Let's dive into Postman's terms of service (No. 3)

Oh the things you find when you read the fine print

Hey software engineers!

Happy National Chicken Wing day here in the States.

Did you know only 3% of 18-34 year olds actually read terms of service before checking that accept box? Are you surprised it’s that high?

Read them or not, “clickwrap” terms are generally binding—and may have some impact on your business. Accordingly, we’re definitely going to be paying some close attention to them here at Engineering Counsel Daily.

Let’s pick on Postman

Since Postman, the suped up, graphical version of cURL for REST developers, is so prevalent and recently raised $50 million, I thought we could start by reviewing their terms of service.

As a developer using Postman, it seems there are two agreements you’ll be bound by. The first is the end user license agreement (“EULA”), which seems to apply to all versions of Postman – the free one, the paid version, and the enterprise version. 

If you’re publishing your REST API on their directory of APIs, which I wasn’t actually aware of until writing this email, then there’s a link to the documentation that’s supposed to have some additional terms. I couldn’t find anything additional, so I guess Postman just gets to spring it on you (although they do say they “may” contact you if terms change in Section 2.)

Some general observations

The language of the contract seems a bit non-traditional and clumsy at points, but I think Postman is an Indian-based company. So the EULA could have been drafted by non-American lawyers who express things differently than I’m used to. (They do, however, select Delaware to be the governing law and forum of choice, so maybe I’m wrong.)

I don’t mean for this comment to take away from their work, only to offer one possible explanation as to why some of the terms caught me a bit off guard.

Also, generally, I didn’t notice any arbitration terms, so it looks like Postman is comfortable defending its claims in open court. 

A few surprising terms

There were at least three surprising nuggets in the Postman terms of service.

Surprise #1: Only three devices at a time!

One term that jumped out at me as really surprising, as a software developer myself, is that they say you can only be logged into three devices at one time. Section 5.2.

It’s bad enough that I have to fire up my password manager everytime I log into Postman (they didn’t used to require login to use it), but now I can only have three devices connected?!?! I don’t know about you, but I’m constantly switching around from machine to machine and tablet to phone like a schizophrenic, so maybe I’m probably violating the Postman EULA as I write this! 👎

I supposed they’re trying to prevent people from sharing accounts, but still… wouldn’t five or ten logged in accounts be a little more reasonable? Even Microsoft is more generous than that.

Surprise #2: You’re giving them free publicity!

I thought this was rather shocking. Their terms explicitly say that, as a user of Postman, they get to announce to the world that you or your company use it. Section 14.

So, if you work for the National Security Administration, IBM, Accenture, Disney, or other organizations that shy away from this kind of publicity, you should probably know you just gave them permission to blast it out to the universe.

They do permit you to opt out by contacting their sales department. But they caution it could take up to 30 days to remove any publicity. 

Surprise #3: You have to be 16 years old!

I know this only impacts the youngest developers, but this limitation would have been a bummer for me when I got my start.

Feels like a fairly arbitrary limitation to me, especially since kids a lot younger than can get themselves on the social media dopamine loop, which seems a lot more problematic than running some REST calls.

Who’s bound? The company or the user?

This question implicates a big area of law called agency. At a high level, as a developer, you probably have zero actual authority to bind the company to any contracts. But here, from Postman’s point of view, you’re apparently entering into some kind of relationship with them, so they can always argue to the contrary. In other words, it’s always a hard question to answer with precision.

The language in the Postman EULA seems like it’s trying to clarify the point, but the effect is actually more confusion from my point of view:

If you are agreeing to this Agreement not as an individual but on behalf of your employer/company, then You means your employer/company, and you are binding your employer/company to this EULA.

Intellectual property considerations 

In the world of software, we trade in intellectual property, so it’s good to have an understanding of what you get and what you have to give up.

Here, most of Postman’s terms are pretty standard. They let you know that they are giving you the right to use the product, but they basically retain all other rights, including the right to terminate your use if you violate some terms. Pretty standard stuff.

However, there are some other interesting provisions. Rightly, they promise that you own the content that you create with their tool, which is cool. But then, unless I missed it somewhere, they don’t assert that you as the developer give them a license to use the content like Twitter does

So, theoretically I guess you might have an argument that they are infringing your content when you publish it on their site and they, then, do something with that content. (OF COURSE, making that claim would trigger some pretty expensive litigation, I think, so probably isn’t much of a concern, but I’m surprised they don’t include the term.)

Also, there’s an interesting provision whether they promise to indemnify (e.g., defend you against litigation from third parties) developers for certain claims, but I’m not sure they ask the developers to do likewise. Again, maybe I missed it since I certainly didn’t do the in depth analysis like I would for a client, but it did seem a little one sided against Postman. 

Developer restrictions

Section 8 includes a list of restrictions on how you can use Postman. None of it feels very objectionable to me (other than that age 16 limitation I fumed about above). You basically can’t use the software to violate other laws, create derivative works, generate terrible content (e.g., harassing, threatening, vulgar, etc.)

Unlike Apple’s terms of service you could use Postman to build nuclear weapons, I suppose. But why would you want a REST service on a nuclear bomb anyway?

That’s it!

There’s probably a lot more to say about Postman’s terms of service and terms of service in general! But I think I’ve done enough damage here.

Did a friend forward this to you?

Why don’t you get on the list yourself?

LEGAL DISCLAIMERS AND OTHER MUMBO JUMBO: since this is a newsletter from an attorney, it is possible that this could be construed as attorney advertising (in blinking lights, of courts). I should also tell you that anything I say or opinions I offer in the list should never be construed as legal advice — even if you think the facts from some case or situation I discuss are pretty close to yours, small details make a big difference. And besides, since I’m just broadcasting information without seeing your individual situation, how could I possibly be giving you legal advice? Never forget the lesson of the Selfish Giant. And finally, my name is Michael Rice, I wrote this content, I’m licensed in California, and, with rare exception, can only work with clients in California.