AES-256, block-level storage encryption. Amazon manages the keys and individual volume keys are stable for the lifetime of the volume. More information can be found here.
Heroku doesn’t encrypt data at the Postgres level. Sensitive fields, like passwords, are encrypted at the Postgres level by our application using 256 bit + 390k stretch key lengths.
If data is ever sent to S3 for exports, the files are short-lived and encrypted in S3. There is a 7-day object expiration rule applied to the entire S3 bucket.
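A check for the bucket-wide 7-day expiration described above, as an added example that is not part of the original page: it audits the JSON shape returned by `aws s3api get-bucket-lifecycle-configuration` and flags rules that are disabled, too long, or scoped to only part of the bucket. The sample configurations and rule IDs are constructed for illustration.

```python
MAX_DAYS = 7  # retention stated on the page

def covers_whole_bucket(rule):
    """True only if the rule has no prefix, tag or size condition."""
    if "Filter" in rule:
        # {} or {"Prefix": ""} matches every object; anything else narrows it
        return all(k == "Prefix" and v == "" for k, v in rule["Filter"].items())
    # Legacy form: rule-level Prefix instead of Filter
    return rule.get("Prefix", "") == ""

def audit_lifecycle(config, max_days=MAX_DAYS):
    """Return (ok, findings) for a lifecycle configuration dict."""
    findings = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<no id>")
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") != "Enabled":
            findings.append(f"{rid}: rule is not enabled")
        elif days is None:
            findings.append(f"{rid}: no day-based expiration")
        elif not covers_whole_bucket(rule):
            findings.append(f"{rid}: scoped by filter, not bucket-wide")
        elif days > max_days:
            findings.append(f"{rid}: expires after {days} days (> {max_days})")
        else:
            return True, findings  # one compliant bucket-wide rule is enough
    return False, findings or ["no lifecycle rules"]

# Constructed sample configurations (not taken from any real bucket)
GOOD = {"Rules": [{"ID": "expire-all", "Status": "Enabled",
                   "Filter": {"Prefix": ""}, "Expiration": {"Days": 7}}]}
SCOPED = {"Rules": [{"ID": "expire-exports", "Status": "Enabled",
                     "Filter": {"Prefix": "exports/"},
                     "Expiration": {"Days": 7}}]}
TOO_LONG = {"Rules": [{"ID": "expire-30", "Status": "Enabled",
                       "Filter": {}, "Expiration": {"Days": 30}}]}

if __name__ == "__main__":
    for name, cfg in [("GOOD", GOOD), ("SCOPED", SCOPED), ("TOO_LONG", TOO_LONG)]:
        ok, findings = audit_lifecycle(cfg)
        print(name, "PASS" if ok else "FAIL", findings)
```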
Mutual TLS or mTLS. Heroku uses mTLS to create a secure and mutually authenticated channel between an external resource and our Heroku Postgres database. More information can be found here.
Heroku uses TLS 1.2 or 1.3. More information can be found here.