Security and Compliance: A Shared Responsibility Model
Maintaining high security standards and staying compliant with regulations is a continuous focus for Postman. However, as an end user of Postman services, there are some aspects where you share responsibility for security and compliance of the data that you store with Postman.
Our responsibility is to ensure that Postman products and services are safe and secure to use, while yours is to ensure that you follow safe practices with the data you store within Postman. Below is a list of things we expect our users to be aware of during regular product usage.
We also maintain a list of recommended best practices for designing and developing with Postman when handling PII and PHI:
- Always make API calls over TLS (or other secure protocols) and do not disable client-side SSL validation.
- Avoid disabling SSL certificate validation for Postman Monitors.
- Follow secure coding practices within scripts that run as part of collections, so that PII and PHI are not accidentally sent to systems that are not supposed to receive them.
- Have a peer review process for critical collections and merge changes to such collections using Postman's collection fork and merge feature.
- If you are on the Enterprise plan, enable SSO-based login and disable password-based login. Enable 2FA on your SSO identity provider.
- To test APIs behind a firewall that only allows whitelisted IP addresses, Postman provides the option to monitor APIs from a static IP address under its Enterprise plan. Use it to additionally restrict access to your critical network-connected systems that hold PII or PHI.
- If you suspect your account has been compromised, remove the affected user account. If you suspect an API key has been compromised, revoke it from the dashboard.
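As an added example (not part of Postman's documentation), the helper below illustrates two of the items above inside a collection test script: it redacts PII/PHI fields from a response before that data is forwarded to a secondary system, refuses to forward if anything PII-like survives redaction, and refuses to send over anything other than HTTPS. The field names, regular expressions and the audit endpoint URL are assumptions chosen for illustration, not values from Postman or any real API.

```javascript
// Added example, not Postman's own code. Field names, patterns and the
// forwarding URL below are assumptions for illustration.

// Keys whose values must never leave the collection run. Names are
// normalised (lower-case, non-alphanumerics removed) before comparison, so
// "Date_Of_Birth", "dateOfBirth" and "dob" are all caught.
const SENSITIVE_KEYS = new Set([
  "ssn", "dateofbirth", "dob", "email", "phone", "address",
  "diagnosis", "medicalrecordnumber", "mrn", "creditcard",
]);

function normaliseKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Walk a parsed JSON value and replace the value of every sensitive key with
// a fixed marker. Nested objects and arrays are handled; the input is not
// mutated, so the original response stays available to other tests.
function redactSensitiveFields(value, sensitiveKeys = SENSITIVE_KEYS) {
  if (Array.isArray(value)) {
    return value.map((item) => redactSensitiveFields(item, sensitiveKeys));
  }
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      out[key] = sensitiveKeys.has(normaliseKey(key))
        ? "[REDACTED]"
        : redactSensitiveFields(child, sensitiveKeys);
    }
    return out;
  }
  return value;
}

// Second line of defence: scan the serialised payload for values that look
// like PII regardless of the field name they sit under. Patterns are
// constructed for this example and are not an exhaustive list.
const RESIDUAL_PATTERNS = [
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
];

function findResidualPii(payload) {
  const text = JSON.stringify(payload);
  return RESIDUAL_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Returns the redacted payload, or null if anything PII-like remains, in
// which case the caller must forward nothing.
function prepareForForwarding(responseJson) {
  const redacted = redactSensitiveFields(responseJson);
  return findResidualPii(redacted).length > 0 ? null : redacted;
}

// Only forward over TLS: plain http:// destinations are rejected.
function isSecureUrl(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Usage inside a Postman test script. `pm` exists only in the Postman
// sandbox, so this part is skipped when the file runs under Node.
if (typeof pm !== "undefined") {
  // Hypothetical audit endpoint; replace with your own HTTPS destination.
  const AUDIT_URL = "https://audit.example.invalid/events";
  const safe = prepareForForwarding(pm.response.json());

  pm.test("no PII/PHI in forwarded payload", () => {
    pm.expect(safe).to.not.equal(null);
  });
  pm.test("forwarding destination uses HTTPS", () => {
    pm.expect(isSecureUrl(AUDIT_URL)).to.equal(true);
  });

  if (safe && isSecureUrl(AUDIT_URL)) {
    pm.sendRequest({
      url: AUDIT_URL,
      method: "POST",
      header: { "Content-Type": "application/json" },
      body: { mode: "raw", raw: JSON.stringify(safe) },
    });
  }
}
```

The key-based pass is what most teams write first; the residual-pattern pass is the part that catches the free-text `comment` or `notes` field that a developer forgot was carrying an email address. Failing closed (forward nothing) when a leak is detected is deliberate: a missing audit event is recoverable, a PHI disclosure is not.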