We were in the same situation as you with our startup. Heroku was killing us. Just bite the bullet and go to AWS. It's not bad at all.
I did hit a snag with RDS - but found a helpful consultant who helped me for a few hours. He made good money and now we have a guy who can jump in and provide a direction when things get too complicated.
Costs are down dramatically and we are SOC 2 certified now. No regrets.
I've been on this journey many times, with startups to large enterprises. In my experience, going all in on a cloud provider of your choosing provides the best long-term outcome. While IaC brings some complexity, you can recreate a Heroku-like experience using AWS primitives fairly quickly.
Feel free to shoot me a note: jason at mantle dot systems
It was way too expensive last I checked. We needed SOC 2 for HIPAA audits, so we stuck with dedicated AWS instances.
Enterprise Heroku would have paid the salary of a decent devops person.
If you can afford it and pass the costs on to customers, that’s great.
Have you looked into Dokku?
(Disclaimer: I'm the founder of Aptible)
You might want to check us out: https://www.aptible.com/ . We built Aptible as an alternative to Heroku for startups that have more demanding requirements around security, compliance, reliability and scalability. Most of our customers look like yours: fast-growing startups who don't want to dedicate engineering resources to infrastructure.
Features required or useful for SOC 2 (like dedicated networking/load balancing/compute, SAML, granular RBAC) are core parts of the platform. Additional features like host/network IDS, vulnerability scanning and compliance dashboards/reporting are also available, at a much lower price than Heroku Enterprise.