Conclusions. Google's SLA is the best. This alone is why many companies we've worked with have chosen App Engine. Also, App Engine is mature. However, App Engine might not be our first choice for a legacy app, considering the amount of work we might have to do. We'd be even more concerned about lock-in for new apps. We'd want to do a lot more due diligence to prove we weren't stuck. When your stock price is $718 per share, investors are going to look to you to provide that value somewhere. Companies who base their entire infrastructure on you and can never leave would be one way you could do that in the long run.
In development since 2007, Heroku is one of the original PaaS offerings. It was acquired by Salesforce.com in 2008. Heroku employs Yukihiro "Matz" Matsumoto, the creator of the Ruby programming language. In addition to Ruby, Heroku supports Java, Python, Node.js, Clojure, Grails, Gradle, Scala, and Play.
Differentiators. Heroku's key differentiator is its maturity. It has been publicly available for a number of years, and it enjoys a large marketplace of plug-ins. The company said more than 2.35 million apps are running live on the platform today. It noted that its official support for nine languages, and its many more community contributed languages and frameworks, differentiate Heroku from other PaaS offerings.
Lock-in. Heroku describes its PaaS as a 100% open platform that offers a native developer experience for both IDE-centric and command-line centric developers. In response to the lock-in question, the company said that code written to run on Heroku around modern best practices can easily run on any other standards-based platform, in-house or in the cloud.
Indeed the risks of lock-in do not seem more significant than with other PaaS offerings. We were able to deploy the Granny application without significant changes. However, it would be interesting to see how easy or difficult it is to dump data from a PostgreSQL or MySQL instance on Heroku.
Security. Heroku publicly lists its security compliance, noting mainly that it sits on Amazon Web Services infrastructure and Amazon is compliant with ISO 27001, SOC 1/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX). PCI compliance is provided by offloading credit card processing to a compliant third-party service.
Who's using it? Heroku said that it sees adoption from small startups through the largest enterprise customers in the world. It lists a good number of reference accounts, including social and Facebook apps, digital media sites, corporate marketing sites, city government sites, and more. In addition to those listed on the website, the company pointed to "exciting adoption" by Macy's, which is building Java apps on Heroku.