Which Unified API Does Not Store Customer Data in 2026?
Truto, Apideck, Unified.to, and Knit offer pass-through unified APIs that don't store customer data. Truto also offers on-premise deployment for strict data residency requirements.
If your enterprise deal just got stuck because InfoSec flagged your integration middleware for caching customer data, you are reading the right article. The short answer: Truto, Apideck, Unified.to, and Knit all operate pass-through architectures that do not persist customer payload data at rest. Merge.dev, the largest player in the space, uses a sync-and-cache model by default - though it now offers a premium add-on for streaming-only delivery.
This distinction matters more than most product managers realize. For senior PMs and engineering leaders at B2B SaaS companies, the architecture your unified API vendor uses determines whether it shows up as a data sub-processor on your compliance documentation - and whether your 6-month enterprise deal closes or dies in security review.
This guide breaks down the architectural realities of unified APIs, compares sync-and-cache versus pass-through models, and details exactly how zero-storage normalization works under the hood.
The Hidden Compliance Cost of Unified APIs
Every B2B SaaS company selling upmarket hits the same wall. The prospect's security team sends a 200-question vendor questionnaire, and somewhere around question #47, they ask: "Does any third-party sub-processor store, cache, or replicate our data?" If you need an integration tool that doesn't store customer data to get past procurement, this question is the ultimate tripwire.
The pressure to ship integrations is constant. Your sales team is losing deals because your application lacks a native Workday or Salesforce connector. Engineering is bottlenecked maintaining existing integrations, fighting undocumented edge cases, and dealing with terrible vendor API documentation. A unified API - one interface that normalizes data across dozens of platforms - looks like the obvious shortcut.
But speed comes with a hidden security cost if you choose the wrong architecture.
Many unified API platforms rely on a "sync-and-cache" model. To normalize the data, they continuously poll the third-party provider, extract your customers' records, and store them in their own multi-tenant databases. Every unified API vendor you add to your stack becomes a sub-processor with access to your customers' most sensitive data. Whether it is employee PII from HRIS systems, revenue figures from accounting platforms, or customer contact lists from CRMs - the moment that data touches a third-party server at rest, your compliance surface area expands.
Enterprise InfoSec teams are deeply skeptical of this setup, and the financial exposure behind their scrutiny is real. The average cost of a data breach in 2025 reached $4.44 million globally, while in the United States, the average hit a record $10.22 million - up 9% year-over-year. If you are selling into healthcare, where HRIS and benefits data flows through your integrations, the numbers are worse: healthcare was the most expensive industry for breaches for the 14th consecutive year, with average costs of $7.42 million and a containment timeline of 279 days.
When a third-party integration vendor stores your customers' data, they become a sub-processor under GDPR. A sub-processor is any third-party company that processes personal data on behalf of your organization. The relationship creates a chain of responsibility: your client (the data controller) trusts you to handle their data properly, and when you pass some of that processing to a sub-processor, you remain responsible for ensuring compliance throughout the entire chain. Your prospect's legal team now has to evaluate not just your security posture, but your integration vendor's security posture too.
This is not an abstract risk. Research shows that 30% of breaches involved data spread across multiple environments, with the highest average cost at $5.05 million and the longest average lifecycle at 276 days. Every additional environment that holds customer data is another attack surface. When an enterprise buyer sees that their data will be synced to a middleware provider's database, they will demand to audit that provider's data residency, encryption standards, retention policies, and breach notification timelines. Deals stall. Sometimes they die entirely.
Sync-and-Cache vs. Pass-Through Architecture
Unified APIs normalize data from dozens of third-party platforms (Salesforce, HubSpot, BambooHR, Workday) into a common schema. The fundamental architectural question is where that normalization happens - and whether it requires storing your customers' data to do it.
graph LR
subgraph "Sync-and-Cache"
A1[Your App] -->|API Call| B1[Unified API<br>Vendor]
B1 -->|Periodic Sync| C1[Third-Party<br>API]
B1 --- D1[(Vendor's<br>Database)]
end
subgraph "Pass-Through"
A2[Your App] -->|API Call| B2[Unified API<br>Vendor]
B2 -->|Real-Time Proxy| C2[Third-Party<br>API]
end
style D1 fill:#ff6b6b,stroke:#333,color:#fffSync-and-cache architecture
The vendor periodically polls the third-party API, extracts customer records, normalizes them, and stores the result in its own database. When you call the unified API, you are reading from the vendor's cache - not from the source system.
