Postman Cloud Collections and Security

Postman has discontinued the option to have Collections locally and is forcing people to move all the data into your cloud, which includes API calls, usernames, passwords and lots of other confidential data.

How is this data stored and who can see it? Can some government agency require you to show this data? Is this encrypted, what kind of encryption is used, how is this encryption implemented?

If data was synced by a person who is working for a company, which later found that passwords or internal confidential info are stored on Postman servers, how can they request removal of this, and how can they be sure this is not stored in your DR, backup and archive solutions? How can we be sure it was not exported somewhere to be used for some internal AI/ML building or sent by email?

Hey @dejan.rodiger :wave:

Welcome to the Postman Community! :postman:

To address the questions raised here, we have created an FAQ section on the blog post announcing the new lightweight Postman API client.

This contains information about how Postman protects your data and it provides a link to our Security & Trust Portal, where you will find additional details about our product security, privacy, compliance, and reliability information.

If you’re still prevented from using Postman in a signed in state by your company’s security policies, you can reach out to our technical architects and solution engineers at [email protected] for further assistance.

The Security and Trust Portal doesn't answer my questions on how you encrypt my passwords, whether they are encrypted when they travel from my PC to your Cloud, whether they are backed up and replicated, and how we can request deletion.
If you are hacked and passwords are not encrypted, do you understand what will happen to Postman as a company and to your reputation? You will be sued by all the companies, since you endangered their internal data.

You are obviously not aware of what you are doing?

I am sure there are many companies which might not even be aware of this… so it would be good to show this info to everybody…

More security-related information can be found here, which covers the questions you're asking:

With V11 of Postman, we have introduced the Postman Vault (Store secrets in your Postman Vault | Postman Learning Center), which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud. Also, we have added multiple security features to help prevent accidental exposure of your API credentials.


Hi @dejan.rodiger – Thanks for raising these questions. We recently shared an update from our Head of Security, Sam Chehab, that outlines exactly how we approach security for all Postman users, including on the Free plan.

A couple of key points you might find helpful:

  • Proactive secret scanning before publishing – Before any collection is published or made visible in a public workspace, the Postman Secret Scanner will detect and redact sensitive values such as API tokens, credentials, or private keys, and notify the admin so they can take action before anything is exposed.

  • API response history control – On the Free plan, history is disabled by default (but can be enabled if needed), and workspaces can be purged to remove stored history.

You can read the full update here for more detail on encryption, secret storage, and how Postman helps teams avoid accidental exposure: Postman (Free) is secure by design
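The replies above describe two defensive controls: keeping credentials out of the synced collection (the Vault) and scanning a collection for secrets before it is shared. The following is an added example, not Postman's own scanner or any code from this thread, showing what such a pre-sync check looks like over a constructed collection in the Collection v2.1 layout (field names `variable`, `item`, `request.header` and `request.auth` are assumed from that format; the patterns and the `{{REDACTED}}` placeholder are my own choices). It walks nested folders, redacts header, auth and variable values that look like credentials, and reports only where they were and a short prefix.

```python
import copy
import re

# Field names that conventionally carry credentials (headers, auth params, variables).
SENSITIVE_NAME = re.compile(r"(?i)(authorization|api[-_]?key|token|secret|password|passwd)")
# Value shapes that look like credentials regardless of the field name.
SENSITIVE_VALUE = re.compile(r"(?i)(\bbearer\s+\S+|\bAKIA[0-9A-Z]{16}\b|-----BEGIN [A-Z ]*PRIVATE KEY-----)")
PLACEHOLDER = "{{REDACTED}}"  # constructed placeholder; supply the real value from a local vault at run time

def _is_secret(name, value):
    return isinstance(value, str) and bool(value) and bool(
        SENSITIVE_NAME.search(name or "") or SENSITIVE_VALUE.search(value))

def _redact_kv_list(entries, path, findings):
    """Redact {key, value} entries in place; record the location and a short prefix, never the full secret."""
    for e in entries or []:
        if _is_secret(e.get("key", ""), e.get("value")):
            findings.append((f"{path}/{e.get('key')}", e["value"][:8] + "..."))
            e["value"] = PLACEHOLDER

def _walk_items(items, path, findings):
    for it in items or []:
        name = f"{path}/{it.get('name', '?')}"
        _walk_items(it.get("item"), name, findings)  # folders nest further items
        req = it.get("request")
        if isinstance(req, dict):
            _redact_kv_list(req.get("header"), name + "/header", findings)
            auth = req.get("auth") or {}
            _redact_kv_list(auth.get(auth.get("type", "")), name + "/auth", findings)

def scan_and_redact(collection):
    """Return (redacted copy, findings); the caller's collection is left untouched."""
    redacted = copy.deepcopy(collection)
    findings = []
    _redact_kv_list(redacted.get("variable"), "variable", findings)
    _walk_items(redacted.get("item"), "item", findings)
    return redacted, findings

# Constructed sample in the Collection v2.1 layout (assumed shape; all values are made up).
SAMPLE = {
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"},
                 {"key": "apiToken", "value": "sk_live_constructed_0123456789"}],
    "item": [{"name": "Auth", "item": [{"name": "Login", "request": {
        "method": "POST", "url": "{{baseUrl}}/login",
        "header": [{"key": "X-Api-Key", "value": "constructed-key-1234"},
                   {"key": "Content-Type", "value": "application/json"}],
        "auth": {"type": "basic", "basic": [
            {"key": "username", "value": "alice", "type": "string"},
            {"key": "password", "value": "hunter2-constructed", "type": "string"}]}}}]}],
}
```

Running `scan_and_redact(SAMPLE)` on the constructed collection flags the `apiToken` variable, the `X-Api-Key` header and the basic-auth password while leaving `baseUrl`, `Content-Type` and the username untouched; the findings list is safe to log because it never contains a full value.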