Security and Trust Portal

Notification: Updated Postman Sub-Processor List

Consistent with Postman’s ongoing commitment to transparency and compliance with data privacy laws, and in accordance with our contractual obligations to you, Postman is writing to provide you with a list of our current sub-processors in a newly formatted list that takes into account new potential data processing use cases through new products and features.

To view or download the updated Postman sub-processor list, please visit the Postman Trust Center here

A full list of Postman’s sub-processors can be found here.

We appreciate your continued trust in Postman. If you have any questions, please do not hesitate to contact us at Postman Support.

News Event: Shai-Hulud 2.0 npm supply-chain attack

Postman has discovered unusual activity in our NPM org that was identified as relating to the ongoing “Shai-Hulud 2.0 npm supply-chain attack.

Please read more on our blog post: https://blog.postman.com/engineering/shai-hulud-2-0-npm-supply-chain-attack/

As of November 20, 2025, Postman has confirmed that our systems remain unaffected by the unusual activity reported in connection with Gainsight applications and Salesforce integrations.

Our Security Engineering team conducted a thorough review of our Salesforce and Gainsight logs. No indicators of compromise (IoCs), unauthorized access, or exploitation were identified.

We have proactively disabled our connection between Gainsight and Salesforce while Gainsight addresses the issue on their end. This is a temporary and precautionary measure.

As of October 3, 2025 Postman’s investigation determined our systems are not impacted by the s1ngularity/Nx and Shai-Hulud npm supply-chain attacks.

As of Sept 4th, 2025, Postman’s investigation has determined that our systems are not impacted by the Salesloft Drift vulnerability.