Pros: Faster response times. Handles rate limits gracefully since reads do not hit the third-party API. Can offer SQL-like querying across integrations.
Cons: Your customers' sensitive data (employee PII, financial records, CRM contacts) now lives on a third-party server. The vendor becomes a sub-processor. You inherit their breach risk. Data goes stale between sync intervals. Retention policies become your problem.
Pass-through architecture
The vendor proxies your API request directly to the third-party in real time, normalizes the response on the fly, and returns it to your application. No customer payload data is stored at rest on the vendor's infrastructure.
- Your application requests
/unified/crm/contacts. - The unified API engine translates your unified query parameters into the syntax required by the target system.
- The engine makes a live HTTP call directly to the third-party provider.
- The third-party provider returns the raw response.
- The engine translates the raw response into the unified schema in-memory and returns it to your application immediately.
Pros: No data residency issues. The vendor is not a data sub-processor for payload data. Always-fresh data from the source. Simpler compliance story.
Cons: Response times depend on the third-party API's latency. You are subject to the source system's rate limits. No offline querying - if the third-party is down, you get nothing.
Both architectures have legitimate use cases. If you need to run analytics over historical employee data across 50 HRIS systems, a sync-and-cache model is genuinely useful. But if your primary goal is to read and write records through integrations while keeping your compliance surface area minimal, pass-through is the architecture that will not block your enterprise deals.
For a deeper analysis of these trade-offs, see our comparison of real-time and cached unified APIs.
Which Unified APIs Do Not Store Customer Data?
Here is an honest breakdown of the major unified API vendors and their data storage posture as of early 2026, based on each vendor's public documentation and security pages.
| Vendor | Architecture | Stores Customer Payload Data? | Key Detail |
|---|---|---|---|
| Truto | Pass-through | No | All normalization happens in-transit. No shadow database. |
| Apideck | Pass-through | No | Real-time API processing, no caching of payloads. |
| Unified.to | Pass-through | No | Proxies requests directly to source systems. |
| Knit | Pass-through | No | Zero-storage model, data never touches their servers at rest. |
| Merge.dev | Sync-and-cache (default) | Yes | Stores data in vendor-hosted databases. Premium streaming add-on available. |
Important nuance: Even pass-through vendors store some data - OAuth tokens, connection metadata, integration configuration. The distinction is about customer payload data: your customers' actual CRM contacts, employee records, financial transactions. That is the data InfoSec teams care about.
At-a-Glance Vendor Matrix: Merge.dev Alternatives Compared
If you are evaluating Merge.dev and finding it too rigid or expensive - especially around custom schema mapping and data residency - here is the head-to-head matrix that most InfoSec-driven procurement decisions come down to. This is the same table teams use when searching for unified API alternatives to Merge.dev, Prismatic, Finch, Apideck, or Kombo based on passthrough architecture and custom field support.
