| Domain | SEAL |
|---|---|
| SOV-1 Strategic Sovereignty | SEAL-0 |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 |
| SOV-3 Data & AI Sovereignty | SEAL-0 |
| SOV-4 Operational Sovereignty | SEAL-0 |
| SOV-5 Supply Chain Sovereignty | SEAL-1 |
| SOV-6 Technology Sovereignty | SEAL-0 |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 |
| SOV-8 Environmental Sustainability | SEAL-2 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | Heroku is a wholly owned subsidiary of Salesforce, Inc., a US company headquartered in San Francisco; no EU/EEA legal entity controls it (src: https://en.wikipedia.org/wiki/Heroku). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Heroku is already controlled by a large, stable US public company (Salesforce). The rubric measures the risk of a takeover by a non-EU sovereign actor; with an established non-EU parent already in place, such a transfer is very unlikely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Heroku has a public GitHub roadmap and customer feedback channels, but governance is fully Salesforce-controlled; EU actors have only voice-of-the-customer influence. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funding comes entirely from Salesforce, a US-based public corporation; effectively no EU capital. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | low | Salesforce has substantial EU operations and offices, but Heroku's value capture and R&D are predominantly US-based; some EU economic contribution at most. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of Heroku/Salesforce participation in Gaia-X, IPCEI-CIS or other EU strategic sovereignty programs for this product. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No evidence of a Heroku-specific action plan aligned with EU industrial/sovereignty strategies. |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | medium | No own stack (PaaS hosted on the non-EU hyperscaler AWS): on a vendor cut-off the service would stop, with only a delay for customers to migrate; there is no independent EU continuity path -> opt2 (seal 0). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | Heroku's terms are governed by Salesforce/US law; the contracting and controlling entity is non-EU only (src: https://www.salesforce.com/company/legal/agreements/). |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity (US parent Salesforce): the GDPR DPA, SCCs and BCRs are mitigation clauses only; full exposure to extraterritorial US law (CLOUD Act, FISA 702) remains -> opt2 (seal 1) (src: https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | Consistency (cluster norm 2.3=opt2): the foreign parent (Salesforce, US) can be compelled to grant access in specific cases (law-enforcement warrants under the CLOUD Act, national-security directives under FISA 702), and accompanying non-disclosure (gag) orders can prevent customer notification -> opt2 (seal 1). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | Consistency (cluster norm 2.4=opt2): the US export-control regime (EAR/OFAC sanctions) applies; there is no shielding targeted at EU member states and no >50% EU revenue dominance -> opt2 (restrictions towards EU citizens/intl orgs, seal 1). |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Heroku's platform IP is developed and owned by Salesforce in the US; IP originates entirely outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | The IP holder (Salesforce) sits under US law in a single non-EU country. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | medium | Heroku/AWS manage encryption at rest; customers have no exclusive customer-managed keys that would prevent provider access. Control is therefore primarily with the provider, although some Postgres/data encryption options exist. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Heroku provides app/platform logs and add-on logging, but data-access/usage logs are vendor-controlled and not independently auditable in real time. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows Salesforce/AWS internal policy and contractual commitments, but no independent cryptographic proof of irreversible erasure is offered to customers. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | no eu_exclusive: global-default US product; an EU (Ireland) region exists but Heroku states region selection does not guarantee confinement and the control plane, add-ons and support involve third-country (US) processing -> opt2 (significant third-country reliance, seal 0) (src: https://devcenter.heroku.com/articles/security-privacy-compliance). |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | Heroku Managed Inference proxies non-EU models (Anthropic Claude, OpenAI-compatible and open-weight models) running on US hyperscaler infrastructure with foreign accelerators; mostly non-EU licensed AI with chip dependency. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Heroku offers standard documented data export, pg:backups, and OCI-compliant Cloud Native Buildpacks that produce portable container images runnable on other platforms. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | Critical platform operations, engineering and control plane are delivered by Salesforce/AWS US-based teams; cannot operate without non-EU dependencies. |
| SOV-4.3 | Skill availability in the EU | 1. Global team, mainly non-EU | 0/167 | SEAL-1 | low | consistency (US-parented cluster norm 4.3=opt1): Heroku/Salesforce engineering and SRE staff are a global, predominantly US team; EU skill availability is a minority -> opt1 (seal 1). |
| SOV-4.4 | Support channels | 1. Global, majority outside EU | 0/167 | SEAL-1 | medium | Heroku support is a global, follow-the-sun model run by Salesforce, with the majority of support staff outside the EU. |
