BBAA Atlas

Is Heroku (Salesforce) HIPAA compliant?

Application hosting (PaaS) · vendor site ↗

BAA on select plansPHI with conditionsSOC 2 Type II
Will Heroku (Salesforce) sign a HIPAA BAA?
Sometimes — Heroku (Salesforce) signs a HIPAA BAA only on specific plans or add-ons.
Heroku supports HIPAA only via Heroku Shield (Shield Private Spaces, Shield Dynos, Shield Postgres), available as an add-on to Heroku Enterprise. Customers create a support ticket to complete a Business Associate Addendum to the Master Subscription Agreement; the BAA is not available on self-serve plans.
PHI eligibility
PHI may only be processed on Heroku Shield runtime/services under a signed Business Associate Addendum via an Enterprise contract; non-Shield runtimes (Common Runtime, standard Private Spaces) are not in HIPAA scope.
SOC 2
SOC 2 Type II
Trust center
heroku.com
Sub-processors
Notes
HIPAA requires Heroku Shield (Enterprise add-on); the BAA is a Business Associate Addendum to the Salesforce/Heroku MSA. Signing the BAA does not by itself make an app HIPAA compliant.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Heroku (Salesforce) before storing PHI.

Get notified when this changes

We track Heroku (Salesforce)'s BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Heroku (Salesforce)

Sometimes — Heroku (Salesforce) signs a HIPAA BAA only on specific plans or add-ons.

Request routeSelf-serve — enable it in your account
  1. 1
    Get on a qualifying plan
    Heroku supports HIPAA only via Heroku Shield (Shield Private Spaces, Shield Dynos, Shield Postgres), available as an add-on to Heroku Enterprise. Customers create a support ticket to complete a Business Associate Addendum to the Master Subscription Agreement; the BAA is not available on self-serve plans.
  2. 2
    Request the Business Associate Agreement
    Heroku (Salesforce) lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI may only be processed on Heroku Shield runtime/services under a signed Business Associate Addendum via an Enterprise contract; non-Shield runtimes (Common Runtime, standard Private Spaces) are not in HIPAA scope. Match your configuration to this scope before putting protected health information into Heroku (Salesforce).
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Heroku (Salesforce) before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Heroku (Salesforce) sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — Heroku (Salesforce) signs a HIPAA BAA only on specific plans or add-ons. Heroku supports HIPAA only via Heroku Shield (Shield Private Spaces, Shield Dynos, Shield Postgres), available as an add-on to Heroku Enterprise. Customers create a support ticket to complete a Business Associate Addendum to the Master Subscription Agreement; the BAA is not available on self-serve plans.
Is Heroku (Salesforce) HIPAA compliant?
Heroku (Salesforce) can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI may only be processed on Heroku Shield runtime/services under a signed Business Associate Addendum via an Enterprise contract; non-Shield runtimes (Common Runtime, standard Private Spaces) are not in HIPAA scope.
Can you store PHI (protected health information) in Heroku (Salesforce)?
PHI may only be processed on Heroku Shield runtime/services under a signed Business Associate Addendum via an Enterprise contract; non-Shield runtimes (Common Runtime, standard Private Spaces) are not in HIPAA scope.
Is Heroku (Salesforce) SOC 2 certified?
Heroku (Salesforce) reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Heroku (Salesforce)?
Heroku (Salesforce) lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with Heroku (Salesforce) before storing PHI.
What plan do I need to sign a BAA with Heroku (Salesforce)?
Heroku supports HIPAA only via Heroku Shield (Shield Private Spaces, Shield Dynos, Shield Postgres), available as an add-on to Heroku Enterprise. Customers create a support ticket to complete a Business Associate Addendum to the Master Subscription Agreement; the BAA is not available on self-serve plans.

Sources

Heroku's ISO, SOC, HIPAA, PCI Compliance and Certifications
https://www.heroku.com/compliance/
Supports: HIPAA supported via Shield Private Spaces/Dynos/Postgres; complete a Business Associate Addendum via support ticket; SOC 2 Type 2 report and ISO 27001/27017/27018dated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Heroku (Salesforce) before processing protected health information.

Check another vendor

NetlifyBAA on select plansRenderBAA on select plansVercelBAA on select plansActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plans

See all HIPAA compliant cloud infrastructure & hosting
Browse all 105 vendors by category →