Security Overview
Last Updated: August 27, 2025
Keeping user data safe and secure is a huge responsibility and a top priority for us. We are working hard to protect our users from the latest threats. This guide provides an overview of the measures we take to prevent, detect, and respond to information security incidents, and of our disaster protection and recovery plans. The role of our system security program is to protect our users’ information by reducing the risk of loss of confidentiality, integrity, and availability of that information to an acceptable level.
Certifications & Compliance Standards

ISO/IEC 27001:2018
Mindomo is certified by TUV Austria, confirming that an information security management system meeting the ISO 27001 standard's requirements is in place. View the Certificate

ISO/IEC 27701:2019
Mindomo is certified to ISO 27701 by TUV Austria and is entirely EU-GDPR compliant. This standard sets additional privacy requirements for information management systems. View the Certificate
Data Hosting, Encryption and Network Security
Data Location
Our primary data center is Hetzner Online GmbH, located in Germany, European Union.
Backups
A daily backup of Mindomo databases is stored at Amazon AWS in Frankfurt, Germany. Also, any user can opt to use the Google Drive, OneDrive, Dropbox, and FTP integrations to back up their data. They can connect their Mindomo account to their Google Drive, OneDrive, Dropbox, and/or FTP account and perform a daily backup of all diagrams.
Reliability
- All Customer Content is instantly written to multiple servers.
- Files that our customers upload are stored on multiple servers.
- Our infrastructure is fully redundant and clustered.
- We perform periodic Disaster Recovery testing.
Encryption in Transit
Over public networks, we only send data using strong encryption. We use SSL certificates issued by Sectigo RSA and RapidSSL CA. The connection uses 256-bit encryption. You can check our currently supported ciphers here.
Encryption at Rest
We provide industry-standard encryption for Customer Content as follows:
- Customer content (files, diagram data, and messages) is encrypted with AES 256-bit at rest.
- User passwords are hashed using bcrypt. Passwords created before Aug 2019 that have not been updated since are hashed using MD5.
- Personnel workstations implement full-disk encryption.
Payments and Credit Card Data Storage
All payments made for Mindomo use https://stripe.com (PCI Certified). For additional information, please visit https://stripe.com/privacy. No credit card data or payment-related information is stored on Mindomo servers. We also use www.paypal.com for paying with your PayPal account.
Customer Content Access and Management
We have the following formal procedures in place to limit access to Customer Content:
- Access to Customer Content is limited to Mindomo personnel on a need-to-know basis.
- Mindomo personnel will require your explicit approval whenever they need to access your content.
- Administrator access to Mindomo's production servers is limited and achieved with individually assigned Secure Socket Shell (SSH) keys.
- Mindomo uses a multi-tenant architecture and maintains strict measures designed to prevent Customer Content from being exposed to or accessed by other users.
Network Security
- Our software infrastructure is updated regularly with the latest security patches.
- System access is only possible with public-key authentication.
- Each system uses the safest ciphers and key algorithms available.
- We implement properly configured firewalls, network access controls, and other technical measures designed to prevent unauthorized access to our systems.
- We implement adequate controls to ensure that security patches for systems and applications used to provide the Service are properly assessed, tested, and applied.
- We log privileged access to servers that process Customer Content.
- Independent third-party security experts conduct annual penetration testing of Mindomo.
Physical Security
Our state-of-the-art servers are hosted at Hetzner Online GmbH, an ISO 27001 certified secure data center located in the heart of Nuremberg and in Falkenstein/Vogtland, Germany. Hetzner Online's two data center parks provide excellent, environmentally friendly infrastructure for our product. Multi-redundant network connections to major Internet exchanges ensure fast website access. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides extra protection against unauthorized entry and security breaches.
The data center is protected by video-monitored high-security perimeter fencing around the entire data center park:
- Entry via electronic access control terminals with a transponder key or admission card.
- Ultra-modern surveillance cameras for 24/7 monitoring of access routes, entrances, security door interlocking systems, and server rooms.
