Heroku EU Alternative 2026: Why Salesforce's CLOUD Act Score Changes Everything
Post #1117 in the sota.io EU Cloud Sovereignty Series
Heroku pioneered the "git push to deploy" model that every modern PaaS copied. For years, it was the default answer for developers who wanted to ship without managing servers. But Heroku has a problem that a Frankfurt data center can't fix: its parent company is Salesforce, Inc., a US Delaware corporation with one of the highest CLOUD Act risk profiles in enterprise SaaS.
If you're processing EU personal data — user emails, billing information, application logs, database backups — on Heroku, you're entrusting that data to a company operating under CLOUD Act §2713, with direct US government contracts, FedRAMP High authorization, and documented intelligence community relationships. This guide explains what that means, why EU "regions" don't solve it, and which alternatives score 0/25.
Who Owns Heroku?
Heroku, Inc. was founded in 2007 in San Francisco. In January 2011, Salesforce acquired it for $212 million. Heroku today is a wholly owned subsidiary of Salesforce, Inc.
Salesforce corporate structure:
- Legal name: Salesforce, Inc.
- Incorporation: Delaware, USA
- HQ: Salesforce Tower, San Francisco, CA 94105
- Market cap: ~$225 billion (NYSE: CRM)
- Revenue (FY2025): $34.9 billion
Heroku is not an independent company. It has no separate legal entity with data-protection autonomy. When US law enforcement serves a legal demand on Heroku, the demand lands on Salesforce's legal team in San Francisco.
CLOUD Act Risk Score: Heroku / Salesforce — 22/25
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. §2523) requires US persons — including US corporations and their foreign subsidiaries — to comply with lawful US government demands for data, regardless of where that data is physically stored.
| Dimension | Score | Evidence |
|---|---|---|
| Legal entity jurisdiction | 5/5 | Salesforce, Inc. Delaware. Heroku LLC Delaware. No EU-controlled parent. |
| Intelligence community ties | 5/5 | Salesforce Government Cloud (GovCloud): cleared personnel, FedRAMP High, supports classified workloads. Salesforce CRM used by FBI, CIA, FEMA, DoD agencies. |
| US government contracts | 5/5 | $2.2B+ in federal contracts (USASpending.gov). DoD Enterprise CRM contract. NASA, US Army, DHS Salesforce deployments. |
| Infrastructure control | 4/5 | Heroku runs on AWS (Amazon Web Services). All EU-region Heroku dynos run on AWS eu-central-1 (Frankfurt) or eu-west-1 (Ireland) — both under US-parent infrastructure control. |
| CLOUD Act compellability | 3/5 | No constitutional protection for corporate records. NSL gag orders apply. Executive Order 12333 collection possible on transit data. |
| TOTAL | 22/25 | Highest-risk tier. Comparable to AWS (21/25) and Azure (21/25). |
A score of 22/25 means Salesforce/Heroku is among the most compellable US cloud providers. Your data is legally accessible to US intelligence agencies under conditions that Salesforce cannot disclose to you (NSL gag orders) and cannot contest in most cases.
What Heroku's EU Region Actually Means
Heroku offers Private Spaces — dedicated Heroku environments that can be pinned to specific AWS regions, including EU (Frankfurt, Dublin). Many Heroku customers believe this solves their GDPR cross-border transfer problem. It does not.
What EU regions do
- Your application dynos (compute containers) run in AWS eu-central-1 or eu-west-1
- Your Heroku Postgres add-on data can be stored in EU region
- Your data at rest is physically located in Europe
- Heroku's data processing agreement (DPA) under GDPR Art.28 applies
What EU regions don't do
- Control plane jurisdiction remains US: Heroku's management APIs, authentication, deploy pipelines, log drains, and build system operate out of US-based Salesforce infrastructure
- CLOUD Act applies regardless of server location: The statute explicitly covers data "in the cloud provider's possession, custody, or control" — location is irrelevant
- DPA conflict: Heroku's DPA requires Standard Contractual Clauses (SCCs) under GDPR Art.46(2)(c), but the Transfer Impact Assessment (TIA) required by EDPB Guidelines 05/2021 must conclude that US government access risk makes SCCs "ineffective" — the opposite of what Heroku customers typically assume
- Salesforce FedRAMP authorization: FedRAMP High authorization means Salesforce actively demonstrated to US agencies that it can isolate, retain, and produce government customer data on demand
- Heroku Postgres: The managed database add-on is provided by Heroku's own infrastructure team with US employee access
The EDPB Schrems II gap
Since the CJEU Schrems II ruling (C-311/18, July 2020) and the EDPB's subsequent guidance, EU DPAs have consistently found that:
- SCCs do not neutralize US government access risk when the data importer is subject to US surveillance law (NSA/FISA/CLOUD Act)
- Technical measures must be supplementary to legal protections — encryption doesn't help if the cloud provider holds the keys (which Heroku/Salesforce does)
- The risk assessment burden is on the EU data controller (your company), not on Heroku
For EU companies processing personal data on Heroku, maintaining a GDPR-compliant legal basis for international data transfers requires either:
- Demonstrating that Salesforce is not compellable (impossible given its CLOUD Act score)
- Switching to a non-US provider
Heroku Architecture: Why "EU Region" Isn't Enough
Your App (Heroku Private Space, Frankfurt)
├── Dynos → AWS eu-central-1 (Frankfurt)
│   ├── Build system → US (Heroku build infrastructure)
│   ├── Log drain → US (Heroku logging infrastructure)
│   └── Deploy trigger → US (Heroku API, SF datacenter)
├── Heroku Postgres → AWS eu-central-1 (Frankfurt)
│   └── Admin access → Heroku SREs (US employees)
├── SSL termination → US (Heroku router, SF)
└── Authentication → US (Salesforce identity, SF)
Even with a Frankfurt Private Space, your application has eight distinct touch-points with US-jurisdiction infrastructure. Each of these is a potential CLOUD Act vector.
GDPR Articles Implicated
| Article | Implication for Heroku Users |
|---|---|
| Art.28 — Processor contracts | Heroku's DPA exists but SCCs are required for international transfers |
| Art.44 — Transfer prohibition | Data transfers to US processors require valid transfer mechanism |
| Art.46 — SCCs | Required for Heroku's EU operations; TIA must assess CLOUD Act risk |
| Art.5(1)(f) — Integrity/confidentiality | US government access undermines this principle for sensitive data categories |
| Art.32 — Security of processing | Technical measures must include consideration of third-party access |
| Art.83(4)(5) — Fines | Up to €20M or 4% of global annual revenue for violations |
EU Alternatives to Heroku
These providers share the same developer experience (git push, buildpacks, managed Postgres, horizontal scaling) but with fundamentally different legal structures.
Scalingo — 0/25 CLOUD Act Score
Scalingo SAS, headquartered in Strasbourg, France. Founded 2014. Part of the Clever Cloud Group (French).
| Dimension | Score |
|---|---|
| Legal entity | 0/5 — French SAS, no US parent |
| IC ties | 0/5 — No US intelligence community contracts |
| Government contracts | 0/5 — French public sector clients (EU jurisdiction) |
| Infrastructure | 0/5 — Own infrastructure in 3PCloud (FR) and Outscale (Dassault, FR) |
| CLOUD Act compellability | 0/5 — Not a US person, French law applies |
| TOTAL | 0/25 |
Scalingo is the most direct Heroku alternative for EU companies:
- Buildpack support (identical to Heroku's)
- One-click Heroku migration tool
- Managed PostgreSQL (backups, HA, PITR)
- Review apps, pipelines
- Paris, Frankfurt datacenter options
- Data Processing Agreement under GDPR Art.28 with EU-governed DPA
- Pricing: from €7.20/month (512MB RAM), similar to Heroku Eco
Migration from Heroku:
# Install Scalingo CLI
curl -O https://cli.scalingo.com/install.sh && bash install.sh
# Create app and configure buildpack (Heroku-compatible)
scalingo create my-app --region osc-fr1
# Deploy (same as Heroku)
git remote add scalingo git@ssh.osc-fr1.scalingo.com:my-app.git
git push scalingo main
# Migrate Heroku Postgres to Scalingo PostgreSQL
heroku pg:backups:capture
heroku pg:backups:download   # writes latest.dump (pg_dump custom format, binary)
# Attach the PostgreSQL addon first so SCALINGO_POSTGRESQL_URL exists
scalingo --app my-app addons-add postgresql postgresql-starter-512
# A custom-format dump cannot be piped into pgsql-console (psql); upload it into a
# one-off container (--file places it under /tmp/uploads) and restore with pg_restore
scalingo --app my-app run --file latest.dump \
  bash -c 'pg_restore --no-owner --no-privileges --dbname "$SCALINGO_POSTGRESQL_URL" /tmp/uploads/latest.dump'
Koyeb — 1/25 CLOUD Act Score
Koyeb SAS, Paris, France. Founded 2020. VC-backed (French VCs).
| Dimension | Score |
|---|---|
| Legal entity | 0/5 — French SAS |
| IC ties | 0/5 — No IC contracts |
| Government contracts | 0/5 — No US federal contracts |
| Infrastructure | 1/5 — Uses Equinix colocated servers, Equinix is US (Delaware) |
| CLOUD Act compellability | 0/5 — Not a US person |
| TOTAL | 1/25 |
Koyeb focuses on containerized deployments (Docker-native) and global edge. Good choice for API-first applications.
- Frankfurt, Paris, Amsterdam regions
- Automatic HTTPS, global CDN
- Git-push deployments (Buildpacks support)
- Free tier available
- Pricing: from €0 (free tier), $8.52/month for production
Northflank — 3/25 CLOUD Act Score
Northflank Ltd, London, UK. Post-Brexit UK company.
| Dimension | Score |
|---|---|
| Legal entity | 1/5 — UK Ltd (UK-US data agreement CLOUD Act umbrella) |
| IC ties | 0/5 — No IC contracts |
| Government contracts | 1/5 — UK public sector |
| Infrastructure | 1/5 — Multi-cloud (GCP/Hetzner) |
| CLOUD Act compellability | 0/5 — UK CLOUD Act covered under US-UK bilateral |
| TOTAL | 3/25 |
Northflank targets developer teams with Docker/Kubernetes workflows. More complex than Heroku but very powerful.
- EU regions: Frankfurt (Hetzner), Amsterdam
- Build pipelines, job queues, managed databases
- Kubernetes-native
- Team access controls, secrets management
- Pricing: from $0 (free tier), $25/month for production
sota.io — 0/25 CLOUD Act Score
sota.io GmbH (or equivalent EU-registered entity), EU-based infrastructure (Hetzner, Germany).
| Dimension | Score |
|---|---|
| Legal entity | 0/5 — EU legal entity |
| IC ties | 0/5 — No IC contracts |
| Government contracts | 0/5 — No US federal contracts |
| Infrastructure | 0/5 — Hetzner Falkenstein/Nuremberg (Germany) |
| CLOUD Act compellability | 0/5 — Not a US person |
| TOTAL | 0/25 |
sota.io is the Heroku replacement built specifically for EU compliance:
- Git-push deployments (same workflow as Heroku)
- Any language, any framework
- Managed PostgreSQL with EU-only backups
- GDPR Art.28 DPA with EU governing law
- No CLOUD Act exposure by design
- From €9/month
Comparison Table
| Provider | CLOUD Act | Entity | Infrastructure | Heroku Migration |
|---|---|---|---|---|
| Heroku | 22/25 ⚠️ | Salesforce Inc. (US) | AWS Frankfurt/Dublin | — |
| Scalingo | 0/25 ✅ | Scalingo SAS (FR) | 3PCloud/Outscale (FR) | Direct (buildpack compat) |
| Koyeb | 1/25 ✅ | Koyeb SAS (FR) | Equinix colocation | Docker/buildpack |
| Northflank | 3/25 ✅ | Northflank Ltd (UK) | Hetzner/GCP EU | Docker |
| sota.io | 0/25 ✅ | EU entity | Hetzner (DE) | Git-push compat |
| Dokku on Hetzner | 0/25 ✅ | Self-hosted | Hetzner (DE) | Direct buildpack |
Heroku Pricing vs. EU Alternatives (2026)
| Tier | Heroku (2023+) | Scalingo | Koyeb | sota.io |
|---|---|---|---|---|
| Entry | $5/mo (Eco) | €7.20/mo | €0 (free tier) | €9/mo |
| Production (512MB) | $7/mo | €7.20/mo | $8.52/mo | €9/mo |
| Production (1GB) | $25/mo | €14.40/mo | $17.04/mo | €18/mo |
| Postgres (mini) | $5/mo | €7.20/mo | $7/mo | included |
| EU region | +$0 (Private Spaces: +$250/mo) | included | included | included |
Key pricing note: Heroku's EU regions (Private Spaces) require the Private Spaces product, starting at $250/month — making Heroku 10-35x more expensive than EU-native alternatives for GDPR-compliant deployments.
Migration Guide: Heroku → Scalingo (Recommended Path)
Scalingo is the closest drop-in for most Heroku workloads:
Step 1: Export Heroku configuration
# Export all config vars
heroku config --app YOUR_APP_NAME --json > heroku-config.json
# Export database (Postgres)
heroku pg:backups:capture --app YOUR_APP_NAME
heroku pg:backups:download --app YOUR_APP_NAME -o heroku-db.dump
# Check buildpack
heroku buildpacks --app YOUR_APP_NAME
Step 2: Create Scalingo app
# Install Scalingo CLI
curl -O https://cli.scalingo.com/install.sh && bash install.sh
scalingo login
# Create app in EU region (osc-fr1 = Paris, osc-secnum-fr1 = Paris SecNumCloud)
scalingo create YOUR_APP_NAME --region osc-fr1
# Import config vars
cat heroku-config.json | python3 -c "
import json, sys, subprocess
config = json.load(sys.stdin)
for k, v in config.items():
    # DATABASE_URL is set by Scalingo itself when the PostgreSQL addon is attached (Step 5);
    # importing Heroku's value would keep the app pointed at Heroku Postgres in the US-controlled stack
    if k == 'DATABASE_URL':
        continue
    subprocess.run(['scalingo', '--app', 'YOUR_APP_NAME', 'env-set', f'{k}={v}'], check=True)
"
Step 3: Configure buildpack (Heroku-compatible)
# Scalingo supports all Heroku buildpacks natively
# Node.js example:
scalingo --app YOUR_APP_NAME env-set BUILDPACK_URL=https://github.com/Scalingo/nodejs-buildpack
# Or use the Scalingo Cloud Native Buildpack (auto-detected)
# Procfile is read automatically (same as Heroku)
Step 4: Deploy
git remote add scalingo git@ssh.osc-fr1.scalingo.com:YOUR_APP_NAME.git
git push scalingo main
Step 5: Restore database
# Create PostgreSQL addon
scalingo --app YOUR_APP_NAME addons-add postgresql postgresql-starter-512
# Get connection string
scalingo --app YOUR_APP_NAME env | grep SCALINGO_POSTGRESQL_URL
# Restore: pg_restore writes SQL to stdout unless given --dbname, so point it at the addon;
# --file uploads the dump into the one-off container under /tmp/uploads
scalingo --app YOUR_APP_NAME run --file heroku-db.dump \
  bash -c 'pg_restore --no-owner --no-privileges --dbname "$SCALINGO_POSTGRESQL_URL" /tmp/uploads/heroku-db.dump'
Step 6: Update DNS
# Add custom domain
scalingo --app YOUR_APP_NAME domains-add yourdomain.com
# Update DNS CNAME: yourdomain.com → YOUR_APP_NAME.osc-fr1.scalingo.io
# SSL cert is provisioned automatically (Let's Encrypt)
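Before cutting DNS over, it is worth checking the exported config for add-on endpoints that still resolve to Heroku or AWS hosts: an app that keeps its old DATABASE_URL or REDIS_URL has moved its dynos but not its data. The following check is an added example written for this post, not part of the Scalingo or Heroku tooling; the sample config export, the fake credentials in it and the hostname suffix list are constructed assumptions you should extend for your own add-on vendors.

```python
import json
import re
from urllib.parse import urlsplit

# Hostname suffixes that indicate a dependency still served from Heroku/Salesforce
# or AWS infrastructure (US-jurisdiction control plane, as discussed above).
# Assumed list: extend it with any other US-parented add-on vendors you use.
US_JURISDICTION_SUFFIXES = (".herokuapp.com", ".heroku.com", ".amazonaws.com")

# Vars that Scalingo injects itself when the PostgreSQL addon is attached;
# importing Heroku's value would silently keep the app on Heroku Postgres.
PROVIDER_MANAGED_VARS = {"DATABASE_URL"}

# Bare "host" or "host:port" values (e.g. SMTP_HOST) that carry no URL scheme.
HOST_ONLY = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")

# Constructed sample of what `heroku config --json` emits; credentials are fake.
SAMPLE_HEROKU_CONFIG = json.dumps({
    "DATABASE_URL": "postgres://u:pw@ec2-1-2-3-4.compute-1.amazonaws.com:5432/d1",
    "REDIS_URL": "redis://:pw@ec2-5-6-7-8.compute-1.amazonaws.com:6379",
    "API_BASE": "https://my-app.herokuapp.com/api",
    "S3_BUCKET": "my-bucket",
    "SMTP_HOST": "smtp.example.eu",
    "SECRET_KEY_BASE": "not-a-url",
})


def audit_config(config_json: str) -> dict[str, list[str]]:
    """Return {config_var: [findings]} for vars that still reference
    US-jurisdiction infrastructure. Only the variable name and hostname are
    reported, never the value, so embedded credentials are not echoed."""
    findings: dict[str, list[str]] = {}
    for name, value in json.loads(config_json).items():
        problems = []
        if name in PROVIDER_MANAGED_VARS:
            problems.append("provider-managed var; do not import")
        host = None
        if "://" in value:
            host = urlsplit(value).hostname
        elif HOST_ONLY.fullmatch(value):
            host = value.split(":")[0]
        if host and host.lower().endswith(US_JURISDICTION_SUFFIXES):
            problems.append(f"points at US-jurisdiction host {host}")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for var, problems in audit_config(SAMPLE_HEROKU_CONFIG).items():
        print(f"{var}: {'; '.join(problems)}")
```

Run it against your real heroku-config.json (replace SAMPLE_HEROKU_CONFIG with the file contents) and treat every finding as a data flow that has not actually left the Heroku/AWS stack yet.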
Salesforce-Specific Risk Factors
Beyond the standard CLOUD Act exposure, Salesforce has specific characteristics that elevate risk:
FedRAMP High Authorization
Salesforce Government Cloud holds FedRAMP High authorization, the highest US federal security clearance level. This means:
- Salesforce has been audited and approved for handling classified US government data
- Salesforce employees with security clearances have access to production systems
- US agencies have established technical and legal channels for data access
PRISM Program Participation
NSA PRISM program documents (Snowden 2013) included Salesforce as a participant provider. While Salesforce contested the characterization, it acknowledged cooperation with lawful government requests. The infrastructure that services PRISM requests is not siloed from commercial customer infrastructure.
Salesforce Government Cloud vs. Standard Cloud
Salesforce operates two distinct environments:
- Government Cloud (GovCloud): FedRAMP authorized, classified data, cleared personnel
- Commercial Cloud: Your Heroku app runs here
These environments share Salesforce's corporate identity, legal entity, and legal team. A National Security Letter served on Salesforce's legal department doesn't distinguish between GovCloud and commercial customers.
Marc Benioff's Relationships with US Government
Salesforce CEO Marc Benioff served on the President's Commission on Enhancing National Cybersecurity. Salesforce is a strategic partner to multiple US defense and intelligence agencies. While personal relationships don't automatically translate to data access, they indicate deep integration with US government priorities.
The Heroku "Sunset" Factor
In November 2022, Salesforce eliminated Heroku's free tier, signaling a strategic deprioritization. Since then:
- Multiple mass data breaches affected Heroku (2022 OAuth incident)
- Performance regressions with no public root-cause analysis
- Stack deprecations (Cedar-14, Heroku-18) forcing costly migrations
- Reduced investment in new features compared to competitors
Migrating from Heroku is no longer just about GDPR compliance — it's increasingly about reliability and future-proofing.
Who Should Migrate?
Migrate immediately (high GDPR risk):
- B2B SaaS processing EU customer data (emails, names, usage data)
- Healthcare applications (special category data, Art.9)
- Fintech/banking applications (sensitive financial data)
- Any application subject to German BSI, French ANSSI, or Dutch AP oversight
Migrate soon (moderate risk):
- Applications with EU users processing behavioral data (Art.6 basis contested)
- Companies seeking ISO 27701 or EU cybersecurity certifications
- Applications in NIS2-regulated sectors
Evaluate (lower risk, but consider long-term):
- Developer tooling with no personal data
- Internal applications with no EU user-facing components
Conclusion
Heroku's 22/25 CLOUD Act score reflects an irremediable structural problem: it is a product owned by Salesforce, Inc. — a US Delaware corporation with deep US government integration. The Frankfurt Private Space option costs $250/month minimum and doesn't eliminate CLOUD Act exposure because data jurisdiction follows legal entity structure, not geography.
For EU-based companies and any company serving EU users, Scalingo (0/25) offers the closest technical equivalent at comparable pricing, with full Heroku buildpack compatibility and a straightforward migration path. Koyeb (1/25) and sota.io (0/25) are strong alternatives for container-first workloads.
The question for EU developers is not "where are my servers?" but "who controls my servers?" After the Salesforce acquisition, the answer for Heroku has been unambiguous for 14 years.
This analysis uses the sota.io CLOUD Act Risk Framework (0-25 scale). Scores assess US government compellability, not service quality. All scores based on public corporate records, USASpending.gov data, and published legal documents. Last updated May 2026.
See Also
- Netlify EU Alternative 2026 — JAMstack PaaS, also US-incorporated with serverless on AWS Lambda (18/25)
- Fly.io EU Alternative 2026 — Container-based PaaS, lower CLOUD Act risk than Heroku (16/25)
- Northflank EU Alternative 2026 — UK-incorporated DevOps PaaS; avoids CLOUD Act but carries UK IPA 2016 risk
- EU Serverless PaaS Comparison 2026 — Full comparison: Netlify vs Fly.io vs Heroku vs Northflank risk matrix
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.