| Dimension | Truto | Apideck | Unified.to | Knit | Merge.dev (baseline) |
|---|---|---|---|---|---|
| Storage posture | Pass-through, zero payload storage | Pass-through, zero payload storage | Pass-through, zero payload storage | Pass-through, zero payload storage | Sync-and-cache (default); customer data replicated into Merge's infrastructure until manually deleted |
| Custom field / schema mapping | Declarative JSONata mappings with per-environment and per-account overrides; every mapping is data, not code | Custom Field Mapping feature (gated to Scale tier and above) | JSONata-style transforms; custom field mappings on Scale Up and above | Custom data models plus per-account custom field mapping dashboards; passthrough requests for uncovered fields | Common Models plus Field Mapping and passthrough (Remote Data) blobs |
| Pricing model | Flat per-integration (does not scale with linked accounts or API calls) | Consumer-based (per active end-customer); Launch starts around $599/mo for 25 consumers, Scale from $1,299/mo | Usage-based (monthly API requests); Grow plan from $750/mo for 750K calls, $1.00 per 1,000 additional | Tiered per integrated account with volume discounts; free tier plus paid tiers, Enterprise contact-sales | Per linked account: $650/mo for up to 10 production accounts, $65 per additional account; Professional and Enterprise are contract-based |
| Deployment options | Multi-tenant cloud, single-tenant cloud, on-premise / self-hosted | Cloud-only (multi-tenant) | Cloud-only (multi-region) | Cloud-only | Cloud-only; single-tenant available as an add-on |
| Major trade-offs | Real-time latency depends on source API; historical analytics needs external sync (RapidBridge) to your store | Custom Field Mapping and SSO gated to higher tiers; some connectors depend on polling when providers lack webhooks | Every successful API call and native webhook counts against quota - pagination and webhook fan-out can burn through allowances | Sync frequency and enterprise security features (SAML SSO, customer-managed secrets) are tier-gated; catalog is HR/finance-heavy | Data storage expands compliance scope; per-account pricing punishes multi-integration and broad-adoption products; typical polling cadence limits real-time use cases |
| Compliance / security page | truto.one/security | apideck.com/security | unified.to/security | getknit.dev/security | merge.dev/security |
Reading this table: "Pass-through" means the vendor does not persist customer payload data at rest. It says nothing about credential storage, logs, or connection metadata - always ask each vendor for their exact retention policy. Pricing figures are pulled from public pricing pages as of early 2026 and change frequently; verify with the vendor before signing.
Truto
Truto operates a 100% pass-through architecture. When you call GET /unified/crm/contacts, Truto proxies the request to the underlying CRM (Salesforce, HubSpot, etc.), transforms the response into the unified schema using declarative expressions evaluated in-transit, and returns the normalized result. No customer records are written to a database at any point.
The platform was engineered from the ground up to operate without integration-specific code or shadow databases. Schema normalization is handled entirely in-transit using declarative JSONata expressions. This means no customer payload data - CRM contacts, HRIS records, ATS candidates - is ever stored at rest, providing built-in SOC 2 and HIPAA readiness by entirely removing the unified API provider from the data custody chain.
Custom schema mapping: Because every mapping is JSONata data rather than compiled code, Truto supports a three-level override hierarchy (platform, environment, account) so you can add custom fields, remap operators, or reshape responses per customer without a vendor deploy. Custom fields are available on every plan, not gated behind a Scale or Enterprise tier.
Pricing model: Flat per-integration - your cost does not increase when a customer connects more accounts or when your customer count grows.
Truto stores credentials (encrypted OAuth tokens and API keys), integration configuration, and connection metadata. It does not store customer payload data. For organizations that need even stronger isolation, Truto offers on-premise deployment and single-tenant cloud options with configurable data processing regions - see the next section for details. For a deeper dive, see our post on why zero-storage matters for compliance-strict SaaS.
Apideck
Apideck does not store customer data. API calls are processed in real-time and passed directly from the source to your application. Their architecture is conceptually similar to Truto's pass-through model, and their SOC 2 Type 2 compliance combined with no-data-storage has made them a strong candidate for security-conscious teams.
Custom schema mapping: Apideck exposes a Custom Field Mapping feature and a Proxy API for uncovered endpoints. Custom Field Mapping is excluded from the Launch plan and only becomes available starting at the Scale tier, which is a meaningful gotcha if custom fields are core to your enterprise deals.
Pricing model: Consumer-based as of January 2026. You are billed per active end-customer who has at least one integration, with unlimited connectors per consumer and unlimited API calls. Launch pricing starts around $599/month for 25 consumers, with custom field mapping unlocking at the Scale tier. Security details on their security page.
Unified.to
Unified.to also operates a pass-through model. They do not store end-user data or credentials. Requests proxy through to the source system in real time, and you stay in control of where data flows and how it is handled.
Custom schema mapping: Unified.to normalizes data into common models and offers a passthrough for calls to vendor-specific endpoints. Custom field mappings and features like whitelabel auth are available starting on the Scale Up tier; the Start Up tier is limited to standard mappings and a 24-hour sync frequency.
