Is data encrypted at rest?
Yes, data is encrypted at rest with AES-256, block-level storage encryption. Amazon manages the keys, and individual volume keys are stable for the lifetime of the volume. More information can be found here.
Heroku doesn’t encrypt data at the Postgres level. Sensitive fields, like passwords, are encrypted at the Postgres level by our application using 256 bit + 390k stretch key lengths.
If data is ever sent to S3 for exports, the files are short-lived and encrypted in S3. There is a 7-day object expiration rule applied to the entire S3 bucket.
Is data encrypted in transit?
Yes, the data is encrypted in transit with Mutual TLS or mTLS. Heroku uses mTLS to create a secure and mutually authenticated channel between an external resource and our Heroku Postgres database. More information can be found here.
Heroku uses TLS 1.2 or 1.3. More information can be found here.
How is unauthorized access to code repositories and cloud hosting platforms prevented?
- These platforms can only be accessed by authorized Explo employees.
- Only Explo administrators can add additional employees to these platforms.
- All accounts added to our code repositories and cloud hosting platforms are required to have MFA enabled.