Sensitive data removal policy (archived)
Effective from November 19, 2020 to March 15, 2023. See latest policy.
If you believe that content on Postman infringes a valid copyright you own, please see our DMCA takedown policy. We rely on the DMCA notice and takedown process for the majority of our removal actions.
However, we understand that sensitive, security-related content may get published on Postman – whether accidentally or on purpose – from time to time. We provide our sensitive data removal process to remove this sensitive data in certain exceptional circumstances where the DMCA process would not be applicable, such as when your security is at risk from exposed passwords and you do not own the copyright to the specific content that you need removed, or the content is not protectable by copyright. This guide describes the information Postman needs from you in order to process a request to remove sensitive data from a workspace.
What is sensitive data?
For the purposes of this document, "sensitive data" refers to content that (i) should have been kept confidential, and (ii) whose public availability poses a specific or targeted security risk to you or your organization.
Sensitive data removal requests are appropriate for:
Sensitive data removal requests are not appropriate for:
Things to know
Ask nicely first. A great first step before sending us a request to remove data is to try contacting the user directly. They may have listed contact information on their public profile page or in the workspace, or you could get in touch by creating an issue or pull request in the workspace. This is not strictly required, but it is appreciated.
No bots. You should have a trained professional evaluate the facts of every request you send. If you're outsourcing your efforts to a third party, make sure you know how they operate, and make sure they are not using automated bots to submit complaints in bulk. These complaints often include data that does not pose any security threats, and they do not include sufficient explanations, requiring additional back-and-forth and resulting in delays, even when the complaint is valid.
Send in the correct request. We offer this sensitive data removal process as an exceptional service only for high-risk content. We are not able to use this process to remove other kinds of content, such as potentially infringing content, and we are not able to process any other kinds of removal requests while processing sensitive data removal requests. We will be able to help you more quickly if you send in your sensitive data removal requests separately from any requests to remove potentially infringing content. If you are unsure whether your request involves only sensitive data or also involves other legal matters, please consult legal counsel.
Processing time. While we work to process sensitive data removal requests as quickly as possible, due to the volume of requests we process, it may take some time for your request to be reviewed. Additional requests, or multiple requests from additional points of contact, may result in delays.
How does this actually work?
Keep forks in mind
One of the best features of Postman is the ability for users to "fork" collections within one another's public or private workspaces. Essentially, that means that users can make a copy of a collection on Postman so teams can work in parallel on the same collection. This makes it easy for teams to make changes and test them without risking the base collection. As the license or the law allows, users can then make changes to that fork to either push back to the main project or just keep as their own variation of a project. Each of these copies is a "fork" of the original collection, which in turn may also be called the "parent" of the fork.
Postman will not automatically disable forks when disabling a parent collection. This is because forks belong to different users and may have been altered in significant ways. Postman does not conduct any independent investigation into forks. We expect those sending sensitive data removal requests to conduct that investigation and, if they believe that the forks also contain sensitive data, expressly include forks in their request.
Sending a sensitive data removal request
Due to the type of content Postman hosts (mostly software code) and the way that content is managed (with Git), we need complaints to be as specific as possible. In order for us to verify that a user has removed reported sensitive data completely, we need to know exactly where to look.
These guidelines are designed to make the processing of requests to remove sensitive data as straightforward as possible.
Your request must include:
- A working, clickable link to each file containing sensitive data. (Note that we're not able to work from search results, examples, or screenshots.)
- Specific line numbers within each file containing the sensitive data.
- A brief description of how each item you've identified poses a security risk to you or your organization. It is important that you provide an explanation of how the data poses a security risk beyond merely stating that it does.
- If you are a third party acting as an agent for an organization facing a security risk, include a statement that you have a legal right to act on behalf of that organization.
- OPTIONAL: Let us know if your request is particularly urgent, and why. We respond to all sensitive data removal requests as quickly as possible. However, if this request is especially time-sensitive, such as a very recent credential exposure, please explain why.
How to submit your request
You can submit your request to remove sensitive data to help@postman.com. Please include a plain-text version of your request in the body of your message. Sending your request in an attachment may result in processing delays.
Disputes
If you received a sensitive data removal request from us, you can dispute it by replying to our email and letting us know—in as much detail as possible—why you think the content in question is not sensitive data subject to this Policy.
