulnerabilities and incidents caused by Mendix products and reported to Mendix in compliance with appropriate regulations and in alignment with our security incident and vulnerability response policy.

Customer Responsibility

It is the responsibility of the customer to indicate who should receive reports about information system vulnerabilities and security incidents.

It is the responsibility of the Infra Implementer, App Implementer, Infra Operator, and App Operator to report information system vulnerabilities associated with reported security incidents to whomever the customer indicates.

Proof and Remarks

Details about the Mendix security incident response are available in Section IV of the SOC-2 report in Conveyor.