Security

All customer data is stored on the Amazon Relational Database Service and configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only in the private cloud. We have also instituted per-service access protection and data isolation.

We use cryptographic methods and industry standards to protect customer data in transit between Postman clients, the cloud, and at rest. For example, all communications and data in transit over the internet require the latest version of Transport Layer Security, a cryptographic protocol that provides end-to-end encryption. By default, encryption is also enabled on all our services that contain data at rest.

Also, your sensitive data at rest is encrypted on the server side before storage using AES-256-GCM. The Advanced Encryption Standard with Galois Counter Mode (AES-GCM) provides authenticated encryption, which ensures data confidentiality and integrity.

Other encryption methods include securing customer and company data at the application layer using AES-256-GCM. We encrypt sensitive data, including environment variables, access and refresh tokens, and Amazon Web Services (AWS) secret keys. Postman also encrypts your data using a key management service from AWS. In addition, we have key management capabilities to encrypt sensitive data at the application layer.

We maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data, meaning Postman does not distribute customer data for internal testing or validation purposes.

To download assurance reports, access the Postman Security and Trust Portal.