Heroku Security, Privacy, and Compliance
Last updated 12 July 2019
When you build and operate a mission-critical application on Heroku, you are entrusting Salesforce with critical and sensitive data about your business and about your customers. Nothing is more important to us than protecting the privacy of your data and that is why Trust is our number one value.
Shared responsibility model
It takes a team to keep your data safe. Your Heroku applications are stored and executed in a collection of systems operated by a team of people at Heroku. It is Salesforce’s responsibility to architect these systems for optimal security and to implement and enforce effective practices and processes for how our team accesses and operates the systems. Salesforce is also responsible for auditing our vendors to verify their security controls and ensuring that our use of vendor services meets our security standards. Salesforce regularly performs audits and maintains certifications to verify the security of our systems and processes.
As a Heroku customer you are part of the team that keeps your apps safe. You are responsible for implementing strong security measures in your applications and for properly managing access to your Heroku account and resources. Heroku offers a number of security features to help you with this responsibility.
Audits and Certifications
Heroku regularly performs audits and maintains a number of certifications to further strengthen our trust with customers and to enable Heroku customers to build certified applications on the platform. The detailed list of audits and certifications is maintained in the Security Privacy and Architecture (“SPARC”) document for Heroku which is part of the Heroku Enterprise Master Subscription Agreement. These include:
Salesforce has an Attestation of Compliance as a PCI Level 1 Service Provider covering Heroku Shield Services offered as part of Heroku Enterprise. Please contact us at firstname.lastname@example.org to receive more information about Heroku’s PCI certification.
Customers who want to build healthcare applications on Heroku that comply with US HIPAA can contact the Heroku sales team regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance.
Please see the GDPR Dev Center article for details on how EU General Data Protection Regulation is relevant for apps on Heroku.
ISO 27001, 27017, and 27018 Certification
Salesforce has been certified against this set of widely recognized and internationally accepted information security standards that specify security management best practices and comprehensive security controls following ISO 27002. These certifications also cover information security specific to the cloud and the protection of Personally Identifiable Information (PII). For more information, please log a support ticket.
SOC 1, 2, and 3 Attestation Reports
Salesforce has been issued SOC1, 2 and 3 reports by an independent auditor. The SOC1 Type II is an independent examination of the IT General controls and controls around availability, confidentiality and security of customer data processed by the Heroku Platform relevant for the financial reporting of customers. The SOC2 Type 2 is a restricted-use report and an independent examination of the fairness of presentation and the suitability of the design of controls relevant to security, availability and confidentiality of the customer data processed by the Heroku Platform. The general-use SOC3 report is an independent examination of the fairness of presentation and the suitability of the design of controls relevant to security, availability and confidentiality of the customer data processed by the Heroku Platform. For more information, please log a support ticket.
Heroku Security Features
Heroku has a number of basic and advanced features that help you keep your application secure.
Heroku offers basic security features on Personal and Team accounts, including:
- Account-level 2-factor authentication (also available on the free tier)
- Transport security via TLS/SSL and Automated Certificate Management
- Team and basic role-based access for users and applications
- Postgres logical and physical backups and rollback (also available on the free tier)
Additional features are available for Enterprise and Premium tier users, such as:
- More refined access control and roles in Heroku Enterprise
- Single sign-on (SSO) integrated with your organization’s SAML Identity Provider
- Postgres encryption at rest on Standard, Premium, Private and Shield plans
- Secure transport of Salesforce data to Heroku Postgres via Heroku Connect
- Network level isolation and access control based on source IP for apps running in Private Spaces
- Geographic isolation of applications and databases running in Private Spaces
- Isolated and space-enforced log collection in Shield Private Spaces
- Stricter TLS requirements for Heroku apps receiving HTTPS requests in Shield Private Spaces
- Keystroke logging when running interactive heroku run sessions in Shield Private Spaces
Heroku Enterprise customers are encouraged to contact the Customer Solutions Architects team who can provide guidance for how to best implement security measures and how to govern application deployment on Heroku.