Heroku, Data Protection, and GDPR

#1 by Victor

Hello everyone,

Some of us in Europe have been struggling with increased data protection regulations. A typical question we often get is whether Heroku is ‘safe-to-use’ according to E.U. regulations. After many discussions with my I.T. department and data protection officer, I found a way for my institution to use Heroku without worrying about European data protection requirements. In this post, I share some details for those looking to resolve data protection questions with their academic institution.

Can I use Heroku when I am working for a European Institution?
It may depend on how flexible your institution is! Some institutions no longer want the hassle of working with third parties like Heroku for (temporary) data storage and cloud services. They will probably prefer that you use their internal services or another third party with which they have a contract or Data Protection Agreement (DPA). However, other institutions (like mine) are more flexible and will be willing to set up a contract and DPA with Salesforce (the company behind Heroku). Salesforce seems dedicated to working with (European) institutions to set these things up.

What is the problem that everyone seems to be so worried about?
I am no lawyer, but I have been told that (predominantly European) institutions are concerned about using third parties headquartered in jurisdictions like the U.S. to host applications and data. The problem is that such third parties are often obliged to share their data with others like the U.S. government. Salesforce (the company behind Heroku) is located in California, U.S., and may have to share data if the government requests it. When the data in question originates from Europe and involves personally identifiable information (PII), it clashes with European data protection regulations. European institutions seem to deal with this potential liability differently. Some institutions put internal regulations in place preventing or otherwise discouraging their people from using third parties like Heroku. Others try to sign DPAs and contracts with such parties, ensuring that the data sharing policies are consistent with European regulations. One other option (in theory) could be for an institution to require that their people never collect and store PII on participants. However, the definition of PII is ambiguous, and I have yet to find an institution that puts so much trust in its people 😉.

So, what should I do if I am in Europe and want to use Heroku?
The issue I described seems to affect (academic) institutions in Europe. If you work for such an institution, it will not hurt to check with your I.T. department and data protection officer about data protection and Heroku. Ask them if they already have a DPA or contract with Salesforce. If not, you can ask them if you can set one up and ask whether they can set up a Heroku enterprise account for your team, department, or school. 

I hope this helps! Please be my guest to correct me if I made a mistake above. I am no expert on this topic at all. Thus, it is likely I do not understand these problems in detail. I just wanted to help people use Heroku if they had similar challenges at their institution.
