Security at Postman

Postman is a cloud-based platform trusted by nearly 500,000 organizations to protect sensitive API data at scale. Learn how we prioritize security with encryption, robust platform and product safeguards, and features that help you enforce API governance across your organization. To view and download compliance documents, visit the Postman Customer Trust Portal.


Key security features

  • Bring your own key (BYOK) enables teams to manage and control their own encryption keys, ensuring full ownership of sensitive API data in the Postman Cloud.
  • Postman Vault includes Postman Local Vault and Postman Vault integrations. Postman Local Vault ensures sensitive data you store in your local Postman instance never syncs to the cloud, while Postman Vault Integrations allow you to integrate with external vaults, such as 1Password, AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault.
  • Postman API key management enables you to maintain compliance and security. Create API keys, set expiration dates, and revoke API keys as needed.
  • Audit logs track key activities related to security access and team management for the past 180 days.
  • Secret Scanner includes two features that help safeguard your organization from potential threats. Cloud Secret Detection examines your public and private workspaces as well as collections, environments, and documentation to find exposed secrets. Local Secret Protection enables you to selectively control which secrets can leave your company network.
  • Role-based access control lets you assign granular access with different roles and permissions.
  • Two-factor authentication (2FA) adds an extra layer of security when you log in using a password.
  • Single sign-on (SSO) allows you to manage Postman access through a supported identity provider (IdP).
  • SCIM provisioning enables you to automate user provisioning and deprovisioning via your identity provider (IdP).

Bug bounty program

We invite anyone to identify and report potential security vulnerabilities in the API Platform. Postman runs a private bug bounty program with HackerOne.

Please review our security reporting guidelines and policy →

Shared responsibility model

Through our shared responsibility model, we rely on our users to help safeguard their data and credentials in Postman. We strongly encourage customers, security teams, and developers to use Postman securely.

For more information, read the best practices to help you keep your sensitive data secure and private in Postman.

Regulatory compliance and standards

We comply with industry standards and regulations to protect our corporate and customer data. To download compliance documents, visit the Postman Customer Trust Portal.

  • SOC 2 and SOC 3
  • PCI DSS
  • GDPR
  • CCPA
  • The Cloud Security Alliance's STAR Registry

Privacy at Postman

At Postman, we have implemented policies and programs to manage privacy appropriately and securely.

Privacy policy

Our privacy policy explains what information we collect, how we share/store/secure that information, and how to access and control your information.

Review the Postman privacy policy →

Global data privacy frameworks

Postman complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF). We have received certification approval from the U.S. Department of Commerce. This confirms our adherence to the EU-U.S. DPF Principles concerning the processing of personal information uploaded or created by customers on our platform services.

Learn more about Postman's certification →

Postman Reliability

We design with reliability in mind so you and your team can use Postman with confidence.

Postman's cloud infrastructure

Our infrastructure is built on redundancy across the storage, network, and compute layers, with failover across availability zones for reliability and intelligent, elastic scaling. Within this framework, we use Amazon RDS Aurora for storage. All user data is encrypted and stored as six copies across three locations (Aurora's storage layer replicates each write to six copies across three Availability Zones).

Availability

With a 99.9% SLA on our Enterprise plan, your team can focus on your company's needs. For information about scheduled maintenance, disruptions, and the latest uptime details, see our status page.

Frequently Asked Questions

What are Postman's data encryption and key management practices?

Postman uses strong encryption (AES-256-GCM) for data at rest and TLS for data in transit. All sensitive data, including environment variables, secrets, and access tokens, is encrypted at the application layer and managed via a key management system (KMS).

Enterprise customers can also opt for Postman's Bring Your Own Key (BYOK) encryption feature, which enables them to manage and control their own encryption keys. These keys are never accessible by Postman, and all encryption events are logged for compliance and auditing.

Postman does not use customer data in internal testing. All validation and QA efforts are conducted on a production-mirrored internal stack using fictitious data only.

We keep your data in secure offline backups for 15 days after you delete your account or end your relationship with us. After that period, Postman permanently deletes your data from the product.

How does Postman protect data centers?

Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security. Our company's product data and backups are hosted on AWS servers in the EU and the U.S., which offer strong security and privacy-focused features.

How does Postman secure its applications?

Postman secures its applications at every layer and phase, from development to deployment and operation. Our applications run on the latest stable version of Node.js, an open-source JavaScript runtime. We use containerization to isolate software, set architectural security guidelines, and perform code reviews. Industry standards and security frameworks are applied throughout the software development lifecycle, including testing for OWASP vulnerability classes. Third-party firms validate the security of our ecosystem annually, and our bug bounty program allows anyone to report potential vulnerabilities in the Postman API Platform.

Our automated and manual code review processes look for code that could violate corporate security policies. Operating systems on our devices are patched automatically through their built-in update mechanisms.

What are Postman's vulnerability management processes?

We monitor the security of our products and applications through various ongoing activities, including regularly scheduled Vulnerability Assessment and Penetration Testing (VAPT) for all product releases.

We also conduct vulnerability scans on the network, application, and operating system layers at regular intervals throughout the year, enabling us to patch vulnerabilities across Postman's computing devices and applications.

All issues found are assigned a Common Vulnerability Scoring System (CVSS) score, an owner, and a remediation deadline based on an internal Service Level Agreement (SLA) for fixing vulnerabilities. Where necessary, we may also disable or remove affected services.

Additionally, we use an automated tool for source code analysis, which runs before every production release. This tool covers vulnerabilities in open-source software and libraries. You can view applicable third-party licenses and a list of open-source software.

Does Postman share customer data with any of its third-party partners or sub-processors?

We only share information with third parties to help us operate, support, and market our services. We do not sell your data for commercial purposes or "share" data as defined under the CCPA and CPRA. All third-party vendors, including our sub-processors, undergo a privacy risk assessment and are required to execute our standard vendor DPA. Prospective customers can request these documents through our Customer Trust Portal. You can also view the complete list of Postman sub-processors.

How does Postman manage attack prevention and mitigation?

We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage.

We also implement measures to detect and prevent log tampering or interruptions. To detect security breaches, automated systems monitor access patterns and network data flows and alert us to anomalies. In addition, we run automated scans on each feature release to catch security issues in third-party libraries before they ship.

In the event of a customer-reported breach, our leadership team is notified automatically, and in accordance with Postman's corporate policies we respond to the report within a few hours.

What is Postman's incident response policy?

Our company has incident response policies and procedures to help mitigate cyber risks around service availability, integrity, security, privacy, and confidentiality. Under these procedures, we train our Postman teams to:

  • Promptly respond to alerts of potential incidents
  • Analyze and assess the severity of potential incidents
  • Execute mitigation and containment measures
  • Communicate with relevant internal and external stakeholders. Doing so includes notifying affected customers and meeting contractual obligations around breach or incident notifications.
  • Gather and preserve forensic evidence for investigative efforts
  • Conduct and document a postmortem and develop a plan for permanent remediation

The incident response policies and processes are audited as part of our System and Organization Controls (SOC 2) and other security assessments.

How can I contact Postman Security to report potential abuse or vulnerabilities?

Please contact our customer support team or security@postman.com to report potentially abusive behavior or malicious activity involving Postman accounts or resources.

To report a vulnerability, check out our reporting page on HackerOne. Security researchers should also review our security guidelines and policy for reporting security vulnerabilities through our bug bounty program.

If you want additional information about our security policies, please contact us at security@postman.com. You can use our PGP public key to encrypt your communications with us.