Heroku data services now accept customer-managed encryption keys
Change effective on 06 May 2020
With Bring Your Own Key (BYOK), create a key in your AWS KMS account to encrypt your Heroku Private or Shield data service, its backups, and any forks and followers. Disable the key to render your data inaccessible.
Use of this feature is optional. Heroku continues to create and manage the key lifecycle for our data services.