Your mock data stays on your machine. Mockoon is local-first, open source, and built with security and privacy at its core.
01 · Architecture
Mockoon is a desktop application. By default, your mock APIs, request data, and responses stay on your computer, they never touch our servers. Cloud sync is opt-in, and you remain in control of what gets synced.
Mockoon runs entirely on your machine. Your mock APIs, request data, and responses live on your computer, they never touch our servers.
Zero telemetry in your apps. The data flowing through your mocks and the responses you build are never reported to us.
Mockoon Cloud is optional. By default you work locally and nothing syncs. Opt in to sync environments across devices and collaborate with your team.
02 · Desktop app
Security practices built into the application itself, protecting every user regardless of plan.
Mockoon desktop and CLI are MIT-licensed. The source code is public and community-auditable, you can verify exactly what runs on your machine.
View on GitHubAutomated dependency scanning on every repository. Critical vulnerabilities are patched promptly and tracked to remediation.
Windows binaries are signed with a certificate, macOS builds are notarized with Apple, and Linux packages are checksum-verified. Your OS can verify authenticity automatically.
No mock content, request bodies, or response data is ever reported to us, and we have no telemetry in the app. We never see your data, and we never track how you use the app.
Privacy PolicyThe desktop app and CLI work with no internet connection. No external servers are required to run your mocks, and you can work fully offline without an account.
All changes to the desktop app, CLI, and cloud services are authorized, tested, reviewed, and approved before being released to production.
03 · Cloud services
For our optional cloud services, accounts, billing, and environment sync, we maintain these practices.
TLS everywhere. Sensitive customer data is encrypted at rest using industry-standard protocols. Secure transmission protocols protect data sent over public networks.
MFA required on all production systems. Privileged access to databases, OS, and networks is restricted to authorized personnel with a business need. Access is reviewed quarterly and revoked on termination.
Documented security and privacy incident response procedures. Incidents are logged, tracked, resolved, and communicated to affected parties. The incident response plan is tested at least annually.
Security PolicyAutomated backups with documented retention. Business Continuity and Disaster Recovery plans are in place and tested at least annually.
Continuous infrastructure and security monitoring with real-time alerting. Intrusion detection, log management, and host-based vulnerability scans are performed regularly.
Penetration testing is performed at least annually. Identified vulnerabilities are tracked to remediation in accordance with defined SLAs.
04 · Sub-processors
Our cloud footprint is deliberately small. We rely on a curated set of trusted, audited providers.
Hosting & Infrastructure
Google Cloud Platform
Managed cloud platform hosting Mockoon Cloud services.
Authentication & Database
Firebase
User authentication and database services. Data encrypted at rest.
Payments
Paddle
Merchant of record for subscriptions. PCI-DSS compliant. We never store card numbers.
AWS SES
Transactional email delivery for account notifications and customer communications.
CDN, DDoS, Security & DNS
Cloudflare
Content delivery network, DDoS protection, web application firewall, and DNS management for our public-facing services.
Source Code, CI/CD & Releases
GitHub
Private repositories with branch protection and code review. Also used for continuous integration, build pipelines, and hosting of release artifacts.
Docker Image Distribution
Docker Hub
Public hosting and distribution of the official Mockoon CLI Docker images.
Windows App Distribution
Microsoft Store
Distribution channel for the Mockoon desktop application on Windows.
Linux App Distribution
Snap Store (Canonical)
Distribution channel for the Mockoon desktop application as a Snap package on Linux.
05 · Compliance
We support customers operating under these privacy and data-protection frameworks.
European Union
California
United Kingdom
Canada
06 · Security controls
The comprehensive set of controls we maintain and monitor to protect your data and ensure the integrity of our service.
Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Firewall access restricted
The company restricts privileged access to the firewall to authorized users with a business need.
Remote access MFA enforced
The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
Intrusion detection system utilized
The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.
Unique production database authentication enforced
The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.
Unique account authentication enforced
The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.
Production application access restricted
System access restricted to authorized access only.
Access control procedures established
The company's access control policy documents the requirements for adding new users, modifying users, and removing an existing user's access.
Production database access restricted
The company restricts privileged access to databases to authorized users with a business need.
Production OS access restricted
The company restricts privileged access to the operating system to authorized users with a business need.
Production network access restricted
The company restricts privileged access to the production network to authorized users with a business need.
Access revoked upon termination
The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
Unique network system authentication enforced
The company requires authentication to the production network to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.
Remote access encrypted enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Log management utilized
The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
Infrastructure performance monitored
An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
Network segmentation implemented
The company's network is segmented to prevent unauthorized access to customer data.
Network firewalls reviewed
The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.
Network firewalls utilized
The company uses firewalls and configures them to prevent unauthorized access.
Network and system hardening standards maintained
The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.
Service infrastructure maintained
The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
Asset disposal procedures utilized
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Portable media encrypted
The company encrypts portable and removable media devices when used.
Anti-malware technology utilized
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
Employee background checks performed
The company performs background checks on new employees.
Performance evaluations conducted
The company managers are required to complete performance evaluations for direct reports at least annually.
Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company's policy.
Production inventory maintained
The company maintains a formal inventory of production system assets.
Code of Conduct acknowledged by contractors
The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.
Code of Conduct acknowledged by employees and enforced
The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.
Confidentiality Agreement acknowledged by contractors
The company requires contractors to sign a confidentiality agreement at the time of engagement.
Confidentiality Agreement acknowledged by employees
The company requires employees to sign a confidentiality agreement during onboarding.
MDM system utilized
The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.
Penetration testing performed
The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.
Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Control self-assessments conducted
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Vulnerability and system monitoring procedures established
The company's formal policies outline the requirements for vulnerability management and system monitoring.
Change management procedures enforced
The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
System changes externally communicated
The company notifies customers of critical system changes that may affect their processing.
System changes communicated
The company communicates system changes to authorized internal users.
Access reviews conducted
The company conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.
Access requests required
The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.
Incident management procedures followed
The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.
Risk assessments performed
The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed.
Third-party agreements established
The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.
Vendor management program established
The company has a vendor management program in place including critical third-party vendor inventory, vendor's security and privacy requirements, and review of critical third-party vendors at least annually.
Vulnerabilities scanned and remediated
Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.
Continuity and Disaster Recovery plans established
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Continuity and disaster recovery plans tested
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Configuration management system established
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Production deployment access restricted
The company restricts access to migrate changes to production to authorized personnel.
Development lifecycle established
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Backup processes established
The company's data backup policy documents requirements for backup and recovery of customer data.
Security policies established and reviewed
The company's information security policies and procedures are documented and reviewed at least annually.
Support system available
The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Incident response plan tested
The company tests their incident response plan at least annually.
Incident response policies established
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
Service description communicated
The company provides a description of its products and services to internal and external users.
Risk assessment objectives specified
The company specifies its objectives to enable the identification and assessment of risk related to the objectives.
Risk management program established
The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.
Data retention procedures established
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Customer data deleted upon leaving
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.
Data classification policy established
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
07 · Documentation
08 · Talk to us
Whether you have questions, need to report a vulnerability, or want to discuss compliance requirements for your organization, we're here to help.