Security at Postman
Learn how our company prioritizes data protection through encryption, product and application security, and organizational measures. We also cover API governance and security features in Postman.
All customer data is stored on the Amazon Relational Database Service and configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only in the private cloud. We have also instituted per-service access protection and data isolation.
We use cryptographic methods and industry standards to protect customer data both in transit between Postman clients and the Postman cloud and at rest. For example, all communications and data in transit over the internet require the latest version of Transport Layer Security, a cryptographic protocol that provides end-to-end encryption. By default, encryption is also enabled on all our services that contain data at rest.
Also, your sensitive data at rest is encrypted on the server side before storage using AES-256-GCM. The Advanced Encryption Standard with Galois Counter Mode (AES-GCM) provides authenticated encryption, which ensures data confidentiality and integrity.
We also secure customer and company data at the application layer using AES-256-GCM. The sensitive data we encrypt includes environment variables, access and refresh tokens, and Amazon Web Services (AWS) secret keys. Postman encrypts your data using a key management service from AWS, and we maintain our own key management capabilities for encrypting sensitive data at the application layer.
We maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data, meaning Postman does not distribute customer data for internal testing or validation purposes.
Key security features
API Governance and API Security
Customers, security teams, and developers can use configurable security rules and capabilities to improve API governance and security, such as identifying weaknesses and areas for improvement. Also, access our guide on security and governance features you can use to safeguard your accounts and data.
We use strong encryption standards to protect your data, both when it's in transit between Postman clients and the Postman cloud and when it's at rest in the production network.
You can track key activities related to billing, security, access, and team management with audit logs. Postman offers audit logs for 90 days to users on Professional plans and 180 days to users on Enterprise plans.
The Postman Secret Scanner examines your public workspaces, collections, environments, and documentation to find accidentally exposed tokens. This protects your organization and reduces the risk of malicious users exploiting the tokens.
Role-based access control
Postman helps you assign granular access to users with roles and permissions. Roles define a user's permissions within a Postman team and their level of access to a Postman element, such as a collection or an API, helping you secure your data.
Two-factor authentication (2FA)
You can enable 2FA for your Postman account to add an extra layer of security when you log in using a password.
For our hardware, we contract with cloud providers that adhere to global privacy and security regulations and standards. We also have a rigorous process to minimize cybersecurity risk while onboarding and offboarding vendors.
Our infrastructure runs on data centers provided by Amazon Web Services (AWS). We leverage several security and privacy-focused features. Also, our infrastructure runs on stable, regularly patched versions of Amazon Linux. It has configured security groups and isolated virtual private cloud environments with well-defined network segmentation, role-based access control, and advanced web-application firewall protection.
Physical and environmental security
Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security; our company's product data and backups are hosted in the U.S. on AWS servers.
Our internal security program covers physical security at our offices around the world.
Our applications run on the latest stable version of Node.js, an open-source JavaScript runtime.
Postman has controls at every layer and phase to secure its applications. We protect our applications during the software development lifecycle, deployment, and operation phases. We also reduce risk by isolating applications through containerization, and we set architectural security guidelines and perform code reviews.
In addition, our company's automated and manual code review processes search for any code that could potentially violate corporate security policies. Importantly, we also train our software developers to follow best security practices around coding and collaboration.
We secure our product and applications through various activities, including performing Vulnerability Assessment and Penetration Testing (VAPT) for all releases and managing potential vulnerabilities. All issues found are assigned a score using the Common Vulnerability Scoring System (CVSS), an owner, and a deadline based on an internal Service Level Agreement (SLA) for fixing vulnerabilities.
We also conduct vulnerability scans at the network, application, and operating system layers, which lets us patch vulnerabilities across Postman's computing devices and applications. These scans give us visibility into what software is installed on our systems, so we can remove or disable unneeded services and mitigate issues.
In addition to our regular security reviews, we partner with trusted third-party companies to perform annual penetration tests across our product ecosystem.
Bug bounty program
We invite anyone to identify and report potential security vulnerabilities in the API Platform. Postman runs a private bug bounty program with HackerOne.
Please review our security reporting guidelines and policy.
Attack prevention and mitigation
We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage.
Our company further implements measures to detect and prevent log tampering or interruptions. To detect security breaches, we monitor access patterns and network data flow patterns using automated systems that alert us to anomalies. In addition, we run automated scans on each feature release to reduce security issues introduced by third-party libraries.
Also, our leadership team is notified automatically in the event of a customer-reported breach. In accordance with Postman's corporate policies, we respond to the report within a few hours.
Our company has incident response policies and procedures to help mitigate cyber risks around service availability, integrity, security, privacy, and confidentiality. To that end, we train our Postman teams to:
- Promptly respond to alerts of potential incidents
- Analyze and assess the severity of potential incidents
- Execute mitigation and containment measures
- Communicate with relevant internal and external stakeholders. This includes notifying affected customers and meeting contractual obligations around breach or incident notifications.
- Gather and preserve forensic evidence for investigative efforts
- Conduct and document a postmortem while developing a permanent triage plan
The incident response policies and processes are audited as part of our System and Organization Controls (SOC 2) and other security assessments.
Explore our status page for service availability information.
Shared responsibility model
Data security is a shared responsibility between Postman and users. We strongly recommend you avoid storing sensitive data anywhere except within Postman environments. You should also use environment variables with a secret type to store sensitive data and credentials, including API keys and access tokens.
Learn more about the best practices you should follow to secure data and credentials in Postman.
How and why do I need to request access?
You can request full access by providing a valid full name, work email, and company name. Users who want access are typically existing or prospective customers who seek information about Postman's security posture to satisfy due diligence requirements.
How long would the access remain for authorized users?
Once you've been authorized, you retain full access indefinitely.
How can I reclaim access?
Use the reclaim access tab to gain access if you've lost it. You'll need to type in your information, such as your corporate email, and then request a login link.
Postman Security Workspace
The Postman Security Workspace on the Postman API network is where we publish security-specific API and collection templates. This public workspace provides you with templates to solve specific security use cases.
For example, Postman Security has created a collection that will help you to get secrets from the vault using pre-request scripts. You can fork collections and start using them. Before using a collection, we encourage you to read the documentation and verify that you've selected the right environment.