Security at Postman

Your data security is important to us. We maintain a security-first culture across our organization and keep security at the core of everything we do.


Data security

All customer data is stored in databases on Amazon RDS, which are configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only within the private cloud. We have also instituted per-service access protection and isolation of data.

Depending upon its sensitivity classification, customer data is encrypted server-side with AES-256-GCM before storage. Postman environment variables fall under this classification, and we strongly encourage you to use them to store your authentication keys and passwords. Session variables have also been available since the 6.2 release of Postman; we recommend using them for any data that you do not want synced to Postman's servers. You can also choose the "secret" data type for environment variables to mask their initial and current values, which helps you avoid mistakenly exposing tokens and secrets to an unintended audience while screen sharing or livestreaming.

We maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data. Postman does not distribute actual customer data for internal testing or validation purposes.


Key security features

Data encryption

We use strong encryption standards to protect your data, both when it's in transit between Postman clients and the Postman cloud and when it's at rest in the production network.

Audit logs

Track key activities related to billing, security, access, and team management with audit logs.

Token Scanner

The Postman Token Scanner scans your public workspaces, collections, environments, and documentation to find accidentally exposed tokens. This protects your organization and prevents malicious users from exploiting the tokens.

Role-based access control

Postman allows you to assign granular access to entities in Postman products with roles and permissions.

SAML-based SSO

Authenticate with and access Postman services through an identity provider of your choice with SAML 2.0 compliant single sign-on (SSO).

Different Postman plans have different security features. See the Postman Security Features guide to learn more about them.


Infrastructure security

We rely on cloud vendors that adhere to the applicable data regulations and compliance standards for our hardware. Our infrastructure runs on data centers provided by Amazon Web Services (AWS), which holds SOC 2, PCI Level 1, and other certifications. AWS offers a number of security- and privacy-focused features, which we leverage wherever applicable.

Our infrastructure runs on stable, regularly patched versions of Amazon Linux with carefully configured security groups, isolated VPC environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.


Physical and environmental security

We do not have in-house data centers and instead rely on Amazon Web Services (AWS) to manage the physical and environmental security of our data centers. Our internal security program covers physical security at our offices.

For more details, please review AWS control and security measures.


Software security

Our applications run on the latest stable version of Node.js. We reduce the attack surface by isolating our processes via hardened containerization technology. Our security team sets architectural guidelines, conducts code reviews, and deploys every software system that can interface with customer data.

Our developers are trained with specific attention toward security. Our automated and manual code review processes look for any code that could potentially violate security policies. We have also instituted a standardized security stack that is kept in compliance using software composition analysis tools.


Payment processing

We process all payments using Stripe, which has been certified as a PCI Level 1 Service Provider.


Vulnerability management

Our security team performs Vulnerability Assessment and Penetration Testing (VAPT) of our ongoing releases. All vulnerabilities found during VAPTs are managed internally in our vulnerability management system. All vulnerabilities are assigned a score using the CVSS scoring system, an owner, and a deadline based on an internal SLA for fixing vulnerabilities.


Penetration testing

In addition to our regular security reviews, we partner with trusted third-party security companies to perform annual penetration tests across our product ecosystem.


Bug bounty program

We run a private bug bounty program with HackerOne in which we invite ethical hackers to continually look for any potential security vulnerabilities in our platform.

To report a security vulnerability please review our security reporting guidelines and policy.


Attack prevention and mitigation

We maintain intelligent web application firewalls on our load balancers, which, along with the elastic scaling capacity of our compute instances, mitigate attacks at the application layer.

We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection, and archived in vaulted storage. We implement measures to detect and prevent log tampering or interruptions. To detect security breaches, we monitor access patterns and network data flow patterns using automated systems that alert us in case of an anomaly. We run automated scans on each feature release to ensure we aren't introducing any security issues from third-party libraries. In case of a customer-reported breach, the leadership team is notified automatically and the report is responded to within a few hours, as per set policies.


Incident response

We have incident response policies and procedures to address service availability, integrity, security, privacy, and confidentiality issues. As part of our incident response procedures, we have trained our teams to:

  • Promptly respond to alerts of potential incidents
  • Determine the severity of the incident
  • Analyze and assess the extent of the incident
  • If necessary, execute mitigation and containment measures
  • Communicate with relevant internal and external stakeholders, including notifying affected customers to comply with relevant laws and regulations and to meet contractual obligations around breach or incident notifications
  • Gather and preserve evidence for investigative efforts
  • Conduct and document a postmortem and develop a permanent triage plan

The incident response policies and processes are audited as part of our SOC 2 and other security assessments. Check out our status page for service availability information.


Shared responsibility model

While we continuously focus on doing our part to maintain high standards for security and complying with regulations, you also have a role to play in helping to ensure the security of your data. It's our responsibility to ensure that Postman products and services are safe and secure to use, and it's your responsibility to follow safe practices with the data you store within Postman.

To learn more about the things we expect our users to be aware of during regular product usage, please read the shared responsibility model guide.

For details on what information we collect from you and how we use, share, and store that information, consult our privacy policy.


Reach out to Postman Security

Our security team ensures the security of data stored with Postman and helps you keep your APIs secure by providing security-aware features, workshops, and content.

If you find a vulnerability in our service or website or want additional information about our security policies, you can contact us at security@postman.com. You can use our PGP public key to encrypt your communications with us.

If you are reporting security vulnerabilities or if you are a security researcher, review our security reporting guidelines and policy.


Security Portal

Access Postman’s security and compliance documents on our Security Portal, such as penetration testing and audit reports.
