Security and Trust FAQ
Find answers to some of our company's most common security questions.
FAQ
Does Postman adhere to information security standards?
Postman complies with global industry standards on data security and privacy, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.
We also undergo annual compliance assessments to validate our practices, including the System and Organization Controls (SOC 2) and Microsoft's Supplier Security and Privacy Assurance (SSPA). These assessments cover our company's security, availability, and confidentiality practices.
Download SOC 2 and 3 reports on the Postman Security and Trust Portal. Also, please access our compliance and security pages for more information about our practices.
What is customer data and personal data?
Customer data includes content you upload or create using our Services. You can find your rights regarding "Your Content" in our Terms of Service.
In addition, our privacy program protects personal data in accordance with global privacy regulations, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as the growing body of privacy laws in U.S. states and around the world.
We minimize the personal data we collect to what is needed for business purposes, including provisioning user seats and authentication. We also prohibit the upload of sensitive personal information and other highly regulated data into our development platform and discourage the use of personal data for testing.
Please read our Privacy Policy to learn how Postman collects, uses, transfers and shares your data.
What are Postman's data encryption and key management practices?
We protect customer data using cryptographic methods and industry standards. All data in transit is encrypted using modern Transport Layer Security encryption algorithms. At rest, data is encrypted by default using AES-256-GCM, ensuring confidentiality and integrity. We also secure sensitive data, such as environment variables and tokens, at the application layer with AES-256-GCM and manage encryption keys through AWS.
For more information, read our security page.
How does Postman secure its applications?
Postman secures its applications at every layer and phase, from development to deployment and operation. We use containerization to isolate software, set architectural security guidelines, and perform code reviews. Industry standards and security frameworks are applied throughout the software development lifecycle, with testing for OWASP vulnerabilities. Annually, third-party firms validate our ecosystem's security, and our bug bounty program allows anyone to report potential vulnerabilities in the Postman API Platform.
Learn about Postman's software security practices.
What are Postman's vulnerability management processes?
We conduct vulnerability scans on the network, application, and operating system layers, enabling us to patch vulnerabilities across Postman's computing devices and applications. We also may remove and turn off services.
We also oversee what software is installed on Postman systems and can mitigate issues. For example, any software installed is reported to a central repository for analysis. We also have patching mechanisms built into the operating systems to update devices automatically.
Read about our vulnerability management practices.
How does Postman respond to potential security incidents?
Our company has policies and procedures for handling potential incidents and responding adequately, including conducting investigations, containment, and mitigation measures. Learn more about Postman's incident response practices.
How does Postman protect data centers?
Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security. Our company's product data and backups are hosted on AWS servers in the EU and U.S., which offer strong security and privacy-focused features.
How does Postman respect privacy?
Our comprehensive privacy program implements best practices for collecting, using, sharing, international transfers, and deleting personal information. We believe that your personal information is your property, and we respect your privacy rights and preferences, including through up-to-date cookie controls and other collection mechanisms.
We also require the execution of standard Data Privacy Agreements (DPAs), which include security requirements and Technical and Organizational Measures (TOMs) for customers and vendors we contract with.
How can I access the Postman Data Processing Addendum?
Prospective customers can request access through our Security and Trust Portal.
Is Postman a member of the EU-U.S. Data Privacy Framework?
Postman received early certification approval from the U.S. Department of Commerce as a participant in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF). This approval acknowledges that Postman is compliant with the EU-U.S. data privacy requirements pursuant to the European Commission's July 2023 adoption of the adequacy decision.
Read Postman's certification.
How does Postman manage customers' data after they stop using the product?
We keep your data in secure offline backups for 15 days after you delete your account or end your relationship with us. After that period, Postman permanently deletes your data from the product.
Does Postman share customer data with any of its third-party partners or sub-processors?
We only share information with third parties to help us operate, support, and market our services. We do not sell your data for commercial purposes or "share" data as defined under the CCPA and CPRA. All third-party vendors, including our sub-processors, undergo a privacy risk assessment and are required to execute our standard vendor DPA.
Please view the complete list of Postman sub-processors.
Does Postman sell my data?
No. We do not sell any customer data.
How do I delete my Postman account?
View the instructions on the Postman Learning Center to delete your account.
Are API responses stored in logs?
No. Postman does not log API responses by default. However, you can keep responses in your Postman History if you want to save responses.
How does Postman secure its workforce and corporate environment?
Postman has HR processes to secure its workforce. For example, all new workers complete a background screening and verification before employment or access to any systems. Plus, during onboarding, we've implemented technical controls assigning role-based access to applications and systems, enabling us to restrict accounts and customer data.
We also have procedures that protect data by revoking access to tools, accounts, and applications for workers who have been terminated or left Postman.
All new hires and workers complete privacy and cybersecurity training annually.
What if I have other questions?
Contact Postman Support after reading our security, privacy, compliance, reliability, and legal pages.
Explore the Postman Learning Center for documentation and support resources.
Postman Security and Trust Portal
Access Postman's security and compliance documents on our Security and Trust Portal, such as penetration testing and audit reports.