Heroku Shield Helps Envoy Accelerate Delivery of High Compliance Apps

Growing workplace management using Heroku Private Spaces, Enterprise Teams, and a data layer on AWS

Many companies face a common dilemma: the job of running the workplace itself can distract employees from the main mission of the organization. Operational tasks, such as handling visitors and packages, or finding and managing meeting rooms, are important, but secondary to business-focused activities, whether it be fixing cars, teaching children, or making software.

In 2013, Envoy's founder Larry Gadea set out with a mission of his own: to free employees from the mundane tasks of running a workplace. The startup's first product — visitor management — was just the beginning of a platform that can be described as "the operating system of the office." Today, the Envoy workplace platform also takes care of inbound packages and meeting room management, with more capabilities to come. Envoy's approach struck a chord with companies as varied as Mazda, The Salvation Army, and The Golden State Warriors basketball team.

From the very beginning, Envoy’s apps have run on Heroku and today Heroku sits at the heart of a multi-platform architecture, taking advantage of Heroku’s low-ops, high compliance offering.

An office setting with two iPads showing the Envoy interface

Envoy and Heroku: helping teams to focus

Both Heroku and Envoy share a common philosophy. Each company is dedicated to helping its customers focus on what they do best by removing many of the mundane tasks that would otherwise be a time-consuming or costly distraction. While Envoy frees organizations from the operational tasks of running a workplace, Heroku frees developers from the burden of setting up and maintaining their own application infrastructure. In both cases, customers are better able to deliver the unique value of their business.

For the Envoy team, Heroku’s optimized developer experience has enabled them to structure their engineering culture around a singular goal: getting high quality features from drawing board to users as quickly as possible. By placing Heroku at the end point of their CircleCI development pipeline, Envoy’s developers can deliver code from pull request, through staging, and into production with virtually no time lost to ops.

Heroku has been a part of Envoy’s infrastructure since their MVP in 2013. Today, the Envoy product suite is made up of four apps –– visitor check-in, package delivery, and meeting room management, plus an admin tool –– each running on Heroku and built using a combination of Ruby, Python, NodeJS, and Elixir. On the front end, users interact with Envoy through a web app built using EmberJS and native apps for both iOS and Android users.

The iPad and iOS interfaces for Envoy

Heroku Enterprise Teams simplified auth and permissions for Envoy

As their products matured, the Envoy team found that their needs evolved. By converting their relationship with Heroku to a Heroku Enterprise account, Envoy gained access to the solution to each of these needs.

It started with simplifying the management of a growing engineering organization. In particular, manual onboarding and offboarding team members was not ideal. Each time a new person joined or left, a manager had to take time out to run through a checklist and ensure appropriate permissions were granted or removed.

To streamline the process, Envoy adopted an external authentication provider, Okta. As a Heroku Enterprise customer, Envoy was able to connect the Okta-based single sign-on to Heroku Teams through Heroku Enterprise Accounts. Now, thanks to that connection, the Envoy team can add or remove people from their Heroku Teams automatically.

Connecting Okta to their Heroku Enterprise account brings other benefits, too. In particular, the granular permissions management of Heroku Enterprise Teams ensures that each member of the Envoy team has access only to the data and functionality necessary to do their job. When it comes to demonstrating compliance of Envoy’s code, the audit trail logging provided by Heroku Enterprise Accounts has helped Envoy to gain SOC2 compliance.

Enterprise Accounts have been a great help for us getting SOC2 compliance. Enterprise Account permissions are also a big step in security allowing us to move towards the principle of least privilege for our organization while still being easy to use for our development team. Mike Chan, VP of Engineering, Envoy

Enhancing privacy and performance with Heroku Private Spaces

Hundreds of thousands of organizations run successfully on Heroku's shared platform, known as the Heroku Common Runtime. As uptake of the Envoy offering grew, the Envoy engineering team looked for ways to do more with Heroku. In particular, they wanted to ensure they had full access to the platform's underlying CPU and memory resources. As a Heroku Enterprise customer, Envoy was able to migrate its apps from the Common Runtime to their own Heroku Private Space.

Heroku Private Spaces work in the same familiar way as the rest of the Heroku platform, except that they offer a network isolated Heroku runtime that is dedicated to that one customer. That gives the Envoy team a private network in which to run their dynos, meaning they get exclusive use of the runtime’s resources as well as total control over external network connections.

With ever more privacy-aware customers, the team looked to strengthen their platform’s compliance capabilities. As a Heroku Enterprise customer running in a Heroku Private Space, Heroku Shield was the natural solution.

