Postman Is Now SOC 2 Certified


We’ve always taken security seriously.

Now, with over 200,000 companies and 6 million developers using Postman worldwide, we wanted to make it easier for both small and large companies to understand exactly how seriously we take security. So, we went ahead and got SOC 2 certified.

Just to give a quick overview, Service Organization Controls (SOC) reports are assurance reports, issued by an independent auditor, that attest that a company adheres to the trust service principles. These principles, set by the American Institute of Certified Public Accountants (AICPA), are security, availability, processing integrity, confidentiality, and privacy. There are multiple types of SOC reports; SOC 2 is the one most commonly requested of SaaS companies like Postman, because it covers the controls that protect customer data. These reports give enterprises and customers a way to assess the security of a service like Postman.

After considerable time and effort, we are excited to announce that Postman has successfully completed the Service Organization Controls (SOC) 2 Type 1 audit with no exceptions.

This is an essential step in our mission to ensure security and governance, and we won’t stop here. A Type 1 report attests that our controls were suitably designed and in place at a point in time; a Type 2 report tests whether those controls operated effectively over a review period. So while the SOC 2 Type 1 report is an important milestone, we already have our eye on a Type 2 report, which will further validate the strength of our controls over time. We hope these reports convey our effectiveness at safeguarding the data of our current and future customers.

The Postman SOC 2 Type 1 report is available under NDA upon request.

What do you think about this topic? Tell us in a comment below.



1 thought on “Postman Is Now SOC 2 Certified”

    How does Postman facilitate the separation of duties requirement for public companies? Are there user permission levels such that developers can have the ability to create and edit collections, but not the ability to publish those collections to the public API auto-generated documentation? This would also mean that only certain people (who are not developers) would have the permission to publish.