Security at Postman

All customer data is stored in databases on Amazon RDS, which are configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only within the private cloud. We have also instituted per-service access protection and isolation of data.

Depending upon its sensitivity classification, customer data is AES-256-GCM encrypted at the server-side before storage. Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords. We have also added sessions in the 6.2 release onwards of Postman. We recommend using session variables for any data that you do not want to be synced to Postman's servers. You can also choose a "secret" data type for the environment variables to mask the initial and current values. This will help you avoid mistakenly sharing your tokens and secrets to an unintended audience while screen sharing or livestreaming.

We maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data. Postman does not distribute actual customer data for internal testing or validation purposes.

Data encryption

We use strong encryption standards to protect your data, both when it's in transit between Postman clients and the Postman cloud and when it's at rest in the production network.

Audit logs

Track key activities related to billing, security, access, and team management with audit logs.

Token Scanner

The Postman Token Scanner scans your public workspaces, collections, environments, and documentation to find accidentally exposed tokens. This protects your organization and prevents malicious users from exploiting the tokens.

Role-based access control

Postman allows you to assign granular access to entities in Postman products with roles and permissions.

SAML-based SSO

Authenticate with and access Postman services through an identity provider of your choice with SAML 2.0 compliant single sign-on (SSO).

Different Postman plans have different security features. See the Postman Security Features guide to learn more about them.

We contract our digital hardware to cloud vendors that adhere to the applicable data regulations and compliances. Our infrastructure runs on data centers provided by Amazon Web Services (AWS), which is SOC2 and PCI Level 1 certified among others. AWS has a number of security and privacy focused features that we leverage wherever applicable.

Our infrastructure run on stable, regularly patched, versions of Amazon Linux with carefully configured security groups, isolated VPC environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.

We do not have in-house data centers and instead rely on Amazon Web Services (AWS) to manage the physical and environmental security of our data centers. Our internal security program covers physical security at our offices.

For more details, please review AWS control and security measures.

Our applications run on the latest stable version of Node.js. We reduce the attack surface by isolating our processes via hardened containerization technology. Our security team sets architectural guidelines, conducts code reviews, and deploys every software system that can interface with customer data.

Our developers are trained with specific attention toward security. Our automated and manual code review processes look for any code that could potentially violate security policies. We have also instituted a standardized security stack that complies with software composition analysis tools.

We process all payments using Stripe, which has been certified as a PCI Level 1 Service Provider.

Our security team performs Vulnerability Assessment and Penetration Testing (VAPT) of our ongoing releases. All vulnerabilities found during VAPTs are managed internally in our vulnerability management system. All vulnerabilities are assigned a score using the CVSS scoring system, an owner, and a deadline based on an internal SLA for fixing vulnerabilities.

In addition to our regular security reviews, we partner with trusted third-party security companies to perform annual penetration tests across our product ecosystem.

We run a private bug bounty program with HackerOne in which we invite ethical hackers to continually look for any potential security vulnerabilities in our platform.

To report a security vulnerability please review our security reporting guidelines and policy.

We maintain intelligent web application firewalls on our load balancers which, along with the elastic scaling capacity of our compute instances, mitigate attacks at the application layer.

We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage. We implement measures to detect and prevent log tampering or interruptions. To determine security breaches, we monitor access patterns and network data flow patterns using automated systems that alert us in case of an anomaly. We run automated scans on each feature release to ensure we aren't introducing any security issues from 3rd party libraries. In case of a customer-reported breach, the leadership team is notified automatically and the report is responded to within a few hours as per set policies.

We have incident response policies and procedures to address service availability, integrity, security, privacy, and confidentiality issues. As part of our incident response procedures, we have trained our teams to:

• Promptly respond to alerts of potential incidents
• Determine the severity of the incident
• Analyze and assess the extent of the incident
• If necessary, execute mitigation and containment measures
• Communicate with relevant internal and external stakeholders, including notifying affected customers to comply with relevant laws and regulations and to meet contractual obligations around breach or incident notifications
• Gather and preserve evidence for investigative efforts
• Conduct and document a postmortem and develop a permanent triage plan

The incident response policies and processes are audited as part of our SOC 2 and other security assessments. Check out our status page for service availability information.

While we continuously focus on doing our part to maintain high standards for security and complying with regulations, you also have a role to play in helping to ensure the security of your data. It's our responsibility to ensure that Postman products and services are safe and secure to use, and it's your responsibility to follow safe practices with the data you store within Postman.

To learn more about the things we expect our users to be aware of during regular product usage, please read the shared responsibility model guide.

For details on what information we collect from you and how we use, share, and store that information, consult our privacy policy.

Our security team ensures the security of data stored with Postman and helps you keep your APIs secure by providing security-aware features, workshops, and content.

If you find a vulnerability in our service or website or want additional information about our security policies, you can contact us at security@postman.com. You can use our PGP public key to encrypt your communications with us.

If you are reporting security vulnerabilities or if you are a security researcher, review our security reporting guidelines and policy.