Security and Trust FAQ

Find answers to some of our company's most common security questions.

FAQ

Does Postman adhere to information security standards?

Postman complies with global industry standards on data security and privacy, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.

We also undergo annual compliance assessments to validate our practices, including the System and Organization Controls (SOC 2) and Microsoft's Supplier Security and Privacy Assurance (SSPA). These assessments cover our company's security, availability, and confidentiality practices.

Download SOC 2 and 3 reports on the Postman Security and Trust Portal. Also, please access our compliance and security pages for more information about our practices.


What is customer data and personal data?

Customer data includes content you upload or create using our Services. You can find your rights regarding "Your Content" in our Terms of Service.

In addition, our privacy program protects personal data in accordance with global privacy regulations, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as the growing body of privacy laws in U.S. states and around the world.

We minimize the personal data we collect to what is needed for business purposes, including provisioning user seats and authentication. We also prohibit the upload of sensitive personal information and other highly regulated data into our development platform and discourage the use of personal data for testing.

Please read our Privacy Policy to learn how Postman collects, uses, transfers and shares your data.


What are Postman's data encryption and key management practices?

We protect customer data using cryptographic methods and industry standards. All data in transit is encrypted using the latest Transport Layer Security. At rest, data is encrypted by default using AES-256-GCM, ensuring confidentiality and integrity. We also secure sensitive data, such as environment variables and tokens, at the application layer with AES-256-GCM and manage encryption keys through AWS.

For more information, read our security page.


How does Postman secure its applications?

Postman secures its applications at every layer and phase, from development to deployment and operation. We use containerization to isolate software, set architectural security guidelines, and perform code reviews. Industry standards and security frameworks are applied throughout the software development lifecycle, with testing for OWASP vulnerabilities. Annually, third-party firms validate our ecosystem's security, and our bug bounty program allows anyone to report potential vulnerabilities in the Postman API Platform.

Learn about Postman's software security practices.


What are Postman's vulnerability management processes?

We conduct vulnerability scans on the network, application, and operating system layers, enabling us to patch vulnerabilities across Postman's computing devices and applications. We may also remove and turn off services.

We also oversee what software is installed on Postman systems and can mitigate issues. For example, any software installed is reported to a central repository for analysis. We also have patching mechanisms built into the operating systems to update devices automatically.

Read about our vulnerability management practices.


How does Postman respond to potential security incidents?

Our company has policies and procedures for handling potential incidents and responding adequately, including investigation, containment, and mitigation measures. Learn more about Postman's incident response practices.


How does Postman protect data centers?

Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security. Our company's product data and backups are hosted on AWS servers in the EU and U.S., which offer strong security and privacy-focused features.


How does Postman respect privacy?

Our comprehensive privacy program implements best practices for the collection, use, sharing, international transfer, and deletion of personal information. We believe that your personal information is your property, and we respect your privacy rights and preferences, including through up-to-date cookie controls and other collection mechanisms.

We also require the execution of standard Data Privacy Agreements (DPAs), which include security requirements and Technical and Organizational Measures (TOMs) for customers and vendors we contract with.


How can I access the Postman Data Processing Addendum?

Prospective customers can request access through our Security and Trust Portal.


Is Postman a member of the EU-U.S. Data Privacy Framework?

Postman received early certification approval from the U.S. Department of Commerce as a participant in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF). This approval acknowledges that Postman is compliant with the EU-U.S. data privacy requirements pursuant to the European Commission's July 2023 adoption of the adequacy decision.

Read Postman's certification.


How does Postman manage customers' data after they stop using the product?

We keep your data in secure offline backups for 15 days after you delete your account or end your relationship with us. After that period, Postman permanently deletes your data from the product.


Does Postman share customer data with any of its third-party partners or sub-processors?

We only share information with third parties to help us operate, support, and market our services. We do not sell your data for commercial purposes or "share" data as defined under the CCPA and CPRA. All third-party vendors, including our sub-processors, undergo a privacy risk assessment and are required to execute our standard vendor DPA.

Please view the complete list of Postman sub-processors.


Does Postman sell my data?

No. We do not sell any customer data.


How do I report a privacy incident?

Send us an email at security@postman.com.


How do I delete my Postman account?

View the instructions on the Postman Learning Center to delete your account.


Are API responses stored in logs?

No. Postman does not log API responses by default. However, you can keep responses in your Postman History if you want to save responses.


How does Postman secure its workforce and corporate environment?

Postman has HR processes to secure its workforce. For example, all new workers complete a background screening and verification before employment or access to any systems. In addition, we've implemented technical controls that assign role-based access to applications and systems during onboarding, enabling us to restrict accounts and customer data.

We also have procedures that protect data by revoking access to tools, accounts, and applications for workers who have been terminated or left Postman.

All new hires and workers complete privacy and cybersecurity training annually.


What if I have other questions?

Contact Postman Support after reading our security, privacy, compliance, reliability, and legal pages.

Explore the Postman Learning Center for documentation and support resources.


Postman Security and Trust Portal

Access Postman's security and compliance documents on our Security and Trust Portal, such as penetration testing and audit reports.
