Heroku Security, Privacy, and Compliance
Last updated 20 January 2021
When you build and operate a mission-critical application on Heroku, you are entrusting Salesforce with critical and sensitive data about your business and about your customers. Nothing is more important to us than protecting the privacy of your data, and that is why Trust is our number one value.
Shared responsibility model
Developers around the world entrust sensitive data to Heroku, and nothing is more important to Salesforce than trust and protecting this data. However, protecting your data is a shared responsibility between Salesforce and you, our customer.
Salesforce’s responsibility is to architect systems for optimal security. This means implementing and enforcing effective practices and processes controlling how our team accesses and operates Heroku Services. Salesforce is also responsible for regularly hosting third-party audits of Heroku Services and critical vendors, and maintaining certifications to verify the security of our systems and processes.
As a Heroku customer, you are part of the team that keeps your apps safe. You are responsible for implementing strong security measures in your applications and for properly managing access to your Heroku account and resources. Heroku offers many security features to help you with this responsibility.
Audits and Certifications
Heroku regularly performs audits and maintains a number of certifications to further strengthen our trust with customers and to enable Heroku customers to build certified applications on the platform. The detailed list of audits and certifications is maintained in the Security, Privacy and Architecture (“SPARC”) document for Heroku, which is part of the Heroku Enterprise Master Subscription Agreement. Compliance resources are available on the Salesforce Trust website (Salesforce Services login required) or by logging a ticket. These include:
Salesforce has an Attestation of Compliance as a PCI Level 1 Service Provider covering Heroku Shield Services offered as part of Heroku Enterprise. Customers can contact the Heroku sales team for additional information on Heroku’s PCI compliant offerings.
Customers who want to build healthcare applications on Heroku that comply with US HIPAA can contact the Heroku sales team regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance.
Please see the GDPR Dev Center article for details on how EU General Data Protection Regulation is relevant for apps on Heroku.
ISO 27001, 27017, and 27018 Certification
Salesforce has been certified against this set of widely recognized and internationally accepted information security standards, which specify security management best practices and comprehensive security controls following ISO 27002. These certifications also cover information security specific to the cloud and the protection of Personally Identifiable Information (PII).
SOC 1, 2, and 3 Attestation Reports
Salesforce has been issued SOC 1, 2, and 3 reports by an independent auditor. The SOC 1 Type II report is an independent examination of the IT general controls, and of the controls around availability, confidentiality, and security of customer data processed by the Heroku Platform, that are relevant to the financial reporting of customers. The SOC 2 Type II report is a restricted-use report providing an independent examination of the fairness of presentation and the suitability of the design of controls relevant to the security, availability, and confidentiality of the customer data processed by the Heroku Platform. The general-use SOC 3 report is an independent examination of the fairness of presentation and the suitability of the design of controls relevant to the security, availability, and confidentiality of the customer data processed by the Heroku Platform.
Heroku Security Features
Heroku has a number of customer-configurable features that help you keep your Heroku deployments secure. You can find more information regarding these features in the article Heroku Security & Compliance Resources and Features.
Heroku Enterprise customers are encouraged to contact the Customer Solutions Architects team who can provide guidance for how to best implement security measures and how to govern application deployment on Heroku.