The security features you can configure can be found in the documentation and there aren't very many settings to configure. In my experience, Mendix doesn't comply fully with regulations in a technical way. For example, there is no four-eyes principle to change log levels. You would have to define a process (one person has username and password for an account, a second user has the phone with the two factor authentication key) to handle such situations. Using such an approach, you can create a Mendix application and deployment environment in the standard Mendix cloud that is very near compliant with regulations such as ISO 27002.

Database encryption: there is a single thread about Database Transparent Data Encryption here. It doesn't have an answer, but looking at Microsoft documentation (here - it also answers where your keys would be stored), it would seem this is possible without affecting Mendix. However, this is not possible in the standard Mendix cloud: you would have to create your own deployment environment. Finally, this is not a Mendix option, but a database option.

For specific columns in your database, you can use the Encryption module from the AppStore found here.

You can set session timeouts, see here.

You could fully log user activity, but this would be at the request level. For normal applications, this would have a huge impact on the performance and the size of the log file or database. Furthermore, this is logging on a technical level - if you would want logging at a functional level, you would have to create custom logic for this.