Security and compliance: a shared responsibility model


Last updated: October 15, 2024

Data security is a shared responsibility between Postman and its users. Postman's security program and processes are consistent with best practices and industry standards, and we embed security into the product to make it safe to use. However, you also share responsibility for security and privacy by following safe practices with your data and credentials.

The shared responsibility model below covers some security and privacy practices. You should implement them to help secure your account, secrets, and data.


Avoid unintentional sensitive data exposure

Be careful when publishing a Postman element, such as a workspace, collection, or environment, to avoid accidental data exposure by making it public or sharing it too broadly with team members. You can manage the visibility of workspaces, which are personal by default. You can also manage public elements.


Update your Postman Client

Always use the latest version of the Postman desktop app to ensure the best, most secure experience. The app automatically downloads minor updates and bug fixes, helping keep your data secure. Also, always protect access to your devices, as the app may save a local copy of your data.

You can further leverage Postman Enterprise features to deploy Postman at scale securely.


Secure access to your Postman account and data

It's up to you to ensure that your accounts have adequate protection. Always use a strong password based on best practices, verify your email address, and enable two-factor authentication in Postman with Google or your single sign-on identity provider. Other account security measures you can implement include:

  • Ensuring that users invited to Partner Workspaces follow the same security standards as your organization to protect data.
  • Removing the account of any team member that you suspect has been compromised, and notifying Postman for additional help. You can also check your team's audit logs.
  • Safely handling and managing the Postman API keys created by your team to ensure compliance and security across your organization.

Securely store sensitive data in Postman

Postman Vault lets you store sensitive data, including API keys, access tokens, and passwords, as vault secrets in your local instance of Postman. Only you can access and use your vault secrets, which aren't synced to the Postman cloud.

Additionally, you can minimize the risk of unintentionally disclosing sensitive data by sharing it safely with collaborators and storing it as a secret variable within an environment. You can also specify allowed domains or subdomains for a vault secret.


Restrict data access based on user roles

You can define one or more role types for team members based on their required level of access. Doing so enables you to control who has access to your data. We recommend isolating workspaces where sensitive data is stored and limiting access to only individuals who need it.

Learn about using Postman's role-based access control system to restrict the visibility of team resources.


Safely use your account

Please be vigilant about potential Postman imposters. We will never send you emails with attachments or request any sensitive information. Avoid opening an attachment or installing any software from an email that claims to be from us—it's not.

Also, be mindful of potential phishing web pages attempting to impersonate Postman. We won't ask you to download software by email or sign in to a non-Postman website—contact Postman Support for any account issues.


Securely use integrations to protect your data

Agreements between Postman and users do not cover the use of third-party integrations. If you handle sensitive data, ensure that security and compliance agreements are implemented with the integration provider before use.


Audit your Postman account

Use Postman audit logs to review any unusual activity with your Postman team, including any unexpected changes to team settings. You can also use audit logs to ensure that only authorized members have accessed your team. Audit logs are also accessible through the Postman API, allowing you to integrate audit logs with your security information and event management (SIEM) tools.


Have oversight of your outgoing data

Ensure that email addresses receiving notifications about monitor run failures and other errors are authorized to receive such messages.


Other data security measures

Below are further recommendations for handling sensitive data in Postman:

  • Always make API calls over the internet using Transport Layer Security (TLS), and do not turn off client-side Secure Sockets Layer (SSL) certificate validation in the Postman app. Also, avoid turning off SSL certificate validation for Postman Monitors.
  • Follow secure coding practices within scripts run as part of collections by not accidentally sending sensitive data to systems unauthorized to receive such data.
  • Refrain from blindly trusting entities inside public workspaces, and review public entities such as collections and environments before using them.
  • Have a peer review process for critical collections and merge changes using Postman's collection fork and merge feature.
  • Postman enables monitoring APIs from a static IP address when testing them behind a restricted firewall. Allow the static IP address to limit access to your critical network-connected systems, especially when handling private data.

Do you still have questions?

Please read our Security and Trust FAQ and documentation, or contact Postman Support.



Postman Security and Trust Portal

Access Postman's security and compliance documents on our Security and Trust Portal, such as penetration testing and audit reports.
