Security
The Thinkwise Platform takes care of many of the technical security considerations when dealing with enterprise software development. The platform is designed with security in mind, following Security-by-Design principles. Besides handling authentication and applying model-driven access control, the high-quality runtime components also provide additional protection against abuse.
Read more about our model-driven security by design approach, download our latest penetration test summaries, or review our ISO 27001 and ISO 9001 certification, and more below.

Model-driven Security by Design
ISO 27001 & 9001 Certified
Regular pen-testing for vulnerabilities
Our commitment to security
As our platform is used for developing busines-criticial enterprise applications, data privacy and Security-by-Design have been the driving principles at Thinkwise from the start. To validate the security of our platform, the Thinkwise Platform is regularly tested for security leaks by independent ethical hackers.
Besides securing the platform itself, Thinkwise has also put processes and controls in place to manage or eliminate security risks in its own operations, enabling customers to trust that their confidential data is protected and ensuring that our customers get consistent, high-quality service.

Secure and future proof software
-
Authentication
-
Authorization
-
Runtime interpretation
-
Infrastructure
The process of authentication is fully managed by the Thinkwise Platform
Administrators configure user accounts in the Intelligent Application Manager, the management tool for production environments built using the Thinkwise Platform. There are various supported authentication types. Most types rely on external user stores to verify the user:
- Windows Active Directory
- Azure Active Directory
- Accounts managed by the database.
Mechanisms such as SSPI, Kerberos and OpenID are used by the runtime components to ensure this is done securely. Logging in through Single sign-on is supported out-of-the-box. The Thinkwise Platform can also act as an OpenID provider itself, allowing users to identify themselves to 3rd party applications using the account in the Intelligent Application Manager.
Role-Based Access Control grant users access to different features of the developed application
Roles are a part of the application model. They are coarse-grained bundles of rights on certain model objects. A single role is designed to fully support a certain business activity within the system that can be granted or revoked without side effects.
Furthermore, data filters can be configured for a role that limits the data available to the user. This can be in a static manner (for example, limit Sales invoices to only those with status draft) or in a dynamic manner (limit Sales invoices to only those assigned to the current user).
The Software Factory ensures each individual role is a consistent bundle of model objects. For example, the menu item Approve sales invoices may not be granted to the role while the Sales invoice entity has not been authorized to the role. To achieve this, roles are not limited to CRUD rights on data entities but include rights on UI model objects and process model objects as well. Built-in validations assist the developer in configuring a consistent, secure, and powerful set of roles.
The runtime components of the platform provide additional security
When a user accesses the application, the runtime GUI will load the available model for this user. This is the aggregated model of all assigned roles. This means that unauthorized segments of the model will not even be known to the UI. The UI is not laced with unauthorized, hidden elements.
The same goes for the runtime API. When a user accesses the API of the application, the services and endpoints will be initialized for this specific user based on the assigned roles. There will be no service for an unauthorized entity available to the user.
This model-driven authorization by design approach allows us to leak minimal information about the unauthorized segments of the application. The roles are applied consistently and automatically throughout all tiers of the application. The built-in flexibility to replace runtime components with new versions and even new technologies allows us to adapt to new security standards that are bound to be introduced over time.
The Thinkwise Platform allows customers to deploy their applications as they prefer
The platform is not exclusive to a certain cloud provider or operating system. You can choose to deploy on-premise on Linux servers, in AWS, Azure or Google cloud using their PaaS services or IaaS services. Or simply install the full Thinkwise Platform on your own Windows desktop.
This freedom allows providers of large enterprise systems to satisfy very specific SLA demands of their users. On the flip side, this comes with significant ramifications for the security of your environment. The infrastructure is not the responsibility of the Thinkwise Platform as it is not provided as an aPaas environment.
Security and compliance resources

Latest Pen-Test Report
Thinkwise has mandated IT security firm nSEC/Resilience to perform penetration tests on the platform. This penetration test was expanded with a number of audit-like checks. The results of this white box audit are also
included in this report.