Security and Trust FAQ

Find answers to some of our company's most common security questions.

Postmanaut teaching another Postmanaut. Illustration.

FAQ

Does Postman adhere to information security standards?

Postman complies with global industry standards on data security and privacy, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.

We also undergo annual compliance assessments to validate our practices, including the System and Organization Controls (SOC 2) and Microsoft's Supplier Security and Privacy Assurance (SSPA). These assessments cover our company's security, availability, and confidentiality practices.

Download SOC 2 and 3 reports on the Postman Security and Trust Portal. Also, please access our compliance and security pages for more information about our practices.


What is customer data?

Customer data definitions can vary by user and contract. Your data includes any materials, software, data, personal information, or other information, including API keys, that you upload or submit through our services. Your data is your property. Access our privacy policy to learn how Postman collects, uses, and shares your data.


What are Postman's data encryption and key management practices?

We use cryptographic methods and industry standards to protect customer data in transit between Postman clients, the cloud, and at rest. For example, all communications and data in transit over the internet require the latest version of Transport Layer Security, a cryptographic protocol that provides end-to-end encryption. By default, encryption is also enabled on all our services that contain data at rest.

Also, your sensitive data at rest is encrypted on the server side before storage using AES-256-GCM. The Advanced Encryption Standard with Galois Counter Mode (AES-GCM) provides authenticated encryption, which ensures data confidentiality and integrity.

Other encryption methods include securing customer and company data at the application layer using AES-256-GCM. We encrypt sensitive data, including environment variables, access and refresh tokens, and AWS secret keys. Postman also encrypts your data using a key management service from Amazon Web Services (AWS). In addition, we have key management capabilities to encrypt sensitive data at the application layer.


How does Postman secure its applications?

Postman has controls at every layer and phase to secure its applications. We protect our applications during the software development lifecycle, deployment, and operation phases. We also minimize risks to our applications by isolating them through containerization, which keeps software in safe containers. We also set architectural security guidelines and perform code reviews.

Furthermore, we use security frameworks and industry standards throughout our software development life cycle. We uncover any OWASP vulnerabilities during software security testing. In addition, Postman's product ecosystem's security is validated annually by working with third-party firms. We also have a private bug bounty program, in which security researchers can report potential software vulnerabilities in our services.

Learn about Postman's software security practices.


What are Postman's vulnerability management processes?

We conduct vulnerability scans on the network, application, and operating system layers, enabling us to patch vulnerabilities across Postman's computing devices and applications. We also may remove and turn off services.

We also have visibility into what software is installed on systems and can mitigate issues. For example, any software installed is reported to a central repository for analysis. We also have patching mechanisms built into the operating systems to update devices automatically. Access our vulnerability management practices.


How does Postman respond to potential security incidents?

Our company has policies and procedures for handling potential incidents and responding adequately, including conducting investigations, containment, and mitigation measures. Learn more about Postman's incident response practices.


How does Postman protect data centers?

Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security; our company's product data and backups are hosted in the U.S. on AWS servers.


How does Postman respect privacy?

We are committed to data privacy and protection. Postman only collects and retains customer information for business purposes. We respect your privacy and give you control over your data. Learn more about privacy at Postman.


Does Postman offer a Data Processing Agreement?

Yes. We provide a Data Processing Agreement to customers under regulatory requirements.


How does Postman manage customers' data after they stop using the product?

We keep your data in secure offline backups for 15 days after you delete your account or end your relationship with us. After that period, Postman permanently deletes your data from the product.


Does Postman share customer data with any of its third-party partners or sub-processors?

We share information with third parties that help us operate, support, and market our services. Before onboarding, all third parties and sub-processors undergo a security and risk assessment. Please view the complete list of Postman sub-processors.


Does Postman sell my data?

No. We do not sell any customer data.


How do I report a privacy incident?

Send us an email at security@postman.com.


How do I delete my Postman account?

View the instructions on the Postman Learning Center to delete your account.


Are API responses stored in logs?

No. Postman does not log API responses by default. However, you can keep responses in your Postman History if you want to save responses.


How does Postman secure its workforce and corporate environment?

Postman has HR processes to secure its workforce. For example, all new workers complete a background screening and verification before employment or access to any systems. Plus, during onboarding, we've implemented technical controls assigning role-based access to applications and systems, enabling us to restrict accounts and customer data.

We also have procedures that protect data by revoking access to tools, accounts, and applications for workers who have been terminated or left Postman.

All new hires and workers complete privacy and cybersecurity training annually.


What if I have other questions?

Contact Postman Support or explore our security, privacy, compliance, and reliability pages.


Postman Security and Trust Portal

Access Postman's security and compliance documents on our Security and Trust Portal, such as penetration testing and audit reports.

Visit our Security and Trust Portal
POST/CON 2024 Banner

Postman's annual user conference

Gain new skills through hands-on workshops, hear from industry leaders, and join conversations about innovation, APIs, and the future of software.