- What does zero data retention mean for SaaS integrations?
- Zero data retention (ZDR) means integration payloads are processed in memory and never written to disk. When a SaaS product reads a customer invoice, contact, or employee record through a ZDR integration layer, the record passes through the platform in real time and is delivered straight to the product, with no copy stored on the integration provider infrastructure. Apideck is built this way by default: third-party customer data is never persisted on Apideck servers, because the Unify API is a real-time pass-through layer rather than a sync-and-cache database.
- What is a ZDR API?
- A ZDR API is an API that processes request and response data in memory and retains none of the underlying records once the call completes. The Apideck Unify API works this way. Your call is authenticated, normalized, forwarded to the underlying provider (QuickBooks, Salesforce, Workday, and so on), and the response is normalized and returned, all in a single real-time round trip. Nothing about the customer records is cached or stored, so there is no integration data lake to secure, breach, or delete.
- Does Apideck store my customers data?
- No. Apideck does not store your customers business data. API calls are processed in real time and passed directly from the source system to your application. Because Apideck does not cache your information, you also get up-to-date data on every call instead of a stale copy from the last sync. Zero data retention has been a founding premise of how Apideck designed its infrastructure and platform, not a feature added later.
- How is zero data retention different from a sync-and-cache unified API?
- Many unified API platforms use a sync-and-cache model: they replicate your customers records into their own datastore on a schedule, then serve your reads from that copy. That means a third party holds a persistent, growing store of your customers financial, HR, or CRM data. Apideck uses the opposite model, real-time pass-through, so the data is never persisted. Sync-and-cache trades data residency and freshness for convenience. Pass-through keeps the data with its owner and delivers it live. For products handling sensitive data, pass-through is the lower-risk architecture.
- Is zero data retention the same as encryption or SOC 2?
- No, they are complementary. Encryption protects data in transit and at rest, and SOC 2 audits the controls around how a company handles data. Zero data retention goes a step further by removing the at-rest copy of third-party customer data entirely, so there is less sensitive data to protect in the first place. Apideck combines all three: TLS-encrypted transport, SOC 2 Type II certification, and a pass-through architecture that does not persist customer records.
- Does zero data retention cover OAuth tokens and connection credentials?
- ZDR at Apideck applies to your customers business data, the records that flow through the API. Connection credentials are handled separately. Apideck Vault stores OAuth tokens encrypted so your product does not have to manage per-provider credentials and end users do not have to re-authenticate on every call. The distinction matters: the sensitive business records are never persisted, while the minimal credentials required to keep a connection alive are held securely and encrypted in Vault.
- Does ZDR cover third-party tools and downstream services?
- Zero data retention covers data while it is processed by Apideck. Once data reaches your application, or any downstream tool, model, or MCP client you send it to, it is governed by that service data-handling policy, not by Apideck. If you forward records to your own database, an analytics warehouse, or an LLM provider, review those services retention terms. Apideck guarantee is that the pass-through layer itself keeps no copy.
- Why does zero data retention matter for AI agents?
- AI agents read and write across a customer CRM, accounting, and HR systems through integration tooling, often via MCP. A pass-through layer with zero data retention means the agent works against live data without a third party accumulating a copy of everything the agent touches. Apideck operates a hosted MCP server at mcp.apideck.dev that exposes the Unify API as agent-callable tools over the same ZDR pass-through architecture, so agent access does not create a new retained data store.
- Is Apideck GDPR compliant?
- Yes. Apideck is SOC 2 Type II certified, GDPR-compliant, CCPA-aligned, and ISO 27001 compliant, with EU hosting available. Data minimization is the default, third-party data is never persisted, and Data Scopes let you request only the specific fields your product needs. Not retaining customer data also simplifies GDPR obligations such as the right to erasure, because Apideck holds no copy to delete.
- Can I still get audit logs and observability with zero data retention?
- Yes. Not retaining customer records does not mean flying blind. Apideck provides structured API Logs so you can see every request and response your integration made, with role-based access and PII controls, and Data Scopes give you field-level control over what data is requested in the first place. You get the observability you need to debug and audit integrations without a persistent copy of your customers underlying data.