Data policies enable organizations to classify sensitive data across their Mendix application portfolio and continuously validate access rights.

April 13, 2026 – Blue Storm, the leading provider of Mendix governance solutions, today announced the release of AppControl v2026.3, introducing Data Policy Management — a new capability that enables organizations to classify sensitive data across their Mendix application portfolio and continuously validate that access rights are correctly configured and enforced.

As low-code and AI-driven development accelerates, the risk of accidental data exposure grows with it. Recent research by the Dutch Institute for Vulnerability Disclosure (DIVD) confirmed what many in the Mendix community already knew: authorization misconfiguration — overly permissive anonymous access, incorrect role mappings, and insufficiently constrained entity access — is a structural and widespread problem across Mendix applications. These are not platform vulnerabilities. They are governance failures, and they require a governance solution.

AppControl has long provided policy checks targeting exactly these failure modes — validating entity access rules, module role assignments, and user role configurations as part of its continuous governance framework. With v2026.3, these capabilities are significantly expanded.

Introducing Data Policy Management

Data Policy Management gives development and platform teams a structured way to classify data at the entity and attribute level, and to continuously validate that access rights are consistent with those classifications. Organizations can define data sensitivity levels — from public to highly confidential — flag personal data, and let AppControl enforce that no role grants access beyond what the data classification allows.

This means that misconfigured anonymous access to sensitive entities, overly broad default user rights, and excessive system administrator permissions are no longer discovered in a pentest. They are caught automatically, continuously, and before they reach production.

“The DIVD findings were a wake-up call for many Mendix teams, but not a surprise to us,” said Andrew Whalen, founder of Blue Storm. “We’ve been telling our customers for years that authorization governance needs to be continuous — not a quarterly checkbox. With Data Policy Management, we’re giving every Mendix organization the tooling to make that a reality. You define what sensitive looks like in your context, and AppControl makes sure your apps stay that way.”

New Policy Checks in v2026.3

Six new automated policy checks ship with this release, directly addressing the authorization patterns identified in the DIVD research:

  • APP_0014 — Data is classified
  • DOM_0009 — Module roles are validated
  • APP_0015 — User roles are validated
  • APP_0007 — Anonymous role is restricted
  • APP_0016 — Default user role is restricted
  • APP_0008 — System administrator role is restricted

These checks run continuously across the entire Mendix landscape, providing real-time assurance that access controls remain correctly configured as applications evolve.

Release Highlights

  • Data Policy Management — Classify data at entity and attribute level and validate access rights against classification rules across the entire application portfolio.
  • Six New Policy Checks — Automated, continuous validation of anonymous access, default user rights, system administrator scope, module roles, and user roles.
  • Hardened Entity Access — Internal entity access in AppControl itself has been reviewed and tightened.
  • Manually Acknowledge Alerts — Users can now acknowledge alerts directly, providing greater control over alert management workflows.
  • Re-check Revisions on Demand — Users can now manually trigger a re-check on any revision, providing immediate feedback without waiting for the next scheduled scan.


About AppControl

AppControl is the continuous governance platform for low-code and AI development. Built for platform, governance, and DevOps teams, AppControl simplifies oversight, enforces compliance, and provides end-to-end visibility across the full low-code application lifecycle: Develop, Deploy, Monitor, and Control. Purpose-built for Mendix and designed to scale across the modern low-code and AI landscape, AppControl’s real-time governance controls and fine-grained access roles empower organizations to answer once and for all: “Are you in control?”

For more information, visit www.bluestorm.io/appcontrol.


About Blue Storm

Blue Storm specializes in continuous governance solutions for low-code and AI development, empowering platform, governance, and DevOps teams to manage application portfolios with confidence, control, and compliance. With deep roots in the Mendix ecosystem, Blue Storm delivers innovative tooling designed to meet the evolving needs of enterprises building at scale with low-code and AI.