Security at Postman
Postman is a cloud-based platform trusted by nearly 500,000 organizations to protect sensitive API data at scale. Learn how we prioritize security with encryption, robust platform and product safeguards, and features that help you enforce API governance across your organization.
Data security
Postman is built to protect customer data at every layer. All data is stored securely and with high redundancy using a relational database service configured for dual redundancy and 15-day backups, reducing the risk of data loss and ensuring continuous availability. Data remains isolated within Postman's private cloud and protected with per-service access controls.
Postman uses modern cryptographic methods, including AES-256-GCM encryption, to secure data in transit and at rest. All internet traffic requires TLS encryption, and services that store data at rest have encryption enabled by default. Sensitive data such as environment variables, tokens, and AWS keys are encrypted at the application layer using a key management service.
For enterprise customers, Postman now offers Bring Your Own Key (BYOK) encryption, giving you full control over encryption keys and ownership of sensitive data in the Postman Cloud. Every encryption event is logged for compliance, helping simplify audits while maintaining complete visibility.
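The encryption model described above (AES-256-GCM for stored secrets, a key management service holding the key that protects them, a customer-controlled key under BYOK, and a log entry for every encryption event) is the envelope-encryption pattern. The following Go program is an added illustration of that pattern and is not Postman's code: `KMSKey` is a hypothetical in-process stand-in for a KMS-held key-encryption key, the field names and secret values are constructed, and a real deployment would call the KMS wrap/unwrap API rather than hold the key bytes locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aesGCMSeal encrypts plaintext with AES-256-GCM, binding aad (authenticated
// but unencrypted data) to the ciphertext. A fresh 96-bit nonce is drawn per
// call, since nonce reuse under one key breaks GCM's guarantees.
func aesGCMSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails if ciphertext, nonce or aad changed.
func aesGCMOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// Envelope is what lands in the database: the secret encrypted under a
// per-record data key (DEK), plus that DEK wrapped by the KMS-held key.
type Envelope struct {
	KeyID      string // which key-encryption key wrapped the DEK
	WrappedDEK []byte
	DEKNonce   []byte
	Nonce      []byte
	Ciphertext []byte
}

// KMSKey is a hypothetical stand-in for a key-encryption key (KEK) held in a
// KMS. Under BYOK the KEK belongs to the customer, who can revoke it; every
// wrap and unwrap is appended to Events, modelling the per-event audit log.
type KMSKey struct {
	ID      string
	kek     []byte
	Events  []string
	revoked bool
}

func NewKMSKey(id string, kek []byte) (*KMSKey, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	return &KMSKey{ID: id, kek: kek}, nil
}

// Revoke models the customer withdrawing a BYOK key: nothing wrapped under it
// can be unwrapped afterwards, so the stored ciphertext becomes unreadable.
func (k *KMSKey) Revoke() { k.revoked = true }

// EncryptSecret envelope-encrypts one field value. The field name is used as
// AAD, so a ciphertext copied into a different field fails authentication.
func (k *KMSKey) EncryptSecret(field string, value []byte) (*Envelope, error) {
	if k.revoked {
		return nil, errors.New("key revoked")
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := aesGCMSeal(dek, value, []byte(field))
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := aesGCMSeal(k.kek, dek, []byte(k.ID))
	if err != nil {
		return nil, err
	}
	k.Events = append(k.Events, "wrap:"+field)
	return &Envelope{KeyID: k.ID, WrappedDEK: wrapped, DEKNonce: dekNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptSecret unwraps the DEK through the KMS key, then opens the value.
func (k *KMSKey) DecryptSecret(field string, env *Envelope) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("key revoked")
	}
	if env.KeyID != k.ID {
		return nil, errors.New("envelope was wrapped by a different key")
	}
	dek, err := aesGCMOpen(k.kek, env.DEKNonce, env.WrappedDEK, []byte(k.ID))
	if err != nil {
		return nil, err
	}
	k.Events = append(k.Events, "unwrap:"+field)
	return aesGCMOpen(dek, env.Nonce, env.Ciphertext, []byte(field))
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; a real KEK never leaves the KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	k, _ := NewKMSKey("customer-kek-1", kek)
	env, _ := k.EncryptSecret("env.AWS_SECRET_ACCESS_KEY", []byte("constructed-secret-value"))
	pt, err := k.DecryptSecret("env.AWS_SECRET_ACCESS_KEY", env)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	_, err = k.DecryptSecret("env.OTHER_FIELD", env) // AAD mismatch: fails
	fmt.Println("moved to another field:", err)
	k.Revoke()
	_, err = k.DecryptSecret("env.AWS_SECRET_ACCESS_KEY", env)
	fmt.Println("after revocation:", err, "events:", k.Events)
}
```

The design point is that the database only ever holds wrapped data keys, so losing the database alone yields nothing, and a BYOK customer revoking their KEK makes every envelope wrapped under it permanently unreadable. The AAD binding is the detail practitioners most often omit: without it, an attacker with write access to the store could swap a low-value ciphertext into a high-value slot and have it decrypt cleanly.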
Postman does not use customer data in internal testing. All validation and QA efforts are conducted on a production-mirrored internal stack using fictitious data only.
To download assurance reports, access the Postman Security and Trust Portal.
Key security features
Bring Your Own Key (BYOK)
Enterprise customers can manage and control their own encryption keys, ensuring full ownership of sensitive API data in the Postman Cloud. Every encryption event is logged for audit readiness and compliance.
Postman Vault
Postman Vault lets you store sensitive data as vault secrets in your local instance of Postman. Only you can access and use your vault secrets, and they aren't synced to the Postman cloud.
Postman API key management
You can manage the Postman API keys that your team creates at scale, ensuring you maintain compliance and security across your organization. Teams can control the creation of API keys, their expiration dates, and revoke keys when needed.
API Governance and API Security
Enforce consistent security standards with configurable governance rules that help you identify weaknesses, reduce risk, and improve overall API quality across your organization—without disrupting developer workflows.
Audit logs
Audit logs display events related to your team, users, and billing. You can track key activities related to security access and team management for the past 180 days. Visit the Postman Learning Center to learn more.
Secret Scanner
The Postman Secret Scanner examines your public workspaces, collections, environments, and documentation to find accidentally exposed secrets. Learn how to use the Secret Scanner, which is turned on by default.
Role-based access control
Postman helps you to assign granular access to users in our product with roles and permissions. Such roles define user permissions within a Postman team and a user's level of access to a Postman element, such as a collection or an API, helping you secure your data.
Two-factor authentication (2FA)
You can enable 2FA for your Postman account to add an extra layer of security when you log in using a password.
Infrastructure security
For our hardware, we contract with cloud providers that adhere to global privacy and security regulations and standards. We also have a rigorous process to minimize cybersecurity risk while onboarding and offboarding vendors.
Our infrastructure runs on data centers provided by Amazon Web Services (AWS), and we make use of several of its security- and privacy-focused features. Our infrastructure runs on stable, regularly patched versions of Amazon Linux, with configured security groups and isolated virtual private cloud environments that provide well-defined network segmentation, role-based access control, and advanced web-application firewall protection.
Physical and environmental security
Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security. Our company's product data and backups are hosted on AWS servers in the EU and U.S., which offer strong security and privacy-focused features.
Additionally, our internal security program covers physical security at our offices around the world.
Software security
Our applications run on the latest stable version of Node.js, an open-source JavaScript runtime.
Postman has controls at every layer and phase of development to secure its applications during the software development lifecycle, deployment, and operation phases. We use security frameworks and industry standards throughout our software development lifecycle. We further uncover any OWASP vulnerabilities during software security testing before releasing new products or features.
In addition, our company's automated and manual code review processes search for any code that could potentially violate corporate security policies. Importantly, we also train our software developers to follow best security practices around coding and collaboration.
Other practices involve setting architectural security guidelines. We also minimize risks to our applications by isolating them through containerization, which keeps software in secure containers. Furthermore, third-party firms validate the security of Postman's product ecosystem annually.
We also oversee the software installed on Postman systems and can quickly mitigate any issues. Any installed software is reported to a central repository for analysis. Also, we have patching mechanisms built into the operating systems to update devices automatically.
Payment processing
We process all payments using Stripe, which is certified as a Payment Card Industry Data Security Standard (PCI DSS) Level 1 service provider.
Vulnerability management
We monitor the security of our products and applications through various ongoing activities, including regularly scheduled Vulnerability Assessment and Penetration Testing (VAPT) for all product releases.
We also conduct vulnerability scans on the network, application, and operating system layers at regular intervals throughout the year. Additionally, we promptly patch vulnerabilities in accordance with standard service level agreements and policies.
Every issue found is assigned a Common Vulnerability Scoring System (CVSS) score, an owner, and a remediation deadline set by an internal Service Level Agreement (SLA) for fixing vulnerabilities. Where necessary, we may also remove or turn off affected services.
Additionally, we use an automated tool for source code analysis, which runs before every production release. This tool covers vulnerabilities in open-source software and libraries. You can view applicable third-party licenses and a list of open-source software.
Penetration testing
In addition to our regular security reviews, we partner with trusted third-party companies to perform annual penetration tests across our product ecosystem.
Bug bounty program
We invite anyone to identify and report potential security vulnerabilities in the API Platform. Postman runs a private bug bounty program with HackerOne.
Please review our security reporting guidelines and policy.
Attack prevention and mitigation
We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage.
Our company further implements measures to detect and prevent log tampering or interruptions. To detect security breaches, we monitor access patterns and network data flows using automated systems that alert us to anomalies. In addition, we run automated scans on each feature release to reduce security issues introduced by third-party libraries.
Also, our leadership team is notified automatically in the event of a customer-reported breach. In accordance with Postman's corporate policies, we respond to the report within a few hours.
Incident response
Our company has incident response policies and procedures to help mitigate cyber risks around service availability, integrity, security, privacy, and confidentiality. As a result, we train our Postman teams to:
The incident response policies and processes are audited as part of our System and Organization Controls (SOC 2) and other security assessments.
Explore our status page for service availability information.
Shared responsibility model
Through our shared responsibility model, we rely on our users to help safeguard their data and credentials in Postman. We strongly encourage customers, security teams, and developers to use Postman securely.
For more information, read best practices to help you keep your sensitive data secure and private in Postman.
Postman Security Workspace
The Postman Security Workspace on the Postman API network is where we publish security-specific API and collection templates. This public workspace provides you with templates to solve specific security use cases.
For example, Postman Security has created a collection that will help you to get secrets from the vault using pre-request scripts. You can fork collections and start using them. Before using a collection, we encourage you to read the documentation and verify that you've selected the right environment.
FAQ
What is BYOK encryption, and who can use it?
Bring Your Own Key (BYOK) encryption allows Postman enterprise customers to manage and control their own encryption keys for data stored in the Postman Cloud. This ensures sensitive data remains fully owned by the customer and inaccessible to Postman. Every encryption event is logged, helping with compliance and audit reporting.
Does Postman adhere to information security standards?
Postman complies with global industry standards on data security and privacy, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.
We also undergo annual compliance assessments to validate our practices, including the System and Organization Controls (SOC 2) and Microsoft's Supplier Security and Privacy Assurance (SSPA). These assessments cover our company's security, availability, and confidentiality practices.
Download SOC 2 and 3 reports on the Postman Security and Trust Portal. Also, please access our compliance and security pages for more information about our practices.
What is customer data and personal data?
Customer data includes content you upload or create using our Services. You can find your rights regarding "Your Content" in our Terms of Service.
In addition, our privacy program protects personal data in accordance with global privacy regulations, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as the growing body of privacy laws in U.S. states and around the world.
We minimize the personal data we collect to what is needed for business purposes, including provisioning user seats and authentication. We also prohibit the upload of sensitive personal information and other highly regulated data into our development platform and discourage the use of personal data for testing.
Please read our Privacy Policy to learn how Postman collects, uses, transfers and shares your data.
What are Postman's data encryption and key management practices?
Postman uses strong encryption (AES-256-GCM) for data at rest and TLS for data in transit. All sensitive data, including environment variables, secrets, and access tokens, is encrypted at the application layer and managed via a key management system (KMS).
Enterprise customers can also choose Postman's Bring Your Own Key (BYOK) encryption feature, which allows them to manage and control their own encryption keys. These keys are never accessible by Postman, and all encryption events are logged for compliance and auditing.
How does Postman secure its applications?
Postman secures its applications at every layer and phase, from development to deployment and operation. We use containerization to isolate software, set architectural security guidelines, and perform code reviews. Industry standards and security frameworks are applied throughout the software development lifecycle, with testing for OWASP vulnerabilities. Annually, third-party firms validate our ecosystem's security, and our bug bounty program allows anyone to report potential vulnerabilities in the Postman API Platform.
Learn about Postman's software security practices.
What are Postman's vulnerability management processes?
We conduct vulnerability scans on the network, application, and operating system layers, enabling us to patch vulnerabilities across Postman's computing devices and applications. Where necessary, we may also remove or turn off affected services.
We also oversee what software is installed on Postman systems and can mitigate issues. For example, any software installed is reported to a central repository for analysis. We also have patching mechanisms built into the operating systems to update devices automatically.
Read about our vulnerability management practices.
How does Postman respond to potential security incidents?
Our company has policies and procedures for handling potential incidents and responding adequately, including conducting investigations, containment, and mitigation measures. Learn more about Postman's incident response practices.
How does Postman protect data centers?
Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security. Our company's product data and backups are hosted on AWS servers in the EU and U.S., which offer strong security and privacy-focused features.
How does Postman respect privacy?
Our comprehensive privacy program implements best practices for collecting, using, sharing, international transfers, and deleting personal information. We believe that your personal information is your property, and we respect your privacy rights and preferences, including through up-to-date cookie controls and other collection mechanisms.
We also require the execution of standard Data Privacy Agreements (DPAs), which include security requirements and Technical and Organizational Measures (TOMs) for customers and vendors we contract with.
How can I access the Postman Data Processing Addendum?
Prospective customers can request access through our Security and Trust Portal.
Is Postman a member of the EU-U.S. Data Privacy Framework?
Postman received early certification approval from the U.S. Department of Commerce as a participant in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF). This approval acknowledges that Postman is compliant with the EU-U.S. data privacy requirements pursuant to the European Commission's July 2023 adoption of the adequacy decision.
Read Postman's certification.
How does Postman manage customers' data after they stop using the product?
We keep your data in secure offline backups for 15 days after you delete your account or end your relationship with us. After that period, Postman permanently deletes your data from the product.
Does Postman share customer data with any of its third-party partners or sub-processors?
We only share information with third parties to help us operate, support, and market our services. We do not sell your data for commercial purposes or "share" data as defined under the CCPA and CPRA. All third-party vendors, including our sub-processors, undergo a privacy risk assessment and are required to execute our standard vendor DPA.
Please view the complete list of Postman sub-processors.
Does Postman sell my data?
No. We do not sell any customer data.
How do I delete my Postman account?
View the instructions on the Postman Learning Center to delete your account.
Are API responses stored in logs?
No. Postman does not log API responses by default. However, you can keep responses in your Postman History if you want to save responses.
How does Postman secure its workforce and corporate environment?
Postman has HR processes to secure its workforce. For example, all new workers complete a background screening and verification before employment or access to any systems. During onboarding, technical controls assign role-based access to applications and systems, limiting account privileges and access to customer data.
We also have procedures that protect data by revoking access to tools, accounts, and applications for workers who have been terminated or left Postman.
All new hires and workers complete privacy and cybersecurity training annually.
What if I have other questions?
Contact Postman Support after reading our security, privacy, compliance, reliability, and legal pages.
Explore the Postman Learning Center for documentation and support resources.
Postman Security and Trust Portal
Access Postman's security and compliance documents on our Security and Trust Portal, such as penetration testing and audit reports.