Heroku Shield delivers HIPAA and PCI compliance

Envoy is built to handle and protect sensitive data. The comings and goings of visitors can hint at a company’s alliances, investments, and other undisclosed plans. Inbound packages could contain prototype products or sensitive legal documents. And as Envoy adds more products to its platform, it will continue to be a priority to closely protect any proprietary corporate information.

For the Envoy team, that means prioritizing data security at every level of their tech stack. Right across Heroku, each aspect of the platform meets strict data security and privacy standards, from organizations such as ISO and SOC, with frequent audits to ensure compliance.

Heroku Shield takes that compliance a step further by simplifying the building and deployment of high compliance applications for regulated industries. Through Heroku Shield versions of Heroku's core offerings, such as Shield Private Spaces and Shield Private Dynos, customers such as Envoy know that the platform beneath their code meets HIPAA and PCI standards in addition to the SOC and ISO compliance of the overall platform.

Security is vital to our customers. With Heroku Shield we know that compliance is taken care of at the platform level, so we can focus on our own code. Mike Chan, VP of Engineering, Envoy

Bring the best of Heroku and AWS together

After five years in business on Heroku, the team at Envoy began to wonder if they should follow in the footsteps of unicorn startups, such as Netflix, and move their infrastructure to Amazon Web Services. That sparked a year long, company-wide project to re-engineer its codebase in order to make the move.

As the re-platforming project got underway, it became clear that Envoy would not get a return on its engineering investment. The move to AWS would be costly in two ways. First, there was the one-off engineering effort required to adapt their codebase to AWS. Longer-term, though, the Envoy team realised that AWS would make it harder for them to execute. Bringing new features to market would take longer, as developers would have to make time for specifying, testing, and implementing infrastructure changes. Similarly, day-to-day running of the platform would cost more as dedicated DevOps specialists would be needed to take care of the increased complexity of working with AWS.

Although time consuming, the project to move to AWS was not a waste. The Envoy team successfully migrated their data layer from Heroku Postgres to AWS RDS, enabling them to tune niche environmental aspects of their databases while retaining the operational simplicity of deploying their code to Heroku.

Today, that puts Heroku at the heart of a hybrid architecture where application code runs in Heroku Private Dynos, relying on a data layer provided by AWS. Two distinct Heroku characteristics make that possible.

The first is Heroku’s flexibility: Heroku makes no demands about where services should run. The second is Heroku’s dedication to simplifying compliance. Not only are Envoy’s Heroku Shield Private Dynos highly compliant, but the connection between the Heroku apps and the AWS data layer is also secure. Heroku Private Spaces feature a number of ways to make secure network connections to external networks, whether that be a corporate VPN or services provided by another cloud service. In Envoy’s case, there is a secure network connection via VPC peering directly between their Heroku Private Dynos and their AWS data layer.

Using Heroku saves Envoy 15% in headcount costs

During their evaluation of AWS, the Envoy team calculated the total cost of staying with Heroku versus migrating away. They were struck by just how much money Heroku saved them, in comparison to an equivalent deployment on AWS. While some of the list pricing for Heroku was higher than running the same workloads in AWS, the additional headcount required to maintain their apps in AWS would wipe out any potential savings. In fact, migrating to AWS would require a 15 percent increase in team size.

Hiring experienced engineers is both hard and expensive. By reducing their headcount needs, Heroku not only saves Envoy money but, perhaps more importantly, it helps Envoy to execute faster with a smaller team.

You can either spend 15% of your headcount on DevOps people, or you can use Heroku. In today's market, it’s a lot smarter to make your engineering team 15% more efficient. Mike Chan, VP of Engineering, Envoy

Envoy’s future is with Heroku

Heroku is central to enabling Envoy’s long-term strategy by streamlining feature development, reducing operational costs, and simplifying compliance. And for the future, Heroku will be key to Envoy’s plan to expand internationally.

With many European countries requiring that their citizens’ data reside in EU-based data centers, Envoy expects to take full advantage of the location flexibility that Heroku Private Spaces offers. With a Private Space, Envoy can specify the particular EU city where they want to run their Private Dynos and then use a private network connection to link those dynos to their Europe-based data layer.

Envoy has grown up with Heroku from its first MVP in 2013 to a multi-product offering used by some of the world’s best known organizations. In considering a move to AWS, Envoy recognized that Heroku was more than just a deployment platform. Instead, Heroku is a vital aspect of what has made Envoy a success.

Inside Envoy on Heroku

Envoy offers a platform of workplace management tools, using a mix of Ruby on Rails, Node.js, Python, and Elixir. To ensure the security compliance demanded by its customers, workloads run in Heroku Shield Private Spaces, which are linked by VPC peering to Envoy's AWS-hosted data layer. Heroku Enterprise Teams, linked to Okta identity management, enables the Envoy team to onboard and offboard engineers easily.