
What is Heroku Shield?

Heroku Shield is a set of Heroku platform services that offer the additional security features needed for building high-compliance applications. Use Heroku Shield to build HIPAA or PCI* compliant apps for regulated industries, such as healthcare, life sciences, or financial services. Heroku Shield simplifies the complexity associated with regulatory compliance, so you can enjoy the same great developer experience when building, deploying, and managing your high-compliance apps.

How Heroku Shield works

Heroku Shield is available to Heroku Enterprise customers as an additional package. Your Heroku Shield apps run in your own network-isolated Heroku Shield Private Space, using Shield Private Dynos to further enhance security at runtime.

You have the option to add Shield Postgres for highly-compliant data management and Shield Connect to safely sync data between your Shield apps and Salesforce. In addition, Heroku Shield gives you enhanced trust controls, such as Private Space Logging, that greatly simplify compliance auditing while still giving you full control of app configuration and deployment.

An example of setting up a shield space

Why build with Heroku Shield?

Simplify the complexities of regulatory compliance.

Designed to meet industry regulations

Build engaging healthcare apps, fintech apps*, or life sciences apps with secure data services and meet complex regulatory requirements, including HIPAA and PCI*.

Fast setup & deployment

Spin up a HIPAA or PCI* compliant environment in minutes and start deploying your apps with all the ease of the Heroku developer experience using git push heroku master.

Out-of-the-box trust controls

Get additional trust controls, such as: keystroke logging for production access auditing, logging at the space level that you control, encryption at rest for ephemeral data, and strict TLS enforcement.

Securely share data with Salesforce

Extend your CRM capabilities to your Heroku apps and safely share PII data or PHI data with your Salesforce instance, including contacts, account data, and other custom objects.


Components of Heroku Shield

A suite of services with enhanced trust and security.

Shield Private Spaces

Get all the benefits of a network-isolated Heroku Private Space with additional trust controls to deliver high-compliance apps with confidence.

Shield Private Dynos

Shield Private Dynos include an encrypted ephemeral file system and restrict SSL termination from using TLS 1.0 (which is considered vulnerable).

Shield Postgres

Shield Postgres further extends Heroku Postgres to guarantee that your sensitive data is always encrypted both in transit and at rest.

Shield Connect*

Using Heroku Connect's bi-directional synchronization between Salesforce and Shield Postgres, you can share sensitive PII data or PHI data in a high compliance environment.

Learn more about Heroku Shield

Webinars

Building High Compliance Apps using Heroku Shield

See how Heroku Shield helps developers solve many of the challenges of HIPAA compliant app development.

Architecting HIPAA and High Compliance Apps Using Heroku Shield

Learn how to configure a compliance-ready environment and data center in the cloud using Heroku Shield.

From the Blog

Introducing Heroku Shield: Continuous Delivery for High Compliance Apps

Heroku Shield, a new addition to our Heroku Enterprise line of products, offers developers the power and productivity of Heroku for strictly regulated apps.

Announcing PCI Compliance for Heroku Shield

Heroku’s PCI Level 1 Service Provider designation* helps our customers understand how Heroku's systems and human processes work together to safeguard customer data.


*Important note: Heroku Shield Connect is currently not PCI compliant. If you require bi-directional, PCI compliant sync between Heroku Postgres and Salesforce, please contact us and we can help you find the right solution for your needs.