Heroku is a cloud platform-as-a-service (PaaS) that enables developers to deploy, manage, and scale applications without dealing with the complexities of infrastructure management.
Secureframe scans various Heroku resources and configurations to ensure compliance and automatically gather evidence.
Setup & Configuration
To integrate Heroku with Secureframe, navigate to Integrations and search for “Heroku” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form. (If you have the Custom Integration feature, click on "Add native connection").
Permissions, Fields, Controls & Automated Tests
- Click the provided link or navigate to the “Integrations” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.
Frequently Asked Questions (FAQ)
Does CJIS compliance require Heroku Private Spaces?
- Not by name. CJIS Security Policy control SC-7 (Boundary Protection), adopted from NIST SP 800-53, requires that publicly accessible components be placed in subnetworks that are physically or logically separated from internal networks, with traffic between them monitored and controlled. On Heroku, the practical way to meet this requirement is Heroku Private Spaces (or Shield Private Spaces), because they provide an isolated runtime network, private routing, VPC peering/VPN connectivity, and stable outbound IPs. The Common Runtime runs on shared routing and infrastructure and does not offer this level of segmentation.
Can I be CJIS compliant on Heroku without Private Spaces?
- It’s unlikely. Because the Common Runtime uses shared routing and infrastructure, you cannot place your own network boundary around it, so meeting SC-7 there would require written confirmation from Heroku that the runtime provides equivalent network isolation and boundary protection, and your CJIS Systems Agency (CSA) would still have to accept that evidence. Plan on Private Spaces.
What’s the difference between Heroku Private Spaces and Shield Private Spaces?
- Private Spaces: Isolated runtime, private network, VPN/VPC peering, stable outbound IPs.
- Shield Private Spaces: All Private Spaces features plus stricter TLS enforcement, keystroke logging, space-level logging, and encrypted ephemeral storage. Designed for higher-compliance environments such as HIPAA and PCI, and useful for CJI.
If I don’t want to use Heroku Private Spaces, what are my options?
- You can deploy to other platforms that let you configure VPCs, subnets, and firewall rules directly, such as Azure App Service Environment (ASE v3), Azure Kubernetes Service (AKS), AWS Elastic Beanstalk, or AWS ECS/EKS. On those services you place the public entry point (load balancer or gateway) in a DMZ subnet and keep the application tier and data stores on private subnets that accept traffic only from the DMZ.
How does CJIS define “boundary protection”?
- Under CJIS Security Policy SC-7, boundary protection means separating publicly accessible components from internal systems and controlling the traffic that crosses that boundary. In practice this means separate subnets or VPCs, firewall rules (NACLs, security groups) that allow only the required flows, and logging of traffic crossing those boundaries so it can be monitored.
If I store or process Criminal Justice Information (CJI) on Heroku, what should I do?
- Confirm with your CJIS Systems Agency (CSA) which controls are required.
- Use Heroku Private Spaces or Shield Private Spaces for network isolation.
- Enforce strong authentication (multi-factor) for Heroku accounts and application access, and encrypt CJI in transit and at rest.
- Document how your configuration meets SC-7 and the other applicable CJIS controls.
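The runtime check behind the two questions above (whether each app runs in a Private Space or Shield Private Space rather than on the Common Runtime) and the evidence table for the last step can be produced from the Heroku Platform API. The script below is an added example for this FAQ, not Secureframe's or Heroku's code. It relies only on the documented shape of the Platform API app record (GET /apps with "Accept: application/vnd.heroku+json; version=3", where `space` is null on the Common Runtime and otherwise an object with a `shield` flag). The app names, space names and UUIDs in SAMPLE_APPS, the `require_shield` policy knob and the `HEROKU_API_KEY` environment variable are assumptions for illustration; without a token the script runs fully offline against the constructed sample.

```python
"""Inventory Heroku apps by runtime to document CJIS SC-7 boundary protection.

Added example for this FAQ; not Secureframe's or Heroku's code. It reads app
records in the shape returned by the Heroku Platform API (GET /apps with
"Accept: application/vnd.heroku+json; version=3"): each app carries a `space`
attribute that is null on the Common Runtime and an object with a `shield`
flag inside a Private Space. The sample records, the `require_shield` policy
knob and the HEROKU_API_KEY variable are assumptions made for illustration.
"""
import json
import os
import urllib.request

HEROKU_API = "https://api.heroku.com"

COMMON_RUNTIME = "Common Runtime"
PRIVATE_SPACE = "Private Space"
SHIELD_SPACE = "Shield Private Space"

# Constructed sample records (names and UUIDs are made up); only the fields
# the check uses are included.
SAMPLE_APPS = [
    {"name": "cji-portal", "space": None},
    {"name": "cji-api",
     "space": {"id": "00000000-0000-0000-0000-000000000001",
               "name": "cji-prod", "shield": False}},
    {"name": "cji-worker",
     "space": {"id": "00000000-0000-0000-0000-000000000002",
               "name": "cji-shield", "shield": True}},
]


def fetch_apps(token: str) -> list:
    """Fetch live app records from the Platform API (skipped in the offline run)."""
    req = urllib.request.Request(
        f"{HEROKU_API}/apps",
        headers={
            "Accept": "application/vnd.heroku+json; version=3",
            "Authorization": f"Bearer {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def classify_app(app: dict) -> str:
    """Map an app's `space` attribute to the runtime it executes in."""
    space = app.get("space")
    if not space:
        return COMMON_RUNTIME  # shared routing layer: no SC-7 segmentation possible
    return SHIELD_SPACE if space.get("shield") else PRIVATE_SPACE


def sc7_findings(apps: list, require_shield: bool = False) -> list:
    """One finding per app: runtime, space name, and whether it satisfies the
    isolation requirement. `require_shield` models a CSA that insists on Shield
    for anything handling CJI (an assumed policy knob, not a CJIS rule)."""
    findings = []
    for app in apps:
        runtime = classify_app(app)
        space_name = (app.get("space") or {}).get("name", "-")
        ok = runtime == SHIELD_SPACE if require_shield else runtime != COMMON_RUNTIME
        findings.append({"app": app["name"], "runtime": runtime,
                         "space": space_name, "ok": ok})
    return findings


def evidence_table(findings: list) -> str:
    """Render findings as a plain-text table for the SC-7 write-up."""
    lines = ["app | space | runtime | SC-7 isolation"]
    for f in findings:
        lines.append(f"{f['app']} | {f['space']} | {f['runtime']} | "
                     f"{'PASS' if f['ok'] else 'FAIL'}")
    return "\n".join(lines)


def main() -> None:
    token = os.environ.get("HEROKU_API_KEY")  # assumed: set to use the live API
    apps = fetch_apps(token) if token else SAMPLE_APPS
    findings = sc7_findings(apps)
    print(evidence_table(findings))
    failing = [f["app"] for f in findings if not f["ok"]]
    if failing:
        print(f"\n{len(failing)} app(s) on the Common Runtime: {', '.join(failing)}")


if __name__ == "__main__":
    main()
```

Run it with `HEROKU_API_KEY` set to a token that can list your apps to get the live inventory; any row marked FAIL is an app on the Common Runtime, where no Private Space boundary exists and SC-7 cannot be satisfied on Heroku. Pass `require_shield=True` to `sc7_findings` if your CSA requires Shield Private Spaces specifically.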