Pricing model: Usage-based, anchored on monthly API requests across all integrations. The Grow plan starts at $750/month for 750,000 API calls, with $1.00 per 1,000 additional calls. Successful API calls and native webhook deliveries are billable - pagination and webhook fan-out can burn quota faster than teams expect. See their security and compliance page.
Knit
Knit differentiates itself from legacy providers with a security-first architecture. They operate a zero-storage model where customer data never touches their servers at rest, focusing heavily on the compliance benefits of not maintaining a secondary database of customer records. They publicly claim SOC 2 Type II, ISO 27001, and GDPR compliance - request the attestation reports during procurement to verify scope.
Custom schema mapping: Knit supports custom data models and per-account custom field mapping dashboards, plus passthrough requests to source APIs for fields Knit does not cover. G2 reviewers note the custom field mapping API can be inconsistent across integrations, so pilot it against your target systems before committing.
Pricing model: Tiered per integrated account with volume discounts (more accounts, lower per-account price). Sync frequency, whitelabel auth, and enterprise features like SAML SSO and customer-managed secrets are gated to higher tiers. See their security page for compliance details.
The Contrast: Merge.dev
Merge is transparent about its approach: they deliberately chose to store data rather than operating as a pass-through-only platform. Storing data allows Merge to increment on its database rather than performing a full refresh on each sync, letting them resync data more frequently while respecting third-party rate limits. Customer data and credentials are stored indefinitely until actively deleted by the Merge customer.
Custom schema mapping: Merge exposes Common Models plus a Field Mapping feature and Remote Data passthrough blobs for fields outside the common model. This works well when your integrations fit their normalized schema; it becomes friction when a large enterprise customer has heavily customized Salesforce or Workday deployments that need per-account overrides on the fly.
Pricing model: Per linked account. The Launch plan is free for the first 3 production Linked Accounts, then $650/month for up to 10 total production Linked Accounts, with $65 per additional Linked Account. Professional and Enterprise plans are contract-based. At 200 customers connecting 3 systems each (600 linked accounts), that math lands around $39,000/month before add-ons.
Merge now offers a premium feature called Destinations that streams data directly to your infrastructure without storing it on Merge's servers. This is a step in the right direction, but it is an add-on to an annual plan - not the default architecture. If you use Merge's standard configuration, your customers' HRIS records, CRM contacts, and financial data persist on Merge's infrastructure until you explicitly delete them. See merge.dev/security for their security documentation.
Read more: For a deeper dive into the compliance implications of these models, read our guide on Security Implications of Using a Third-Party Unified API.
When to Pick Pass-Through vs Cached Unified APIs
Both architectures have legitimate use cases. The mistake is assuming one is universally better. Use this decision matrix to figure out which model fits your product before you spend six weeks in a POC.
Pick a pass-through unified API when...
- Your buyers have serious InfoSec teams. If you sell into financial services, healthcare, government, or any regulated vertical, removing customer payload data from the vendor's infrastructure eliminates an entire category of procurement questions.
- You need current data, not last-night's snapshot. Products that trigger workflows on live CRM changes, present real-time HRIS status, or write records back to source systems benefit from reading straight from the source.
- Customer count will grow faster than integration breadth. Per-connection billing on cached platforms creates a linear "success tax" as you add customers - pass-through vendors with flat or consumer-based pricing decouple your infrastructure cost from your sales curve.
- You need per-customer schema flexibility. Different enterprise customers have different Salesforce custom fields, different Workday configurations, and different NetSuite object graphs. Pass-through vendors with per-account mapping overrides handle this without vendor deployments.
- Data residency mandates rule out a shadow database. If a copy of your customer's PII on a third-party server would fail a vendor security review, pass-through is the only viable model.
Pick a cached / sync-and-store unified API when...
- You need to run analytics across historical integrated data. Cross-integration SQL queries, historical trending, and machine learning on synced records are natively supported by cached models. On pass-through platforms you have to sync into your own data warehouse (Truto's RapidBridge, for example) to get this.
- Third-party rate limits would break your read patterns. If your product does high-frequency reads that would exceed the source API's rate limits, a cache absorbs the spike.
