Data access and handling

Learn how and why Postman accesses, processes, transmits, and stores the data generated during tests.

Access

The Postman Insights Agent monitors raw network traffic between services to automatically infer API endpoints. This data is only visible to the Postman Insights Agent and never leaves the host. No network traffic is shared; the Postman cloud only receives the results of the inspection.

The agent does not use the elevated privilege that would allow it to sniff traffic, to send, or to alter traffic.

Processing

The Postman Insights Agent processes witnesses locally, on the host or test worker. The Postman Cloud then processes and analyze the witnesses producing API definitions and endpoint insights. Postman stores metadata about individual requests in a time-series database table.

Transmission

All communication between the Postman Insights Agent and the Postman Cloud is done over HTTPS with TLS 1.2. Authentication and authorization is handled by a Postman API key. The owner of the API key must have edit access to the corresponding Insights workspace.

Storage

All test witnesses and artifacts are stored in the Postman Cloud using on-disk encryption and are only accessed using secure methods and encryption whenever possible. Postman automatically deletes raw request and response data after 30 days. Data deletion or purging of sensitive information is available upon request. The Postman Insights team provides a five-business-day SLA for all deletion requests.