Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Heroku is a Platform as a Service that has been hosting Ruby, Node.js, Python, PHP, Java, Go and Clojure applications since 2007. Acquired by Salesforce in 2010, Heroku runs on AWS with a European region (eu-west-1 Ireland) and Private Spaces in Frankfurt and Dublin. Heroku itself does not set cookies on the public visitors of a hosted application; the application owner remains responsible for any cookies and analytics it deploys on top of Heroku.
Heroku is one of the oldest Platforms as a Service, founded in 2007 and acquired by Salesforce in 2010. It hosts Ruby, Node.js, Python, PHP, Java, Go and Clojure applications on dynos that run on AWS infrastructure, with built-in CI/CD, an extensive add-on marketplace (Heroku Postgres, Heroku Data for Redis (the former Heroku Redis), Heroku Connect, third-party data and observability tools) and Heroku Shield for HIPAA and PCI workloads. Most customers operate APIs, internal tools and B2B SaaS on Heroku.
Heroku processes the IP address, request URL, HTTP method, headers and TLS handshake parameters needed to route requests to the application dynos. The log stream (Logplex) carries one router line per request with that metadata, including the client IP in the fwd field, plus every line the application writes to stdout or stderr. Logplex itself only buffers the most recent 1,500 lines; anything kept longer lives in the log drains the customer attaches. Heroku Postgres and Heroku Data add-ons store the application data the customer chooses to persist. Heroku itself does not set cookies on the public visitors of customer applications.
IP addresses processed by the Heroku Router are personal data under the GDPR. Heroku is a processor for the customer application and a controller for limited operational purposes. Pure hosting does not write information to the visitor device, so the ePrivacy consent rule is not triggered. The application owner remains the controller for any cookies, analytics or marketing scripts it loads inside the dyno responses.
Heroku Common Runtime offers a European region (eu-west-1 Ireland); Heroku Private Spaces extend coverage to Frankfurt and Dublin for full EU residency. The control plane, customer support and account data operate from the United States. Transfers rely on the Salesforce Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3, encryption at rest, ISO 27001, SOC 2 Type II and Heroku Shield offerings for HIPAA and PCI DSS workloads.
Sign the Salesforce Data Processing Addendum and deploy your applications in the European region (or in a Private Space in Frankfurt or Dublin) for EU residency. Logplex has no retention setting and keeps only the last 1,500 lines, so set retention, access controls and, ideally, IP scrubbing on the log drain you attach (a logging add-on or your own HTTPS drain), because the router lines it receives contain visitor IP addresses. Encrypt sensitive columns in Heroku Postgres at the application layer (the platform's encryption at rest does not shield data from anyone who can query the database) and consider Heroku Shield for HIPAA and PCI workloads. Document Heroku as a processor in your record of processing activities and mention the US transfer to Salesforce in the privacy notice.
Websites hosted on Heroku do not need visitor consent for the hosting itself; consent obligations arise only from the cookies, analytics or marketing scripts the application chooses to load.
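The log-minimization step above, shown as an added example that is not Heroku's, Salesforce's or FlowConsent's own code: a small Python scrubber you could run inside your own HTTPS log drain before lines reach long-term storage. Heroku router lines are logfmt records whose fwd field holds the visitor IP (the X-Forwarded-For chain, which can contain several comma-separated addresses; each one is personal data), while application lines are free text. The scrubber replaces every IP with a keyed, truncated HMAC pseudonym, so the same visitor remains correlatable for abuse investigations without the address being retained, and redacts e-mail addresses on application lines. The sample log lines, request_id, addresses and key are constructed for the example, and the two patterns applied to application lines are an assumption about what this particular app logs.

```python
import hashlib
import hmac
import re
from typing import List

# Constructed sample of a Heroku log stream as a drain would receive it:
# one router line, one application line, one platform line. The request_id,
# addresses and host are placeholders made up for this example.
SAMPLE_LOG = """\
2024-05-01T12:00:00.000000+00:00 heroku[router]: at=info method=GET path="/login" host=example-app.herokuapp.com request_id=8f1c2d3e-0000-4000-8000-000000000001 fwd="203.0.113.7, 198.51.100.9" dyno=web.1 connect=1ms service=12ms status=200 bytes=1234 protocol=https
2024-05-01T12:00:00.100000+00:00 app[web.1]: user login ok email=alice@example.org ip=203.0.113.7
2024-05-01T12:00:01.000000+00:00 heroku[web.1]: State changed from starting to up
"""

# The quoted fwd="..." field on router lines; it may hold several addresses.
FWD_RE = re.compile(r'fwd="([^"]*)"')
# Assumption: bare IPv4 literals and e-mail addresses are the identifiers
# this application writes to its own log lines. Extend for your formats.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed, truncated HMAC of the address. Same IP -> same token while the
    key is in use, so repeat offenders can still be spotted, but the token
    cannot be turned back into the address without the key."""
    digest = hmac.new(key, ip.strip().encode(), hashlib.sha256).hexdigest()
    return "ip:" + digest[:16]


def scrub_router_line(line: str, key: bytes) -> str:
    """Replace every address in the fwd= chain with its pseudonym."""
    def repl(m):
        chain = [pseudonymize_ip(p, key) for p in m.group(1).split(",") if p.strip()]
        return 'fwd="' + ", ".join(chain) + '"'
    return FWD_RE.sub(repl, line)


def scrub_app_line(line: str, key: bytes) -> str:
    """Application lines are free text: redact e-mails, pseudonymize IPs."""
    line = EMAIL_RE.sub("[email redacted]", line)
    return IPV4_RE.sub(lambda m: pseudonymize_ip(m.group(0), key), line)


def scrub_stream(text: str, key: bytes) -> List[str]:
    """Scrub a chunk of drained log text line by line and return the result."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if "heroku[router]:" in line:
            out.append(scrub_router_line(line, key))
        elif " app[" in line:
            out.append(scrub_app_line(line, key))
        else:
            # Platform lines (dyno state changes etc.) carry no visitor data.
            out.append(line)
    return out


if __name__ == "__main__":
    # Assumption: in a real drain the key comes from config and is rotated on
    # a schedule, which also bounds how long any pseudonym stays linkable.
    key = b"rotate-me-on-a-schedule"
    for scrubbed in scrub_stream(SAMPLE_LOG, key):
        print(scrubbed)
```

Rotating the HMAC key (daily or weekly) is what makes the pseudonyms expire: after rotation, old tokens can no longer be joined to new traffic, which keeps the retained log within the storage-limitation principle while still letting you investigate an incident inside the rotation window.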
DPIA considerations
A DPIA is generally not required for a standard SaaS hosted on Heroku. A DPIA is recommended when the application performs systematic profiling, when Heroku Postgres and Heroku Connect store large volumes of EU personal data, when Heroku Shield is used for HIPAA workloads or when the customer operates in a regulated sector.
Sample consent text
This application is hosted on Heroku, a Platform as a Service operated by Heroku Inc. (a Salesforce company, USA) on AWS in the Ireland region. Heroku processes the IP address, request URL and headers needed to route the traffic. By accepting, you allow this transfer to Heroku and Salesforce servers, including in the United States, under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
heroku.com
herokuapp.com
heroku-app.com
salesforce.com
Does Heroku set cookies on visitors?
No. Heroku is a hosting platform and does not set any cookies on the public visitors of customer applications. Cookies on a site hosted on Heroku come from the application code itself or from third-party scripts that the application loads.
Is consent required for hosting on Heroku?
No. Pure hosting and HTTP routing do not write information to the device, so the ePrivacy consent rule is not triggered. Consent obligations come from the application running on Heroku, not from Heroku itself.
For hosting and routing the application, the legal basis is legitimate interest under Article 6(1)(f) GDPR. Heroku's own processing of customer account data rests on the contract, Article 6(1)(b) GDPR. Personal data stored in Heroku Postgres or Heroku Connect follows the legal basis chosen by the application owner.
Heroku is operated by Salesforce. Salesforce signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3, encryption at rest, ISO 27001 and SOC 2 Type II, with Heroku Shield for HIPAA and PCI workloads.
A DPIA is not required for a standard application on Heroku. A DPIA is recommended when the hosted application performs systematic profiling of EU users, when Heroku Postgres stores large volumes of personal data, when Heroku Shield is used for HIPAA workloads or when the application targets regulated sectors.
Sign the Salesforce Data Processing Addendum, run production in the eu-west-1 region or in a Frankfurt or Dublin Private Space, set retention on your log drains (Logplex itself keeps only the last 1,500 lines and has no retention setting), encrypt sensitive columns in Heroku Postgres at the application layer and document Heroku as a processor in your record of processing activities. Mention the US transfer to Salesforce in the privacy notice and audit any add-on that processes personal data.
European or open source alternatives include Scaleway Serverless (France), Clever Cloud (France), OVHcloud Web PaaS (France), Render with EU regions, Fly.io with European regions, Coolify (self hosted, open source) and self hosted Kubernetes on Hetzner or Scaleway clusters.
List Heroku (Salesforce) as the hosting processor, mention that the application is deployed in the EU Ireland region or in a Private Space, state that data including IP addresses may be transferred to the United States under SCCs and the EU US Data Privacy Framework, and link to the Salesforce Privacy Policy.