Postman Logo

Customer Trust Portal

Start your security review
View & download sensitive information

Welcome to the Postman Customer Trust Portal, where you will find downloadable documents on product security, privacy, compliance, and reliability. Documents are available to current customers or prospects. If you’re looking for general security information, please see our security page: https://www.postman.com/security/

Data security is a shared responsibility between Postman and its users. Learn how you can help keep your data secure and private: https://www.postman.com/security/shared-responsibility/.

Customer Trust Portal Updates

Notice of Security Incident

Copy link
Incidents

On June 13, Postman became aware of a potential data security incident after a third-party provider, Klue, notified us that it had been compromised. Klue, a marketing-intelligence tool integrated with Postman's Salesforce and Gong SaaS platforms, suffered a security incident on its own platform, which resulted in access to Klue’s customers’ Salesforce and Gong services. 

Upon discovery, we immediately disabled all integrations with Klue, and launched a comprehensive investigation with the assistance of third-party cybersecurity experts. 

On June 17, 2026, Postman confirmed that exfiltration of customer contact data and sales information occurred between June 11-12 from its Salesforce environment via the compromised Klue service account; customer data was not accessed from Gong. During our review of the systems and data impacted, we discovered the following types of information had been exfiltrated by the unauthorized user: business contact and sales information such as company, name, email, title, phone number, account name, quotes, Postman user ID, team ID, and plan tier.  

With the assistance of third-party security experts, we conducted a thorough investigation into the nature and scope of the security incident and the data impacted. In addition to disabling all integrations with Klue, we have taken steps to remediate and further secure our environment. We are complying with our contractual and regulatory reporting obligations.

Postman is aware of the cybersecurity incident impacting one of our vendors, Klue. Klue informed us earlier this week that their incident involved unauthorized access that impacted its customers through integrations with Salesforce and Gong. All access and integration with Klue and any integrated systems was immediately disabled. Pursuant to Postman’s incident response policies, we immediately launched an independent investigation as to the scope of impact to Postman systems and data. We have confirmed exposure of business contact data and sales-related data contained in our Salesforce instance. We have engaged forensic experts to determine which of our customers may have been impacted.

Our core platform services remain secure and are not impacted by this incident.

We care about the security of our customers' information and will provide further information as we obtain it.

Notification: Postman New Sub-Processor

Subprocessors

Consistent with Postman’s ongoing commitment to transparency and data privacy, and in accordance with our contractual obligations to you, Postman is writing to inform you of a new addition to our list of sub-processors. 

New Sub-Processor Details

As of June 15, 2026, Postman has engaged and will deploy Google Gemini Enterprise Platform to provide Google AI/LLMs models for AI agent research and development. 

  • Sub-Processor Name: Google Gemini Enterprise Platform 

  • Company Location: California U.S.A. 

  • Purpose of Processing: To provide Google AI/LLM models for agent research and deployment.  

  • Data Processed: Data uploaded, created, or otherwise processed through the Services. 

If you object to this change on reasonable grounds relating to data protection, please notify us in writing within 10 days of this notice by contacting privacy@postman.com

A full list of Postman's sub-processors can be found here

We appreciate your continued trust in Postman. If you have any questions, please do not hesitate to contact us at Postman Support.

Notification: Postman New AI Sub-Processor

Subprocessors

Consistent with Postman’s ongoing commitment to transparency and data privacy, and in accordance with our contractual obligations to you, Postman is writing to inform you of a new addition to our list of sub-processors. 

New Sub-Processor Details

As of July 1, 2026, Postman has engaged and will deploy Daytona to provide a sandbox environment to run AI-generated code and Agents. Use of Daytona sandboxes are voluntary. 

New Sub-Processor Details 

  • Sub-Processor Name: Daytona 

  • Company Location: New York, New York, U.S.A. 

  • Purpose of Processing: Used to spin up secure sandbox environments to execute AI-generated code.  

  • Data Processed: AUser workspace data will be loaded into the Daytona Sandboxes for user developed Agents or other code to interact with inside of the sandbox. 

If you object to this change on reasonable grounds relating to data protection, please notify us in writing within 10 days of this notice by contacting privacy@postman.com

A full list of Postman's sub-processors can be found here

We appreciate your continued trust in Postman. If you have any questions, please do not hesitate to contact us at Postman Support.

Notification: Postman New Sub-Processor

Subprocessors

Consistent with Postman's ongoing commitment to transparency and data privacy, and in accordance with our commitment to you, Postman is writing to inform you of a new addition to our list of sub-processors. 

Postman has engaged and will deploy ClickHouse to host the backend database to support Postman's product functionality, including logging, analytics, and observability. We will be deprecating TigerData, which is currently listed as a sub-processor for these capabilities. 

New Sub-Processor Details 

  • Sub-Processor Name: ClickHouse 

  • Company Location: Mountain View, CA, U.S.A. 

  • Purpose of Processing: Provides managed, columnar database platform (ClickHouse Cloud) used to store, query, and analyze data processed on the platform for observability, performance, and product insights. 

  • Data Processed: Account identifiers, telemetry data, metadata, usage analytics, queries, and payloads. 

If you object to this change on reasonable grounds relating to data protection, please notify us in writing within 10 days of this notice by contacting privacy@postman.com

A full list of Postman's sub-processors can be found here

We appreciate your continued trust in Postman. If you have any questions, please do not hesitate to contact us at Postman Support.

News Event: Axios npm Supply Chain Attack Review

Vulnerabilities

As of March 31, 2026, Postman has completed its investigation into the reported Axios npm supply chain attack involving malicious package versions.
Postman has not identified any systems related to its product platform that are externally exposed and vulnerable, and customers do not need to take any further action to safeguard their instances of Postman.

Featured Documents

SOC 2 TYPE 2 REPORTSData Flow Diagram (DFD)

Sub-processors