Security and Trust FAQ

Customer data definitions can vary by user and contract. Your data includes any materials, software, data, personal information, or other information, including API keys, that you upload or submit through our services. Your data is your property. Access our privacy policy to learn how Postman collects, uses, and shares your data.

We use cryptographic methods and industry standards to protect customer data in transit between Postman clients, the cloud, and at rest. For example, all communications and data in transit over the internet require the latest version of Transport Layer Security, a cryptographic protocol that provides end-to-end encryption. By default, encryption is also enabled on all our services that contain data at rest.

Also, your sensitive data at rest is encrypted on the server side before storage using AES-256-GCM. The Advanced Encryption Standard with Galois Counter Mode (AES-GCM) provides authenticated encryption, which ensures data confidentiality and integrity.

Other encryption methods include securing customer and company data at the application layer using AES-256-GCM. We encrypt sensitive data, including environment variables, access and refresh tokens, and AWS secret keys. Postman also encrypts your data using a key management service from Amazon Web Services (AWS). In addition, we have key management capabilities to encrypt sensitive data at the application layer.

Postman has controls at every layer and phase to secure its applications. We protect our applications during the software development lifecycle, deployment, and operation phases. We also minimize risks to our applications by isolating them through containerization, which keeps software in safe containers. We also set architectural security guidelines and perform code reviews.

Furthermore, we use security frameworks and industry standards throughout our software development life cycle. We uncover any OWASP vulnerabilities during software security testing. In addition, Postman's product ecosystem's security is validated annually by working with third-party firms. We also have a private bug bounty program, in which security researchers can report potential software vulnerabilities in our services.

Learn about Postman's software security practices.

We conduct vulnerability scans on the network, application, and operating system layers, enabling us to patch vulnerabilities across Postman's computing devices and applications. We also may remove and turn off services.

We also have visibility into what software is installed on systems and can mitigate issues. For example, any software installed is reported to a central repository for analysis. We also have patching mechanisms built into the operating systems to update devices automatically. Access our vulnerability management practices.

Our company has policies and procedures for handling potential incidents and responding adequately, including conducting investigations, containment, and mitigation measures. Learn more about Postman's incident response practices.

Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security; our company's product data and backups are hosted in the U.S. on AWS servers.

We are committed to data privacy and protection. Postman only collects and retains customer information for business purposes. We respect your privacy and give you control over your data. Learn more about privacy at Postman.

Yes. We provide a Data Processing Agreement to customers under regulatory requirements.

We keep your data in secure offline backups for 15 days after you delete your account or end your relationship with us. After that period, Postman permanently deletes your data from the product.

We share information with third parties that help us operate, support, and market our services. Before onboarding, all third parties and sub-processors undergo a security and risk assessment. Please view the complete list of Postman sub-processors.

No. We do not sell any customer data.

Send us an email at security@postman.com.

View the instructions on the Postman Learning Center to delete your account.

No. Postman does not log API responses by default. However, you can keep responses in your Postman History if you want to save responses.

Postman has HR processes to secure its workforce. For example, all new workers complete a background screening and verification before employment or access to any systems. Plus, during onboarding, we've implemented technical controls assigning role-based access to applications and systems, enabling us to restrict accounts and customer data.

We also have procedures that protect data by revoking access to tools, accounts, and applications for workers who have been terminated or left Postman.

All new hires and workers complete privacy and cybersecurity training annually.

Contact Postman Support or explore our security, privacy, compliance, and reliability pages.