Security at Postman

Learn how our company prioritizes data protection through encryption, product and application security, and organizational measures. We also cover API governance and security features in Postman.


Data security

All customer data is stored on the Amazon Relational Database Service and configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only in the private cloud. We have also instituted per-service access protection and data isolation.

We use cryptographic methods and industry standards to protect customer data in transit between Postman clients, the cloud, and at rest. For example, all communications and data in transit over the internet require the latest version of Transport Layer Security, a cryptographic protocol that provides end-to-end encryption. By default, encryption is also enabled on all our services that contain data at rest.

Also, your sensitive data at rest is encrypted on the server side before storage using AES-256-GCM. The Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) provides authenticated encryption: it protects both the confidentiality and the integrity of the data, so tampered or forged ciphertext is rejected rather than decrypted.

We also secure customer and company data at the application layer using AES-256-GCM. This covers sensitive values such as environment variables, access and refresh tokens, and Amazon Web Services (AWS) secret keys. The keys used for this encryption are managed through an AWS key management service, which also gives us key management capabilities for application-layer encryption.

We maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data, meaning Postman does not distribute customer data for internal testing or validation purposes.

To download assurance reports, access the Postman Security and Trust Portal.

Key security features

Postman Vault

Postman Vault lets you store sensitive data as vault secrets in your local instance of Postman. Only you can access and use your vault secrets, and they aren't synced to the Postman cloud.

Postman API key management

You can manage the Postman API keys that your team creates at scale, helping you maintain compliance and security across your organization. Teams can control how API keys are created, set their expiration dates, and revoke keys when needed.

API Governance and API Security

Customers, security teams, and developers can use configurable security rules and capabilities to improve API governance and security, such as identifying weaknesses and areas for improvement.

Audit logs

Audit logs display events related to your team, users, and billing. You can track key activities related to security access and team management for the past 180 days. Visit the Postman Learning Center to learn more.

Secret Scanner

The Postman Secret Scanner examines your public workspaces, collections, environments, and documentation to find accidentally exposed secrets. Learn how to use the Secret Scanner, which is turned on by default.

Role-based access control

Postman lets you assign granular access to users with roles and permissions. Roles define a user's permissions within a Postman team and their level of access to a Postman element, such as a collection or an API, helping you secure your data.

Two-factor authentication (2FA)

You can enable 2FA for your Postman account to add an extra layer of security when you log in using a password.

Infrastructure security

For our hardware, we contract with cloud providers that adhere to global privacy and security regulations and standards. We also have a rigorous process to minimize cybersecurity risk while onboarding and offboarding vendors.

Our infrastructure runs in data centers provided by Amazon Web Services (AWS), where we use several of AWS's security and privacy features. Our hosts run stable, regularly patched versions of Amazon Linux, with configured security groups and isolated virtual private cloud environments that provide well-defined network segmentation, role-based access control, and web application firewall protection.

Physical and environmental security

Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security; our company's product data and backups are hosted in the U.S. on AWS servers.

Our internal security program covers physical security at our offices around the world.

Software security

Our applications run on the latest stable version of Node.js, an open-source JavaScript runtime.

Postman has controls at every layer and phase to secure its applications. We protect our applications during the software development lifecycle, deployment, and operation phases. We also reduce the impact of a compromise by isolating applications from one another in containers. In addition, we set architectural security guidelines and perform code reviews.

In addition, our company's automated and manual code review processes search for any code that could potentially violate corporate security policies. Importantly, we also train our software developers to follow best security practices around coding and collaboration.

Payment processing

We process all payments using Stripe, which has been certified as a Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service provider.

Vulnerability management

We secure our product and applications through various activities, including performing Vulnerability Assessment and Penetration Testing (VAPT) for all releases and managing potential vulnerabilities. All issues found are assigned a score using the Common Vulnerability Scoring System (CVSS), an owner, and a deadline based on an internal Service Level Agreement (SLA) for fixing vulnerabilities.

We also conduct vulnerability scans at the network, application, and operating system layers, which lets us patch vulnerabilities across Postman's computing devices and applications. Where appropriate we remove or turn off unneeded services, and we maintain visibility into what software is installed on our systems so that issues can be mitigated.

Penetration testing

In addition to our regular security reviews, we partner with trusted third-party companies to perform annual penetration tests across our product ecosystem.

Bug bounty program

We invite anyone to identify and report potential security vulnerabilities in the API Platform. Postman runs a private bug bounty program with HackerOne.

Please review our security reporting guidelines and policy.

Attack prevention and mitigation

We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage.

Our company further implements measures to detect and prevent log tampering or interruptions. To detect security breaches, we monitor access patterns and network data flow patterns using automated systems that alert us when an anomaly occurs. In addition, we run automated scans on each feature release to reduce security issues introduced by third-party libraries.

Also, our leadership team is notified automatically in the event of a customer-reported breach. In accordance with Postman's corporate policies, we respond to the report within a few hours.

Incident response

Our company has incident response policies and procedures to help mitigate cyber risks to service availability, integrity, security, privacy, and confidentiality. To that end, we train our Postman teams to:

  • Promptly respond to alerts of potential incidents
  • Analyze and assess the severity of potential incidents
  • Execute mitigation and containment measures
  • Communicate with relevant internal and external stakeholders. Doing so includes notifying affected customers and meeting contractual obligations around breach or incident notifications.
  • Gather and preserve forensic evidence for investigative efforts
  • Conduct and document a postmortem while developing a permanent triage plan

The incident response policies and processes are audited as part of our System and Organization Controls (SOC 2) and other security assessments.

Explore our status page for service availability information.

Shared responsibility model

Data security is a shared responsibility between Postman and users. We strongly recommend you avoid storing sensitive data anywhere except within Postman environments. You should also use environment variables with a secret type to store sensitive data and credentials, including API keys and access tokens.

Learn more about the best practices you should follow to secure data and credentials in Postman.

Postman Security Workspace

The Postman Security Workspace on the Postman API network is where we publish security-specific API and collection templates. This public workspace provides you with templates to solve specific security use cases.

For example, Postman Security has created a collection that will help you to get secrets from the vault using pre-request scripts. You can fork collections and start using them. Before using a collection, we encourage you to read the documentation and verify that you've selected the right environment.

View Security Workspace

Security and Trust FAQ

Find answers to some of our company's most common security questions.

Read the FAQs
