Heroku apps and amazon cloud. I need to update a privacy policy to include where data is stored and how its protected. Can anyone shed some light on this for me? For instance, is DB information cloud based or both in the cloud and stored on the heroku app and who is responsible for securing data?
Where are the threats to data mostly likely to come from?
All the "cloud" is computers. When data is stored to the "cloud", it will be stored to one or more of these computers. Amazon runs a service called "Amazon Web Service" which allows programs and websites to store data on computer systems that they manage.
Heroku stores their data on amazon's computers, which amazon runs in large data centers. Any data that you give them will simply be stored on amazon's computers. These data centers have been accredited under:
Quoting Heroku:
Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Heroku states that they will not access your data unless required by law:
Heroku staff does not access or interact with customer data or applications as part of normal operations. There may be cases where Heroku is requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by Heroku staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time.
You can find more information from heroku's security policy and amazon's security center.
