Postman is HIPAA-Compliant

Sam Chehab

Every security team evaluating a vendor is asking the same core questions: Where is my data? Is it encrypted? Who can access it? What happens if something goes wrong?

Readiness for the U.S. Health Insurance Portability and Accountability Act (HIPAA) isn’t about answering those questions just once. It’s about answering them consistently, at scale, in production and over time. At Postman, ensuring that we are HIPAA-compliant is the result of a deliberate effort to continually test our security assumptions and strengthen our security controls to protect customer data across the platform—and, just as importantly, to remove unnecessary friction for customers trying to adopt us.

Removing Historical Requirements on our Customers

Historically, before signing a Business Associate Agreement (BAA) for our HIPAA-covered customers, Postman required our customers to purchase and enable Advanced Security Administration (ASA) features such as Bring Your Own Key (BYOK) encryption, Secret Scanner, Vault, and other security features to ensure the appropriate level of security vigilance. Some of these features, however, created a hard blocker. For example, BYOK, which is tied to Amazon Web Services Key Management Service (AWS KMS), didn’t serve the needs of customers operating in a non-AWS cloud environment.

With advancements in our baseline security controls, and third-party confirmation of our compliance, we’ve been able to remove the need for customers to implement mandatory BYOK.

Postman’s baseline Enterprise security controls now independently satisfy HIPAA’s technical safeguards without this ASA add-on. In particular, we’ve taken a hard look at how data actually moves through Postman to ensure that we are providing comprehensive controls across our platform, such as:

  • Encryption at rest and in transit
  • Role-based access control and MFA
  • Tenant isolation
  • Governed access to production systems

In short, we have done the hard work to assure ourselves and our customers that we continuously meet our core security program objectives of protecting the confidentiality, integrity, and availability of sensitive customer data across the platform and over time. As a result, BYOK is now a “plus” for our customers, but not a requirement to meet compliance objectives; it remains available to customers who want to manage and control their own encryption keys.

What we’ve done

We’ve approached our compliance objectives not as a check-the-box, point-in-time exercise. Rather, we spent approximately 700 hours organization-wide over nearly a year, taking a hard look at how data actually moves through Postman, testing our controls, and challenging our assumptions.

We mapped and classified data across the platform, validated it against production systems, and enforced tighter controls where it mattered:

  • Automated data discovery and classification across cloud storage and data services, providing continuous visibility into where sensitive data resides in real time
  • Restricted access to production systems
  • Redaction of sensitive data from logs
  • Stronger controls on how and where data is stored

This was not trivial. Supporting a platform used by tens of millions of developers means aligning dozens of services, teams, and data patterns.

But controls on paper don’t protect anyone. Controls in production do.

We’ll keep building

We’re continually looking for ways to validate our strategy and learn. You’ll start to see that show up in new areas, especially in how we approach AI. We’ll keep investing in stronger controls, clearer governance, and better ways for our customers to build securely at scale.

If you’re evaluating Postman for a healthcare use case, start with the audit report in the Postman Trust Center. Please reach out with questions; we’re here to work with you!
