// Trust & Security Report
Postman, Inc.
Postman API Platform (API Client, Spec Hub, Mock Servers, Collection Runner, Monitors, API Catalog, Insights) plus AI features (AI Engineer, Agent Mode, Postbot), Postman CLI, Postman MCP Server, and Enterprise add-ons (Advanced Security Administration: BYOK, Secret Scanner, Vault)
Certifications held
11
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.postman.com“SOC 2 Type 2 listed in Regulatory Compliance and Standards section of trust portal; corroborated by vendor blog: 'We kicked off the Type 2 audit period in September of 2020. The audit period ended on February 28, 2021' and Postman received 'the audit report with a favorable opinion.'”
Verify on security.postman.com“"SOC 3" listed as a Regulatory Compliance and Standards badge on the Customer Trust Portal.”
Verify on security.postman.com“"ISO/IEC 27001" and "ISO/IEC 27001:2022" (and a separately labeled "Certi-Trust ISO 27001") listed as certification badges on the Customer Trust Portal.”
Verify on security.postman.com“"ISO/IEC 27017:2015" listed as a certification badge on the Customer Trust Portal.”
Verify on security.postman.com“"ISO/IEC 42001:2023" listed as a certification badge on the Customer Trust Portal, alongside SOC 2, ISO 27001, and HIPAA.”
Verify on blog.postman.com“"Postman's baseline Enterprise security controls now independently satisfy HIPAA's technical safeguards without ASA add-ons" and Postman offers to sign 'a Business Associate Agreement (BAA) for our HIPAA-covered customers.' Also listed as a badge on the Customer Trust Portal.”
Verify on postman.com“"Postman complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF)." GDPR is also listed as a Regulatory Compliance badge on the trust portal, and the Privacy Policy documents GDPR legal-basis processing.”
Verify on security.postman.com“"PCI DSS" listed as a Regulatory Compliance and Standards badge on the trust portal and security page.”
Verify on postman.com“"The Cloud Security Alliance's STAR Registry" / "CSA STAR" listed on the security page and trust portal.”
Verify on postman.com“"We do not sell your data for commercial purposes or 'share' data as defined under the CCPA and CPRA." Also listed as a badge on the trust portal.”
Verify on security.postman.com“"TX-RAMP" listed as a Regulatory Compliance and Standards badge on the Customer Trust Portal.”
> Show 1 unconfirmed / not-held certifications
source: security.postman.comNo public evidence. FedRAMP does not appear anywhere in the Regulatory Compliance and Standards section of Postman's own Customer Trust Portal (which does list SOC 2, ISO 27001, ISO 27017, ISO 42001, HIPAA, PCI DSS, GDPR, CCPA, TX-RAMP). Third-party aggregator sites claim FedRAMP compliance but this could not be confirmed on any postman.com or security.postman.com page, and Postman is not listed in the FedRAMP Marketplace search performed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Product data and backups hosted on AWS servers in the EU and the U.S.; Enterprise customers can use Bring Your Own Key (BYOK) to manage their own encryption keys.
There is an unresolved tension in the vendor's own documentation. The Privacy Policy states: 'We may also use information you provide to develop artificial intelligence (AI) tools and systems as set forth in our Postman AI Terms.' Separately, the Security page states: 'Postman does not use customer data in internal testing. All validation and QA efforts are conducted on a production-mirrored internal stack using fictitious data only' -- but that statement is scoped to internal QA/testing, not to AI feature training (Postbot, AI Engineer, Agent Mode). The dedicated Postman AI Terms page (postman.com/legal/postman-ai-terms/) renders its contract text via client-side JavaScript and could not be retrieved to confirm the actual training scope, opt-out mechanism, or tier differences. Treat as unconfirmed (null) until the AI Terms document is read directly or Postman is asked for a direct written answer.
// Security controls
Encryption at rest
AES-256-GCM for data at rest; sensitive data (environment variables, secrets, access tokens) encrypted at the application layer and managed via a key management system (KMS). Enterprise customers can enable Bring Your Own Key (BYOK).
postman.comAccess control
Role-based access control (RBAC) and multi-factor authentication (MFA) cited as baseline Enterprise controls supporting HIPAA technical safeguards; Azure AD SCIM user provisioning also supported.
blog.postman.comTenant isolation
Tenant isolation and governed access to production systems cited as baseline Enterprise controls.
blog.postman.comPenetration testing
Application Penetration Testing and Network Penetration Testing reports available (gated) via the Customer Trust Portal.
security.postman.comData storage redundancy
"All user data is encrypted and stored across six copies in three locations."
postman.com// Products & data scope
data: API requests, collections, environments, workspace content; may be private or public workspaces
Core product available to individuals and small teams; SOC 2 and ISO certifications apply to the shared platform infrastructure.
data: Same workspace content plus admin/org-level controls, SCIM provisioning, audit logs
Baseline Enterprise security controls now independently satisfy HIPAA technical safeguards without requiring the ASA add-on, per Postman's own 2026 HIPAA compliance announcement.
data: Encryption keys (BYOK), scanned secrets, vaulted credentials
Includes Bring Your Own Key (BYOK), Secret Scanner, and Vault. Formerly required for HIPAA compliance; now optional/'a plus' rather than mandatory per the vendor's 2026 blog post.
data: Workspace and API context is used to ground AI suggestions
Governed by the separate Postman AI Terms (content not retrievable at assessment time); Privacy Policy states user-provided information may be used to develop Postman's AI tools and systems, which is not clearly reconciled with the 'no customer data in internal testing' security-page claim.
data: Publicly published APIs, docs, and MCP server listings
Public-by-design; not in scope for confidential customer data handling.
// What to watch
- AI training posture is unresolved: the general Privacy Policy states customer-provided information may be used 'to develop artificial intelligence (AI) tools and systems as set forth in our Postman AI Terms,' while the Security page states customer data is not used in 'internal testing' -- these are different scopes (AI feature training vs. QA) and the dedicated AI Terms document could not be retrieved (client-side rendered) to resolve which controls apply to AI Engineer/Agent Mode/Postbot.
- FedRAMP is claimed by several third-party aggregator sites (not Postman-owned) but does NOT appear on Postman's own Customer Trust Portal certification list; graded held=false pending a vendor-domain source.
- The Customer Trust Portal (security.postman.com) gates most underlying audit reports and documents (SOC 2 report, penetration test reports, DPA) behind a 'Get access' / request flow, so only the certification labels themselves (not the full reports) were directly verifiable.
// At a glance
Pricing model
Freemium SaaS (Free tier, paid Basic/Professional tiers, custom-priced Enterprise tier with add-ons)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Postman, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.postman.com