Updated Nov. 16, 2022
Data security is a shared responsibility between Postman and users. Our company maintains security and regulatory compliance standards. We embed security into our product and ensure it is as safe and secure as possible. However, you also share responsibility for security by following safe practices with your data and credentials.
The shared responsibility model below covers some security best practices while using Postman. You should follow them to secure your account and data.
Avoid unintentional sensitive data exposure
Be careful when publishing Postman elements such as workspaces, collections, and environments, so you don't expose data by accident. You can manage the visibility of workspaces, which are personal by default.
Update your Postman Client
Always use the latest version of the Postman desktop app to ensure the best experience. The app automatically downloads minor updates and bug fixes, helping keep your data secure. Also, protect access to your device, as the app saves a local copy of your data. You can leverage Postman Enterprise features to deploy Postman at scale securely.
Secure access to your Postman account and data
Your accounts should have adequate protection. Use a strong password, verify your email address, and enable two-factor authentication with Google or your single sign-on identity provider. Other account security measures include:
- Ensure that users invited to Partner Workspaces follow the same security standards to protect data.
- Remove any team member's account that you suspect has been compromised, and notify Postman if you need help.
- Prevent your Postman API keys from unintentionally exposing your account data by safely storing them as environment variables in Postman. Also, you can disable compromised API keys in your account settings.
Securely store sensitive data in Postman
Avoid storing sensitive data anywhere except within Postman Environments. We recommend using environment variables with a secret type to store sensitive data and credentials, including API keys and access tokens. You can also limit syncing of sensitive information with Postman servers.
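One way to check that this guidance is being followed is to scan exported Postman JSON for credentials that live outside secret-type environment variables. The script below is an added example, not Postman's own tooling; it assumes the export shapes shown in its docstring (an environment with a `values` list whose entries carry `key`, `value` and `type`, and a v2.1 collection whose `item` tree holds `request` objects with `header` and `url`), and the sample environment and collection it scans are constructed for the example.

```python
"""Flag secrets stored outside secret-type Postman environment variables.

Added example, not Postman's code. Assumed export shapes:
  environment: {"values": [{"key": ..., "value": ..., "type": "default"|"secret", "enabled": ...}]}
  collection v2.1: {"item": [{"name": ..., "request": {"header": [...], "url": {"raw": ...}}}
                              or {"name": ..., "item": [...]}  (folder)]}
"""
import json
import re

# Heuristics (constructed; tune per team): credential-like variable/header names, and
# long opaque values that look like keys or tokens.
SENSITIVE_KEY = re.compile(r"(api[_-]?key|token|secret|password|passwd|authorization)", re.I)
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def scan_environment(env: dict) -> list:
    """Return findings for variables that look sensitive but are not of type 'secret'."""
    findings = []
    for var in env.get("values", []):
        key = str(var.get("key", ""))
        value = str(var.get("value", ""))
        looks_sensitive = bool(SENSITIVE_KEY.search(key)) or bool(OPAQUE_VALUE.match(value))
        if looks_sensitive and var.get("type", "default") != "secret":
            findings.append({"location": f"environment:{key}",
                             "issue": "sensitive variable not of type secret"})
    return findings


def _walk_requests(items):
    """Yield request items from a collection tree, descending into folders."""
    for item in items:
        if "item" in item:
            yield from _walk_requests(item["item"])
        elif "request" in item:
            yield item


def scan_collection(coll: dict) -> list:
    """Return findings for literal credentials in requests instead of {{variable}} references."""
    findings = []
    for item in _walk_requests(coll.get("item", [])):
        name = item.get("name", "<unnamed>")
        req = item["request"]
        for header in req.get("header", []):
            hkey, hval = str(header.get("key", "")), str(header.get("value", ""))
            if hval and SENSITIVE_KEY.search(hkey) and "{{" not in hval:
                findings.append({"location": f"request:{name}:header:{hkey}",
                                 "issue": "literal credential in header"})
        url = req.get("url", "")
        raw = url if isinstance(url, str) else str((url or {}).get("raw", ""))
        for m in re.finditer(r"[?&]([^=&]+)=([^&]*)", raw):
            if SENSITIVE_KEY.search(m.group(1)) and "{{" not in m.group(2):
                findings.append({"location": f"request:{name}:query:{m.group(1)}",
                                 "issue": "literal credential in query string"})
    return findings


# Constructed sample exports: one mis-typed variable, one literal header, one literal query value.
SAMPLE_ENV = {
    "name": "constructed sample env",
    "values": [
        {"key": "base_url", "value": "https://api.example.test", "type": "default", "enabled": True},
        {"key": "api_key", "value": "ak_live_0123456789abcdefXYZ", "type": "default", "enabled": True},
        {"key": "access_token", "value": "tok_abcdefghijklmnopqrstuv", "type": "secret", "enabled": True},
    ],
}
SAMPLE_COLLECTION = {
    "info": {"name": "constructed sample collection"},
    "item": [
        {"name": "List users", "request": {"method": "GET",
         "header": [{"key": "Authorization", "value": "Bearer {{access_token}}"}],
         "url": {"raw": "{{base_url}}/users"}}},
        {"name": "Admin", "item": [
            {"name": "Rotate key", "request": {"method": "POST",
             "header": [{"key": "X-Api-Key", "value": "ak_live_0123456789abcdefXYZ"}],
             "url": {"raw": "{{base_url}}/keys?token=tok_hardcoded_value"}}},
        ]},
    ],
}

if __name__ == "__main__":
    # Usage: python scan.py env.json collection.json  (falls back to the samples above)
    import sys
    env = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENV
    coll = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_COLLECTION
    for f in scan_environment(env) + scan_collection(coll):
        print(f"{f['location']}: {f['issue']}")
```

Running it over the samples reports the `api_key` variable (stored with the default type), the literal `X-Api-Key` header and the `token` query parameter, while the `{{access_token}}` reference and the secret-typed variable pass. The heuristics are deliberately simple; the point is that a pre-commit or CI check over exported collections catches the cases this section warns about before they reach a shared or public workspace.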
Restrict data access based on user roles
You can define one or more role types for team members based on their required level of access. Doing so enables you to control who has access to your data. We recommend that you isolate workspaces where sensitive data is stored and limit access to only individuals who need it. Learn about using Postman's role-based access control system to restrict the visibility of team resources.
Safely use your account
Be vigilant about potential Postman imposters. We will never send you emails with attachments or request any sensitive information. Avoid opening an attachment or installing any software from an email that claims to be from us—it's not. Also, be mindful of potential phishing web pages attempting to impersonate Postman. We won't ask you to download software by email or sign in to a non-Postman website—contact Postman Support for any account issues.
Securely use integrations to protect your data
The signed business associate agreements between you and Postman do not cover the use of third-party integrations. If you handle sensitive data, ensure that security and compliance agreements are implemented with the integration provider before use.
Audit your Postman account
Use Postman audit logs to review any unusual activity with your Postman team, including any unexpected changes to team settings. You can also use audit logs to ensure that only authorized members have accessed your team. Audit logs are also accessible through the Postman API, allowing you to integrate audit logs with your security information and event management (SIEM) tools.
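The following script illustrates the review and SIEM hand-off described above. It is an added example, not Postman's own code. The `fetch_audit_logs` helper assumes the Postman API audit-log endpoint (`https://api.getpostman.com/audit/logs` with an `X-Api-Key` header) and a `{"trails": [...]}` response; confirm both against the current Postman API reference before use. The action names, the allowlisted egress IPs and the sample entries are constructed for the example, so the detection rules are a template to adapt, not Postman's event taxonomy.

```python
"""Review Postman audit-log entries for unusual team activity and emit SIEM-ready records.

Added example, not Postman's code. Endpoint, header and response shape in
fetch_audit_logs are assumptions; action names and IPs below are constructed.
"""
import json
import urllib.request
from collections import Counter


def fetch_audit_logs(api_key: str, since: str, limit: int = 300) -> list:
    """Fetch one page of audit trails (assumed endpoint; not exercised offline)."""
    url = f"https://api.getpostman.com/audit/logs?since={since}&limit={limit}"
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("trails", [])


# Rule configuration (constructed values; adjust to your team).
TEAM_SETTING_PREFIXES = ("team.", "sso.", "scim.")   # illustrative action-name prefixes
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}  # office/VPN egress, TEST-NET-3 placeholders
FAILED_LOGIN_THRESHOLD = 3


def _username(trail: dict) -> str:
    return str(trail.get("data", {}).get("user", {}).get("username", "unknown"))


def classify(trail: dict, known_ips=KNOWN_EGRESS_IPS) -> list:
    """Return the reasons a single audit entry deserves review (empty if none)."""
    reasons = []
    action = trail.get("action", "")
    ip = trail.get("ip", "")
    if action.startswith(TEAM_SETTING_PREFIXES):
        reasons.append("team-setting change")
    if ip and ip not in known_ips:
        reasons.append(f"unexpected source ip {ip}")
    return reasons


def failed_login_bursts(trails, threshold: int = FAILED_LOGIN_THRESHOLD) -> dict:
    """Count failed logins per user and return those at or above the threshold."""
    counts = Counter(_username(t) for t in trails if t.get("action", "").endswith("_failed"))
    return {user: n for user, n in counts.items() if n >= threshold}


def review(trails, known_ips=KNOWN_EGRESS_IPS) -> list:
    """Produce one flat alert record per finding, suitable for a SIEM collector."""
    alerts = []
    for t in trails:
        reasons = classify(t, known_ips)
        if reasons:
            alerts.append({"id": t.get("id"), "timestamp": t.get("timestamp"), "user": _username(t),
                           "ip": t.get("ip"), "action": t.get("action"), "reasons": reasons})
    for user, n in failed_login_bursts(trails).items():
        alerts.append({"id": None, "timestamp": None, "user": user, "ip": None,
                       "action": "login_failed_burst", "reasons": [f"{n} failed logins"]})
    return alerts


def to_jsonl(alerts) -> str:
    """Serialize alerts as one JSON object per line, the form most SIEM collectors ingest."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


def _trail(i, ts, ip, action, user):
    return {"id": i, "timestamp": ts, "ip": ip, "userAgent": "Mozilla/5.0", "action": action,
            "message": f"{user} {action}", "data": {"user": {"id": hash(user) % 1000, "username": user}}}


# Constructed sample batch: a routine login, a team-setting change, and a password-guessing
# pattern from an IP outside the allowlist that ends in a successful login.
SAMPLE_TRAILS = [
    _trail(1, "2022-11-15T09:00:00Z", "203.0.113.10", "user.login_sso_success", "alice"),
    _trail(2, "2022-11-15T09:05:00Z", "203.0.113.10", "team.settings_updated", "alice"),
    _trail(3, "2022-11-15T22:10:00Z", "198.51.100.7", "user.login_password_failed", "bob"),
    _trail(4, "2022-11-15T22:10:20Z", "198.51.100.7", "user.login_password_failed", "bob"),
    _trail(5, "2022-11-15T22:10:45Z", "198.51.100.7", "user.login_password_failed", "bob"),
    _trail(6, "2022-11-15T22:11:30Z", "198.51.100.7", "user.login_password_success", "bob"),
]

if __name__ == "__main__":
    # For live data: trails = fetch_audit_logs(os.environ["POSTMAN_API_KEY"], since="2022-11-15")
    print(to_jsonl(review(SAMPLE_TRAILS)))
```

On the sample batch the team-setting change and every entry from the unlisted IP are flagged individually, and the three failed logins for `bob` also produce a single burst alert; the JSON-lines output can be shipped to a SIEM as-is. Keep the API key used for fetching in a secret-typed environment variable or your secrets manager, never in the script.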
Have oversight of your outgoing data
Ensure that email addresses receiving notifications on monitor run failures and errors are authorized to receive such messages.
Other data security measures
Below are further recommendations for handling sensitive data in Postman. We encourage users to explore the links, including the Leveraging Postman Security Features guide. It covers security and governance features that developers and administrators can use to secure accounts and data.
- Always make API calls over the internet using Transport Layer Security, and do not disable client-side Secure Sockets Layer (SSL) validations for the Postman app. Also, avoid disabling SSL certificate validations for Postman Monitors.
- Follow secure coding practices in the scripts that run as part of collections, so they don't accidentally send sensitive data to systems that aren't authorized to receive it.
- Refrain from blindly trusting entities inside public workspaces, and review public entities such as collections and environments before using them.
- Have a peer review process of critical collections and merge changes using Postman's collection fork and merge feature.
- Postman can run monitors from a static IP address, so you can test APIs that sit behind a restrictive firewall. Allowlist only that static IP address rather than opening broader access to your critical network-connected systems, especially when they handle private data.
Please explore our frequently asked questions and documentation, or contact Postman Support.
Access Postman's security and compliance documents on our Security Portal, such as penetration testing and audit reports.