Hacker News
by holografix 2634 days ago
Disclaimer: I work for Salesforce, Heroku’s parent company.

Heroku Shield is a service added on top of Heroku Private spaces.

You usually don’t need Shield unless you want to be compliant with things like HIPAA, etc.

Which of course could be your case here.


It is, and we needed HIPAA. For me, it's priced aggressively (~600%, compared to zero for GCP) and wasn't ready when we looked, i.e., it caused a few SEVs.
> ~600%, compared to zero for GCP

I've always been curious. What do you need to do to be HIPAA compliant, from a technology standpoint? I figured it's similar to PCI compliance, but I'm not sure.

From what I've heard, though, the cost isn't quite zero, it's just that you have to own & implement all the work to be HIPAA compliant. But perhaps it's not that bad?

I’m not in product or legal so take this with a grain of salt:

I know that for a customer I spoke to, keystroke logging on running dynos was something they were really interested in, from a compliance point of view.

I think being able to spin up Postgres DBs with rollbacks, fork and follow, HA etc etc (don’t want to sound like a sales rep) in this highly compliant environment also involves some serious infra wrangling.

FWIW, Aiven PostgreSQL (http://aiven.io/postgresql) runs latest PG versions and is available in HIPAA compliant configurations on AWS and GCP. We don't charge extra for it, but have a minimum monthly commitment to justify the small setup overhead.