Trust & Security

Zero data retention, by architecture

Apideck never stores your customers data. Integrations run through a real-time pass-through layer, a zero-storage architecture, so records are processed in memory and delivered straight to your product. No sync, no cache, no third-party data lake to secure.

SOC 2 Type IIGDPRCCPAISO 27001EU hosting

What is zero data retention?

Zero data retention (ZDR), also called a zero-storage architecture, means integration payloads are processed in memory and never written to disk. When your SaaS product reads a customer invoice, contact, or employee record through a ZDR integration layer, the record passes through in real time and is delivered straight to your app, with no copy stored on the integration provider infrastructure. At Apideck, ZDR is not a mode you switch on. It is a founding premise of how the platform and infrastructure were designed: the Unify API is a real-time pass-through layer, so third-party customer data is never persisted. If Apideck infrastructure were compromised, there would be no customer data to expose, because none is stored.

What zero data retention gives you

Not storing customer data is not just a compliance checkbox. It removes an entire class of risk and makes your integrations faster and simpler at the same time.

No customer data at rest

Third-party business records are processed in memory and passed straight through. Nothing is cached on Apideck infrastructure.

Real-time, always fresh

Because there is no cache, every call returns live data from the source system instead of a stale sync.

Encrypted by default

TLS in transit, encrypted credential storage in Vault, SOC 2 Type II controls around every part of the platform.

Compliance built in

SOC 2 Type II, GDPR, CCPA, and ISO 27001, with EU hosting available and data minimization as the default.

Real-time pass-through vs sync-and-cache

The reason Apideck can offer zero data retention is architectural. Most unified APIs copy your customers records into their own datastore. Apideck does not.

Apideck: real-time pass-through

  • Data processed in memory, never persisted
  • Every call returns live data from the source
  • No integration data lake to breach or delete
  • Simpler GDPR posture: no copy to erase
  • Zero data retention is the default, for every customer

Sync-and-cache platforms

  • Customer records replicated into a third-party store
  • Reads served from a copy that can be stale
  • A growing store of sensitive data to secure
  • Right-to-erasure spans an extra data holder
  • Retention is inherent to how the platform works

What zero data retention covers

Transparency matters more than marketing here. This is exactly what the pass-through layer does and does not retain.

Never persisted by Apideck

  • Customer business records (invoices, contacts, employees, deals, files)
  • API request and response payloads flowing through Unify
  • Data accessed by AI agents through the hosted MCP server
  • Reads and writes across every unified API category

Handled separately, and where the boundary sits

  • OAuth tokens are stored encrypted in Vault to keep connections alive
  • Optional API Logs retain request metadata with PII controls you configure
  • Data you forward to your own database or an LLM is governed by that service
  • Provider systems remain the system of record for the underlying data

Zero data retention is part of a wider security posture

Apideck is SOC 2 Type II certified, GDPR-compliant, CCPA-aligned, and ISO 27001 compliant, with EU hosting available. Data minimization is the default, connection credentials are stored encrypted in Vault, and Data Scopes give you field-level control over exactly which customer data your product requests. Because Apideck never holds customer records, your integration layer falls outside the audit boundary for data-at-rest controls, which means fewer systems in scope and simpler security reviews.

Zero data retention FAQ

What does zero data retention mean for SaaS integrations?
Zero data retention (ZDR) means integration payloads are processed in memory and never written to disk. When a SaaS product reads a customer invoice, contact, or employee record through a ZDR integration layer, the record passes through the platform in real time and is delivered straight to the product, with no copy stored on the integration provider infrastructure. Apideck is built this way by default: third-party customer data is never persisted on Apideck servers, because the Unify API is a real-time pass-through layer rather than a sync-and-cache database.
What is a ZDR API?
A ZDR API is an API that processes request and response data in memory and retains none of the underlying records once the call completes. The Apideck Unify API works this way. Your call is authenticated, normalized, forwarded to the underlying provider (QuickBooks, Salesforce, Workday, and so on), and the response is normalized and returned, all in a single real-time round trip. Nothing about the customer records is cached or stored, so there is no integration data lake to secure, breach, or delete.
Does Apideck store my customers data?
No. Apideck does not store your customers business data. API calls are processed in real time and passed directly from the source system to your application. Because Apideck does not cache your information, you also get up-to-date data on every call instead of a stale copy from the last sync. Zero data retention has been a founding premise of how Apideck designed its infrastructure and platform, not a feature added later.
How is zero data retention different from a sync-and-cache unified API?
Many unified API platforms use a sync-and-cache model: they replicate your customers records into their own datastore on a schedule, then serve your reads from that copy. That means a third party holds a persistent, growing store of your customers financial, HR, or CRM data. Apideck uses the opposite model, real-time pass-through, so the data is never persisted. Sync-and-cache trades data residency and freshness for convenience. Pass-through keeps the data with its owner and delivers it live. For products handling sensitive data, pass-through is the lower-risk architecture.
Is zero data retention the same as encryption or SOC 2?
No, they are complementary. Encryption protects data in transit and at rest, and SOC 2 audits the controls around how a company handles data. Zero data retention goes a step further by removing the at-rest copy of third-party customer data entirely, so there is less sensitive data to protect in the first place. Apideck combines all three: TLS-encrypted transport, SOC 2 Type II certification, and a pass-through architecture that does not persist customer records.
Does zero data retention cover OAuth tokens and connection credentials?
ZDR at Apideck applies to your customers business data, the records that flow through the API. Connection credentials are handled separately. Apideck Vault stores OAuth tokens encrypted so your product does not have to manage per-provider credentials and end users do not have to re-authenticate on every call. The distinction matters: the sensitive business records are never persisted, while the minimal credentials required to keep a connection alive are held securely and encrypted in Vault.
Does ZDR cover third-party tools and downstream services?
Zero data retention covers data while it is processed by Apideck. Once data reaches your application, or any downstream tool, model, or MCP client you send it to, it is governed by that service data-handling policy, not by Apideck. If you forward records to your own database, an analytics warehouse, or an LLM provider, review those services retention terms. Apideck guarantee is that the pass-through layer itself keeps no copy.
Why does zero data retention matter for AI agents?
AI agents read and write across a customer CRM, accounting, and HR systems through integration tooling, often via MCP. A pass-through layer with zero data retention means the agent works against live data without a third party accumulating a copy of everything the agent touches. Apideck operates a hosted MCP server at mcp.apideck.dev that exposes the Unify API as agent-callable tools over the same ZDR pass-through architecture, so agent access does not create a new retained data store.
Is Apideck GDPR compliant?
Yes. Apideck is SOC 2 Type II certified, GDPR-compliant, CCPA-aligned, and ISO 27001 compliant, with EU hosting available. Data minimization is the default, third-party data is never persisted, and Data Scopes let you request only the specific fields your product needs. Not retaining customer data also simplifies GDPR obligations such as the right to erasure, because Apideck holds no copy to delete.
Can I still get audit logs and observability with zero data retention?
Yes. Not retaining customer records does not mean flying blind. Apideck provides structured API Logs so you can see every request and response your integration made, with role-based access and PII controls, and Data Scopes give you field-level control over what data is requested in the first place. You get the observability you need to debug and audit integrations without a persistent copy of your customers underlying data.

Build integrations that keep customer data where it belongs

Connect your SaaS to 200+ providers across 9 unified APIs, with zero data retention as the default.