Power Supply
- AC: 230V, 16A
- Redundant UPS facilities
- Battery mode: Approx. 15 minutes
- Standby power system
- Diesel power generator for autonomous mode
- Power is supplied via a raised floor system
Climate control
- Energy-efficient direct free cooling
- N+2 redundancy
- Cold aisle containment
- Under-floor air conditioning
- Higher-than-average raised floor system
- Monitoring of air temperature and server/distribution cabinets
DDoS Protection
- Latest hardware appliances
- Sophisticated perimeter security technologies
- An automated system that can protect your web applications, websites, servers, and IT infrastructure
- Attempted botnet communications thwarted
Application Security
Code Security
Our development team carefully reviews all code before release. Developers inspect the logic and data flows of new features to ensure no security vulnerabilities are introduced. We use automated code-checking tools to identify and resolve quality and security issues. Multiple testing methods are employed to ensure the application behaves as expected.
Redundancy and Clustering
Load balancer
To ensure high availability in the event of a disaster, Mindomo offers load balancer failover capability. If a configured load balancer fails, its IP address is transferred to a backup load balancer. External system services manage the transfer of the IP address from the failed load balancer to the backup node.
Application layer
The load balancer distributes user load across multiple application servers. It continuously monitors the servers, and if one fails, it automatically redirects users to an available server. This process is fully automated and requires no user intervention.
Database layer
We utilize three types of data storage, ensuring safe and timely access to user-generated content. We utilize an in-memory datastore for fast loading of user data, a MariaDB database (https://mariadb.org) and a Cassandra (https://cassandra.apache.org) cluster.
MariaDB is configured with a Master-Master architecture. If one of the master nodes fails, the database driver will automatically reroute the traffic to another master node.
By design, Cassandra is a replicated and fault-tolerant system.
Systems Monitoring
Website performance monitoring
For website performance monitoring, we use Pingdom (https://www.pingdom.com). Our public status page for uptimes and response times is available at https://secure-stats.pingdom.com/xja2xu2u4o0b/430732.
System monitoring
System monitoring is provided by Prometheus (https://prometheus.io), a powerful monitoring tool that detects problems and alerts our system administrators before they affect end-users and customers.
By using Prometheus, we:
- Plan for infrastructure upgrades before outdated systems cause failures.
- Respond to issues at the first sign of a problem.
- Automatically fix problems when they are detected.
- Coordinate technical team responses.
How the monitoring system works:
- We configure Prometheus to monitor critical IT infrastructure components, including system metrics, network protocols, applications, services, servers, and network infrastructure.
- Prometheus sends alerts when critical infrastructure components fail and recover, providing us with notifications of important events via email, SMS, or a custom script. Our staff can acknowledge alerts and begin resolving outages and investigating security alerts immediately. Alerts can be escalated to different groups if they are not acknowledged in a timely manner.
- Reports provide a historical record of outages, events, notifications, and alert responses for later review.
- Scheduled downtime prevents alerts during scheduled maintenance and operating system upgrades.
- Trending and capacity planning graphs and reports allow us to identify the necessary infrastructure upgrades before failures occur.
Personnel Management
Mindomo performs employment verification, including proof of identity validation, verification of education records and employment history, and criminal background checks for new hires in positions requiring access to systems and applications storing Customer Content in accordance with applicable Law.
Security Training
Periodic training occurs on security issues and how to prevent/mitigate them for continuous improvement.
Employee Termination
Upon employee termination, whether voluntary or involuntary, Mindomo immediately disables all employee access to Mindomo’s infrastructure.
Conclusion
Over the past 10 years, we’ve seen many companies come and go. It appears that security is no longer just about technology, but also about earning the user’s trust. At Mindomo, we are committed to meeting the needs of our customers and working diligently every day to maintain their trust in our product and services. Longevity and stability are core to our mission at Mindomo.
Want to know more?
Please contact us at support@mindomo.com if you have any other security concerns, and we’ll respond as soon as possible.