Postman’s new SOC 2 Type 2 report: how (and why) we did it

At Postman, we’ve always been deeply committed to keeping the Postman platform secure and keeping customer data safe. As part of that commitment, in early 2019 we kicked off an initiative to perform a series of System and Organization Controls (SOC) examinations to adhere to the security, availability, and confidentiality standards set forth in SOC’s Trust Services Criteria.

We undertook this initiative because we knew it could provide crucial third-party validation for our security efforts with respect to the Postman API Platform, and we know how important security is to every Postman customer.

The first step on our journey was determining the security controls and processes necessary to achieve the security we desired. Rather than start from scratch, we wanted an open common control framework that could serve as the basis for our program and that we could modify to suit our needs. We settled on the Adobe Common Controls Framework (CCF), as it contained the mappings to nearly a dozen industry-standard requirements, including those related to SOC. We then modified the controls and associated activities in the CCF to suit our desired security program. In May 2019, that decision was validated by the completion of our SOC 2 Type 1 audit. With that achievement completed, we aimed for the next security-validation milestone: SOC 2 Type 2.

The Postman security team then spent the ensuing nine months working diligently to implement the modified set of controls and associated activities noted above. We did extensive documentation, implemented new controls, and automated certain activities where possible. Our goal was to have all of these elements ready when the SOC 2 Type 2 examination process began. We kicked off the Type 2 audit period in September of 2020. The audit period ended on February 28, 2021, and—as you may have guessed by the title of this blog post—we received the audit report with a favorable opinion.

We learned quite a bit through the Type 1 examination and even more during the Type 2 examination. We have plans to incorporate these substantial learnings into further enhancing and simplifying our control environment. We also plan on heavily investing in control automation to significantly reduce the operational burden of each activity. All of this will continue to make the Postman API Platform even more secure.

Looking to the future, we’ll continue seeking more ways to provide the utmost level of service and confidence to every Postman customer. Our security and compliance teams are constantly monitoring the evolving technology landscape for potential opportunities to ensure a scalable solution while maintaining compliance with appropriate regulations. And, of course, the teams will continue listening to customer needs, requests, and requirements every day.

For some additional insight into where we are today, please visit the Security at Postman page.
