...

Security Assessments and Compliance

Data Centers

Our physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

...

We use the PCI-compliant payment processor Braintree for encrypting and processing credit card payments. Our infrastructure provider is PCI Level 1 compliant.

...

Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. The infrastructure utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

...

Stored data can be encrypted by customer applications in order to meet data security requirements. Customers can implement data storage, key management, and data retention requirements when developing their application.

Add-ons

Customers can extend the functionality of applications by using Heroku Add-ons. Add-ons are offered and managed by third-party companies, which implement their own security controls and processes.

For additional information see: https://addons.heroku.com

System Security

System Configuration

...

Our vulnerability management process is designed to remediate risks without customer interaction or impact. Heroku and Atlassian are notified of vulnerabilities through internal and external assessments, system patch monitoring, and third-party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to Heroku’s environment, ranked based on risk, and assigned to the appropriate team for resolution.

...

Your configuration and meta-information is backed up every minute to the same high-durability, redundant infrastructure used to store your database information. These frequent backups allow capturing changes made to the running application configuration added after the initial deployment.

...

Platform

From our instance images to our databases, each component is backed up to secure, access-controlled, and redundant storage.  Our platform allows for recovering databases to within seconds of the last known state, restoring system instances from standard templates, and deploying customer applications and data.  In addition to standard backup practices, Heroku’s infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances and reducing the likelihood of needing to restore from backup.

...

Our platform automatically restores customer applications and Heroku Postgres databases in the case of an outage. The Heroku platform is designed to dynamically deploy applications within the Heroku cloud, monitor for failures, and recover failed platform components including customer applications and databases.

...

Platform

The Heroku platform is designed for stability and scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups. We review platform issues to understand the root cause and the impact to customers, and to improve the platform and processes.

...

We take steps to protect the privacy of our customers and protect data stored within the platform. Some of the protections inherent to Heroku’s products include authentication, access controls, data transport encryption, HTTPS support for customer applications, and the ability for customers to encrypt stored data. For additional information see: https://www.heroku.com/policy/privacy

Access to Customer Data

Our staff does not access or interact with customer data or applications as part of normal operations. There may be cases where we are requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by our staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time.

...

Our security team is led by the Chief Information Security Officer (CISO) and includes staff responsible for application and information security. The security team works closely with the entire Heroku organization and customers to address risk and continue our commitment to trust.

Customer Security Best Practices

...

Apply development best practices for your chosen development language and framework to mitigate known vulnerability types such as those on the OWASP Top 10 Web Application Security Risks.

...

To prevent unauthorized account access, use a strong passphrase for both your Heroku user account and SSH keys, store SSH keys securely to prevent disclosure, replace keys if lost or disclosed, and use Heroku’s RBAC model to invite contributors rather than sharing user accounts.

Logging

Logging is critical for troubleshooting and investigating issues. We provide you with three main options for interacting with your system, application, and API logs. Customers can receive all 3 types of logs via syslog from the Heroku platform, choose to send logs to a Heroku add-on, or interact with logs in real-time through the Heroku client.

For additional technical information see: https://devcenter.heroku.com/articles/logging

Use of Third-Party Solutions

In developing your application on Heroku, you may choose to use third-party services for added functionality such as Amazon’s S3, an email service provider, or any of our add-on partners. Be mindful of the data shared with these providers and their security practices just as you would be with Heroku.