Security, Data Handling & Audit

What FroggerAPI processes

• Postman collections or OpenAPI definitions
• Used only to validate and normalize API scan inputs
• No runtime traffic inspection

What is stored

• Normalized OpenAPI definitions (Pro / Enterprise)
• Version history and diffs
• Audit events (metadata only)

FroggerAPI does not store API traffic, credentials, or secrets.

Audit logging

FroggerAPI records governance decisions for traceability and compliance.

• Who submitted a spec (user or API key)
• When validation occurred
• Which ruleset was applied
• Whether the spec passed or failed governance checks
• Spec hash (no spec body in logs)

Audit logs are tenant-scoped and read-only.

CI/CD behavior

CI integration is optional. FroggerAPI does not block deployments by default.

• CI can be run in report-only mode
• Gating is configurable via failOn
• Security workflows do not depend on CI

Deployment options

• Public SaaS (HTTPS)
• Private VPC deployment
• On-prem container deployment