For organizations that build, deploy, or process customer data on Heroku, reviewing Heroku’s SOC 2 report is an important part of vendor risk management. The report helps security, legal, procurement, and compliance teams understand how Heroku’s controls are designed and operated over time. Because SOC 2 reports contain sensitive control information, access is typically restricted and may require authentication, customer status, and confidentiality terms.
TL;DR: A Heroku SOC 2 report is generally accessed through Salesforce or Heroku compliance channels, such as a compliance document portal, support request, or account representative. You may need to be an active customer, accept confidentiality terms, or have an NDA in place. The report typically includes the auditor’s opinion, system description, tested controls, testing results, exceptions, subservice organizations, and customer responsibilities. Always confirm that the report period, scope, and included Heroku services match your organization’s use case.
What a SOC 2 Report Is
A SOC 2 report is an independent assurance report prepared by a licensed CPA firm. It evaluates a service provider’s controls against the Trust Services Criteria established by the American Institute of Certified Public Accountants. These criteria commonly relate to security, availability, confidentiality, processing integrity, and privacy, although not every SOC 2 report covers all five categories.
For Heroku customers, the SOC 2 report can provide evidence that relevant operational and security controls were reviewed by an independent auditor. It is not a guarantee that every application deployed on Heroku is compliant. Rather, it describes the controls operated by Heroku for the systems and services included in the report’s scope.
How to Access a Heroku SOC 2 Report
Because Heroku is part of Salesforce, compliance documentation for Heroku is often managed through Salesforce’s compliance and trust channels. The exact access path may vary depending on your contract, account type, region, and relationship with Salesforce or Heroku. In most cases, you should follow a structured process.
- Confirm your eligibility. SOC 2 reports are usually made available to current customers, prospective enterprise customers, auditors, or authorized third parties with a legitimate business need.
- Check Salesforce or Heroku compliance resources. Start with official Salesforce Trust, compliance, or documentation portals. These portals may require login credentials and acceptance of confidentiality terms before documents can be downloaded.
- Contact your account representative. If your organization has a Salesforce or Heroku account executive, customer success manager, or enterprise contact, request the latest Heroku SOC 2 report through that channel.
- Submit a support request if needed. If you do not have an assigned representative, open a support case through the appropriate Heroku or Salesforce support process. Include your organization name, account information, and the reason for the request.
- Complete confidentiality requirements. SOC 2 reports are confidential. You may be asked to accept online terms, sign a nondisclosure agreement, or confirm that the report will be used only for internal assessment purposes.
When requesting the report, be specific. Ask for the latest available SOC 2 Type II report for Heroku, and, if relevant, specify the Heroku services you use, such as Heroku runtime, data services, Private Spaces, or other platform components. This helps avoid receiving a report that does not cover your actual deployment model.
SOC 2 Type I vs. SOC 2 Type II
It is important to understand the difference between a Type I and Type II report. A SOC 2 Type I report evaluates whether controls were suitably designed at a specific point in time. A SOC 2 Type II report evaluates both design and operating effectiveness over a defined review period, often six to twelve months.
For vendor risk reviews, the Type II report is usually more valuable because it shows whether controls operated consistently over time. If your security team asks for Heroku’s SOC 2 report, they likely expect the most recent SOC 2 Type II version unless they state otherwise.
What the Heroku SOC 2 Report Typically Includes
While the exact contents depend on the report and audit period, a Heroku SOC 2 report will generally contain several standard sections. These sections should be reviewed carefully rather than treated as a simple checkbox for compliance.
- Independent auditor’s opinion: This section states whether the auditor believes the controls were fairly presented, suitably designed, and operating effectively during the review period.
- Management assertion: Heroku or Salesforce management provides an assertion about the accuracy of the system description and the suitability of controls.
- System description: This explains the Heroku services, infrastructure, boundaries, governance processes, operational practices, and security environment covered by the report.
- Trust Services Criteria mapping: The report maps controls to the applicable criteria, such as security, availability, or confidentiality.
- Control activities: These are the specific controls Heroku uses, such as access management, change management, incident response, monitoring, vulnerability management, and backup practices.
- Auditor testing and results: The auditor describes how controls were tested and whether the tests passed, failed, or included exceptions.
- Exceptions or deviations: If a control did not operate as expected, the report should describe the issue, timing, and potential significance.
- Subservice organizations: The report may identify important third-party providers, such as cloud infrastructure or operational vendors, and explain whether they are included or carved out of the audit scope.
- Complementary user entity controls: These are controls that customers must operate themselves for the overall control environment to be effective.
What to Review Before Relying on the Report
Do not rely on the report solely because it says “SOC 2.” First, confirm the report period. A report that ended many months ago may need to be supplemented with a bridge letter or updated confirmation. Second, confirm the scope. The report should cover the Heroku services your organization actually uses.
Third, review any exceptions. Not all exceptions are equally serious. Some may be isolated and low risk, while others may require follow-up questions. Fourth, read the complementary user entity controls. These are especially important because they define what your organization is responsible for, such as configuring access permissions, protecting credentials, managing application-level security, encrypting sensitive data where appropriate, and monitoring your own application activity.
What the Report Does Not Cover
A Heroku SOC 2 report does not automatically certify your application, your code, your data model, or your internal procedures. If your team deploys an insecure application, misconfigures access, exposes secrets, or fails to manage user permissions, those risks remain your responsibility.
The report also may not cover every Heroku add-on, third-party integration, or external service connected to your application. If your environment depends on marketplace add-ons, external databases, payment processors, or analytics tools, you may need separate compliance evidence from those providers.
How Security Teams Should Use the Report
A practical review should combine the SOC 2 report with your own risk assessment. Security teams should document which Heroku services are used, compare them to the report scope, review noted exceptions, and identify customer control responsibilities. Procurement and legal teams should also confirm that confidentiality, data processing, and contractual terms align with organizational requirements.
If anything is unclear, ask Heroku or Salesforce for clarification. Reasonable follow-up questions may include whether a specific service is in scope, whether a more recent bridge letter is available, how subservice organizations are monitored, or how a reported exception was remediated.
Final Considerations
Accessing a Heroku SOC 2 report is usually a controlled process because the document contains confidential details about Heroku’s security and operational controls. The most reliable path is to use official Salesforce or Heroku compliance channels, your account representative, or support. Once obtained, the report should be reviewed carefully for scope, dates, criteria, exceptions, and customer responsibilities.
Used properly, the Heroku SOC 2 report can be a valuable part of your cloud vendor due diligence. It provides independent assurance about Heroku’s control environment, but it should be treated as one component of a broader security and compliance program, not as a substitute for your own governance, secure configuration, and application-level controls.
