rest – Is it a bad thing to delegate a legend to an external system, given that my current system can not do it?

The custom code written for the Salesforce platform is unable to make a PATCH request to an external server (PUT and POST are correct though) and I have to make a PATCH request to an external service (Microsoft Graph).

Although authentication can be handled with a POST request directly from SF to MSG, by obtaining the access token, I can not issue the second call, which is a PATCH. To do this, I wrote a simple Heroku-based Flask application that receives a POST request, and then uses the Requests library to send the PATCH request to MSG.

From a practical point of view, it works as expected. However, from a safety point of view, I would like to confirm whether it is reasonable to assume that this approach is equally safe.

The Heroku dyno receives a POST containing the token, the endpoint to call and a "payload" that matches the exact JSON that I would send directly to MSG. Of course, the connection to the dyno is secured via HTTPS and the SF administrator has access to the URL (but not the dyno code and repository). So, the Flask app knows who to call, which token to use, and what JSON data to send.

Since the dyno stores nothing and just transmits the legends, can this be considered a safe approach?