Security and compliance: a shared responsibility model

Postmanaut sitting at computer and screen. Illustration.

A shared responsibility model

Maintaining high security standards and staying compliant with regulations is a continuous focus for Postman. However, as an end user of Postman services, there are some aspects where you share responsibility for security and compliance of the data that you store with Postman.

Our responsibility is to ensure that Postman products and services are safe and secure to use, while yours is to ensure that you follow safe practices with the data you store within Postman. Here are a list of things that we expect our users to be aware of during regular product usage:

  1. Protect your Postman Client app installation

    Ensure you download the latest version of the Postman App and that you have adequate access protection to the systems (workstations) where Postman is used or accessed from. Postman app keeps a local copy of your data and as such it is recommended that the storage medium is encrypted and adequately protected from unauthorised access.
  2. Protect access to your Postman account

    Ensure you have a strong password for your Postman account. If you are using Google to sign in or have configured a single sign-on mechanism ensure you have adequate protection of those systems and accounts. Postman API Keys can access your data—ensure that api keys are safely stored, transmitted and protected from accidental exposure.
  3. Segregate data access based on user roles

    You choose who has access to your data, hence it is advised that you segregate workspaces and environments where PIIs or PHIs are stored and limit access to individuals eligible to access such data. Postman “admin” role must be used judiciously among a limited few who are aware of the responsibilities of administering Postman services.
  4. Safely store sensitive information

    Avoid storing sensitive information anywhere except within Postman Environment variables. Postman also facilitates restricting the syncing of sensitive information to Postman servers. Using “Sessions”, you can choose to keep the sensitive information to within your local system.
  5. Be aware of what you publish publicly

    Postman provides features to share data outside your organization, such as documentation and mock servers. Please avoid publishing any sensitive data in these public elements, including your API keys and personally identifiable information.
  6. Audit your Postman Account

    Use the Postman audit logs to verify legitimate account access and be aware of any unusual activity. Ensure legitimate team members have access to your account and that unexpected changes have not been made to team settings.
  7. Have an oversight on your outgoing data

    Ensure email address that get notifications for monitor run failures and errors are authorised to receive such notifications.
  8. Be aware of what PIIs and PHIs are carried by Postman as a conduit

    PHI that you transmit through Postman must come from HIPAA compliant source and the same must be observed while sending to any service.
  9. Do not share PII/PHI through any support medium

    Postman support will never ask to share your personal information and neither should you. PIIs or PHIs of no individual should be shared through Postman support medium.
  10. Usage of Postman Integrations are not bound by security agreements

    If you deal with PIIs and PHIs (or have signed BAA with us) do not use integrations without ensuring you have instituted security and compliance agreements directly with the integration service provider.

We also have a list of recommended best practices of designing and developing using Postman when dealing with PIIs and PHIs

Different Postman plans have different security features. See the Postman Security Features guide to learn more about them.

  • Always make API calls over TLS (and other secure protocols.) and do not disable client-side SSL validations.
  • Avoid disabling SSL certificate validations for Postman Monitors.
  • Follow secure coding practices within scripts run as part of collections by not accidentally sending PIIs and PHIs to systems that are not supposed to receive them.
  • Have a peer review process of critical collections and merge changes to such collection using Postman’s collection fork and merge feature.
  • Enable SSO based login and disable password based login. Enable 2FA on your SSO identity provider.
  • To test APIs behind a whitelisted restricted firewall, Postman provides the option to monitor APIs from a static IP address. Use it to additionally restrict access to your critical network connected systems that has PIIs or PHIs.
  • If you suspect your account has been compromised, please remove the affected user account. If you suspect an API Key has been compromised, revoke access to the same from the dashboard.

Security Portal

Access Postman’s security and compliance documents on our Security Portal, such as penetration testing and audit reports.

Visit Security Portal