Is Heroku HIPAA Compliant? BAA, Shield Tier, and What You Need to Know (2026)
Overview of Heroku Shield Tier
Heroku can support HIPAA-eligible workloads when you deploy on the Heroku Shield tier and execute a Business Associate Agreement (BAA). Shield is a hardened, enterprise runtime designed to help you handle Protected Health Information (PHI) by combining Shield Private Spaces, HIPAA-eligible data services, and operational safeguards aligned to the HIPAA Security Rule.
It is important to note that HIPAA is not a compliance certification: there is no official HIPAA seal and no vendor can be "certified" HIPAA compliant. Instead, Heroku provides technical and administrative controls, such as network isolation and data encryption, that you configure and operate to meet your own obligations under the HIPAA Security Rule.
In short: with Shield plus a signed BAA and correct configuration, Heroku is suitable for processing, storing, and transmitting Protected Health Information (PHI). Without those, it is not.
Business Associate Agreement Requirements
A BAA is mandatory before any PHI touches your Heroku environment. The BAA sets roles and responsibilities, defines permitted uses and disclosures of PHI, and establishes requirements for safeguards, breach notifications, and subcontractor management.
What the BAA typically covers
- Scope limited to HIPAA-eligible Shield services and components.
- Heroku’s responsibilities for platform security controls and incident response.
- Your responsibilities for application-layer controls, access management, and data governance.
What it does not cover
- Non-Shield services, community add-ons, or external systems lacking their own BAAs.
- Misconfigurations that expose PHI (for example, logging PHI or using public endpoints unnecessarily).
How the BAA process usually works
- Engage your Salesforce/Heroku account team as an Enterprise customer.
- Review and execute the BAA and related enterprise terms.
- Enable Shield features and restrict PHI only to Shield-designated services after signature.
Shield Tier Services and Features
Core Shield services
- Shield Private Spaces: dedicated, isolated runtime providing Network Isolation and private routing.
- Shield Dynos: application containers that run inside Shield Private Spaces with additional operational safeguards.
- Shield Postgres: HIPAA-eligible managed database with encryption at rest, automated backups, and restricted access paths.
- Shield Connect: secure data synchronization between Heroku Postgres and Salesforce for PHI-bearing integrations.
Security and compliance capabilities
- Data Encryption in transit and at rest for eligible services and connections.
- Private networking, static egress IPs, and options for private connectivity to external systems.
- Enterprise access controls, including SSO, role-based permissions, and auditability.
- Centralized logging via encrypted log drains to your HIPAA-eligible SIEM; ability to minimize PHI in logs.
- Support for implementing HIPAA Security Rule safeguards across administrative, physical, and technical domains.
Add-ons and integrations
- Use only HIPAA-eligible add-ons and third-party services that provide their own BAA.
- Keep PHI within Shield services; do not transmit PHI to non-BAA tools, test sandboxes, or non-Shield add-ons.
Configuring Applications for HIPAA Compliance
Foundational steps
- Execute a BAA and confirm Enterprise entitlements before handling PHI.
- Create a Shield Private Space and run apps on Shield Dynos; use Shield Postgres for PHI storage.
Secure design and data handling
- Enforce TLS for all external connections; prefer private connectivity for system-to-system traffic.
- Minimize PHI; tokenize or pseudonymize where practical; segregate PHI from non-PHI datasets.
- Keep PHI out of logs, metrics, and error traces; implement field-level redaction and request scrubbing.
- Avoid writing PHI to the ephemeral file system; use HIPAA-eligible storage services with a BAA.
Identity, access, and secrets management
- Use SSO, strong MFA, and least-privilege roles for all users and automations.
- Store secrets in config vars; rotate keys regularly; restrict and audit access to config and data.
Operations and monitoring
- Forward logs over encrypted channels to a HIPAA-eligible SIEM; review audit trails routinely.
- Harden CI/CD: signed artifacts, dependency scanning, and repeatable builds on supported stacks.
- Back up and test restore of Shield Postgres; document retention and disaster recovery procedures.
- Document policies and procedures that align with HIPAA Security Rule safeguards.
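One way to implement the "keep PHI out of logs" and request-scrubbing step above, as an added Python example that is not Heroku's or Accountable's code: a logging filter that masks PHI fields by key in structured payloads and identifier-looking patterns in free text before any handler writes the record to stdout/stderr, the streams Heroku's router collects and forwards to log drains. The PHI_FIELDS set, the regexes and the safe_message helper are assumptions made for the example and must be aligned with your own data model.

```python
import logging
import re
from typing import Any

# Keys that carry PHI in this app's payloads (assumed list; align with your data model).
PHI_FIELDS = {"ssn", "dob", "mrn", "patient_name", "diagnosis", "email", "phone"}

# Identifier-looking patterns for free text (constructed for the example).
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),               # US SSN
    (re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE), "[MRN]"),  # record number
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),      # e-mail address
]

def scrub_text(text: str) -> str:
    """Mask identifier-looking substrings in a free-text message."""
    for pattern, label in PHI_PATTERNS:
        text = pattern.sub(label, text)
    return text

def scrub_payload(obj: Any) -> Any:
    """Recursively mask PHI keys and pattern-matching strings in a decoded body."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in PHI_FIELDS else scrub_payload(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub_payload(v) for v in obj)
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj

class PHIRedactingFilter(logging.Filter):
    """Scrub each record before any handler, and so the log drain, sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub_payload(record.msg), scrub_payload(record.args)
        return True

def safe_message(msg: Any, *args: Any) -> str:
    """Render one record through the filter (hypothetical helper to show the effect)."""
    record = logging.LogRecord("app", logging.INFO, __name__, 0, msg, args, None)
    PHIRedactingFilter().filter(record)
    return record.getMessage()

def configure_logging() -> logging.Logger:
    """Attach the filter to a stderr handler; Heroku captures stdout and stderr alike."""
    handler = logging.StreamHandler()
    handler.addFilter(PHIRedactingFilter())   # handler filters also cover propagated records
    root = logging.getLogger()
    root.handlers[:] = [handler]
    root.setLevel(logging.INFO)
    return root
```

Pattern matching is a safety net, not a substitute for key-based redaction: treat any new payload field as PHI until it is reviewed.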
Enterprise Customer Eligibility
Heroku Shield is available to Enterprise customers. Eligibility generally includes an enterprise agreement, the execution of a BAA, and access to Shield features within your organization. Pricing and availability are enterprise-specific; work with your account team to scope capacity, regions, and support.
If you use Standard or Basic tiers, you must not process PHI. Migration to Shield plus a signed BAA is required before onboarding regulated data.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Network Isolation and Security Controls
Shield Private Spaces provide Network Isolation by running apps in a dedicated, logically isolated environment. Internal app-to-app traffic stays within the private network, and you can expose services externally only where necessary, protected by TLS and allowlists.
For outbound traffic, static egress IPs enable IP allowlisting on partner systems. Where higher assurance is required, use private connectivity options to keep PHI off the public internet. Data Encryption protects PHI at rest in Shield Postgres and in transit across approved connections.
Combine these technical controls with enterprise identity, least privilege, and continuous monitoring to implement the HIPAA Security Rule’s access control, transmission security, and audit requirements.
Limitations and Shared Responsibility Model
Heroku secures the platform; you secure your data and application. Only Shield-designated services are in scope for PHI under the BAA. Non-Shield services and many marketplace add-ons are out of scope unless they provide their own BAAs and private connectivity.
Operational limitations to plan for include an ephemeral application file system, limited OS-level customization, regional availability constraints, and the need to prevent PHI from entering logs or non-eligible services. You are responsible for vendor management, workforce training, incident response, and validating that your end-to-end architecture meets HIPAA Security Rule requirements.
FAQs
What is included in Heroku’s Shield tier?
Heroku Shield includes Shield Private Spaces for Network Isolation, Shield Dynos for running applications in that isolated runtime, Shield Postgres for encrypted data storage, and Shield Connect for secure synchronization with Salesforce. Collectively, these services provide Data Encryption, access controls, logging, and operational safeguards suitable for Protected Health Information.
How do I sign a BAA with Heroku?
Engage your Salesforce/Heroku account team as an Enterprise customer, request a Business Associate Agreement, and execute it alongside your enterprise terms. After signature, enable Shield services and restrict PHI to Shield-designated components only. Do not upload or process PHI on Heroku until the BAA is fully executed.
Can basic or standard Heroku tiers be HIPAA compliant?
No. Handling PHI requires both a signed BAA and deployment on the Shield tier. Standard or Basic tiers are not eligible for PHI. Move to Heroku Shield, implement required controls, and verify that only HIPAA-eligible services touch PHI.
What responsibilities do users have for maintaining HIPAA compliance on Heroku?
Users must configure and operate controls that satisfy the HIPAA Security Rule: enforce least-privilege access and SSO/MFA, keep PHI out of logs, encrypt data in transit and at rest, manage vendors and BAAs for any integrated services, monitor and audit systems, and maintain policies for incident response, backups, and workforce training. Heroku provides the platform controls; you must implement them correctly and continuously.