| SOV-4.5 | Documentation & knowledge transfer | 1. Global/non-EU exposure | 0/167 | SEAL-0 | medium | Documentation (Dev Center) and knowledge repositories are global/US-hosted with non-EU exposure; no EU-only knowledge transfer guarantees. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | medium | Heroku depends on AWS (US) as primary subcontractor; if cut off the service would stop with only a delay for customer reaction, no readily substitutable EU alternative. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 1. No disclosure | 0/143 | SEAL-1 | low | Heroku runs on AWS; the physical component origins of underlying servers are not disclosed to Heroku customers. |
| SOV-5.2 | Manufacturing location | 1. Fully foreign, black box | 0/143 | SEAL-1 | low | Underlying hardware is AWS-operated and foreign-manufactured, effectively a black box to Heroku and its customers. |
| SOV-5.3 | Embedded code/firmware provenance | 1. No disclosure | 0/143 | SEAL-4 | low | Firmware/embedded code provenance of the underlying AWS hardware is not disclosed. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | Consistency (cluster norm 5.4=opt2): the core platform/control plane is closed, US-developed Salesforce software, but Heroku open-sources its Buildpacks/Cloud Native Buildpacks, giving partial disclosure of foreign-origin software; same profile as the other self-developed US PaaS offerings -> opt2 (seal 2) (src: https://github.com/heroku/buildpacks). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build and release are controlled and executed by Salesforce in the US; non-EU control and execution. |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | high | Heroku depends entirely on non-EU vendors (Salesforce, AWS) for the platform and infrastructure. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | A sub-processor list and SOC reports exist, but only some suppliers are independently auditable by customers; full supply-chain audit rights are not provided. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Heroku exposes a documented REST Platform API and OCI/CNB images (partial openness) but the managed PaaS itself is proprietary with significant lock-in. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Heroku adopts several open standards (OCI images, buildpacks, standard language runtimes, OpenAI-compatible API) but only partially across core services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | Buildpacks and CNBs are open source, but the core Heroku platform/control plane is closed-source and vendor-controlled by Salesforce. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Heroku publishes extensive Dev Center documentation and architecture descriptions (some public insight) but customers cannot inspect or modify the underlying platform. |
| SOV-6.5 | HPC sovereignty | 1. Imported black-box HPC | 0/200 | SEAL-0 | low | Heroku offers no sovereign HPC; any high-performance/accelerator compute is imported black-box capacity via AWS. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | high | Certs: Heroku holds ISO 27001/27017/27018 and SOC 1/2/3 (no SecNumCloud, EUCS or Common Criteria EAL); per the scoring key, ISO 27001 + SOC 2 maps to opt3 (EAL2-equivalent, seal 2) (src: https://www.heroku.com/compliance/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Salesforce/Heroku provide GDPR DPA, SCCs/BCRs and security attestations (partial compliance to most EU regimes), but full DORA/NIS2 conformance is not independently demonstrated for this product. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Salesforce SOC/incident response is a global, hybrid EU/non-EU function; not an EU-resident SOC with EU threat intel. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get application/platform logging plus a monitoring portal and add-ons, but security monitoring of the underlying platform is provider-controlled; customer visibility is basic. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Salesforce has GDPR/NIS2-aligned breach notification obligations and contractual SLAs for incident disclosure (moderate compliance). |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Heroku schedules platform maintenance; customers have limited autonomy and follow vendor maintenance windows for the underlying platform. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No audit rights: independent audit is limited to shared SOC/ISO reports; customers cannot have arbitrary third parties audit the platform directly -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Heroku runs on AWS, whose data centres report a fleet PUE below 1.5 together with efficiency roadmaps; Heroku itself does not publish a verified figure for its own workloads -> opt3 (PUE<1.5 + roadmap) (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | AWS (the underlying operator) runs documented hardware reuse and recycling programs; Heroku inherits this rather than certifying its own EU lifecycle -> opt3 (documented program) (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Salesforce publishes an annual stakeholder-impact/sustainability report covering its operations and infrastructure, though not under an EU-specific audited methodology for Heroku -> opt3 (annual report) (src: https://www.salesforce.com/company/sustainability/). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Underlying AWS regions use a mix of EU and non-EU energy supplies; AWS targets renewable matching but the supply mix is not exclusively EU/green for Heroku workloads (src: https://sustainability.aboutamazon.com/products-services/aws-cloud). |