- The third-party API's uptime is worse than your SLA. Cached data keeps working when the source is down. Pass-through returns an error.
- Your integration set is stable and your customer count is low. Per-linked-account pricing is manageable at 20 enterprise accounts; it becomes brutal at 2,000 SMB accounts.
- Historical data completeness matters more than real-time freshness. Onboarding workflows that need every historical record from a source system benefit from a pre-populated cache.
The hybrid path
If you find yourself needing both - live reads for user-facing features plus historical data for analytics - the cleanest architecture is a pass-through unified API for the user-facing path plus a targeted sync into your data store for analytics. This keeps the vendor out of the payload custody chain for real-time operations while giving your team full control over historical data governance.
On-Premise Unified APIs: When Pass-Through Cloud Is Not Enough
For some organizations, even a zero-storage pass-through architecture running in a vendor's cloud is not sufficient. Government contractors, defense subcontractors, certain healthcare systems, and financial institutions operating under strict data residency mandates need every component of the integration pipeline - including the normalization engine itself - running inside their own network perimeter.
This is where on-premise (self-hosted) unified API deployments come in.
Which vendors offer on-premise deployment?
Among purpose-built unified API platforms, on-premise options are rare. Most vendors are cloud-only SaaS.
Truto offers on-premise deployment as part of its enterprise plan, alongside single-tenant cloud and configurable data processing regions. The same declarative, config-driven engine that runs in Truto's cloud can be deployed inside your infrastructure. Because Truto's architecture is entirely data-driven - all integration behavior is defined by JSON configuration and JSONata expressions, with zero integration-specific code - the self-hosted deployment runs the identical codebase, not a stripped-down "enterprise edition."
Apideck, Unified.to, and Knit are cloud-only platforms as of early 2026. Their pass-through architectures minimize data exposure, but the normalization engine and credential storage still run on vendor-managed infrastructure.
For broader integration needs (iPaaS rather than unified API), platforms like MuleSoft Anypoint and WSO2 support hybrid and on-premise deployment. But these are general-purpose API management platforms - not purpose-built unified APIs with common data models across SaaS categories like CRM, HRIS, and ATS.
On-premise vs. pass-through cloud: how they compare
| Factor | Pass-Through Cloud | On-Premise / Self-Hosted |
|---|---|---|
| Data exposure | Payload data transits vendor infrastructure in-memory, never stored | Payload data never leaves your network |
| Credential storage | Vendor stores encrypted OAuth tokens and API keys | You control all credential storage |
| Compliance posture | Vendor is a conduit, not a sub-processor for payload data | Vendor is not in the data path at all |
| Operational burden | Vendor handles uptime, scaling, and updates | Your team handles infrastructure, patching, and scaling |
| Time to deploy | Minutes to hours | Days to weeks, depending on internal approval processes |
| Cost | Lower - shared infrastructure | Higher - dedicated infrastructure plus internal ops overhead |
| Update cadence | Automatic - new integrations and fixes ship immediately | Manual - you control when updates are applied |
| Data residency | Depends on vendor's available regions | Full control - deploy in any region or air-gapped environment |
When to choose on-premise over pass-through cloud
On-premise deployment makes sense when your compliance requirements go beyond what even a zero-storage cloud pass-through can satisfy:
- Regulatory mandates prohibit data from transiting third-party infrastructure. Some government and defense contracts (FedRAMP High, ITAR) prohibit any customer data from passing through third-party cloud infrastructure, even transiently in-memory.
- You need full control over credential storage. If your security policy requires all OAuth tokens and API keys to reside in your own HSM or vault infrastructure, self-hosted is the only option.
- Air-gapped or restricted network environments. Organizations operating without public internet access need on-premise deployments that can reach internal or on-premise SaaS instances directly.
- Your customers' procurement process explicitly requires it. Some enterprise buyers will not approve any vendor whose infrastructure touches their data, regardless of whether that vendor stores it.
For everyone else - including most enterprise B2B SaaS companies selling into regulated industries - a pass-through cloud architecture is usually sufficient. The practical question is whether your buyer's InfoSec team cares about storage (pass-through cloud solves this) or transit (on-premise solves this).
Example decision: A healthcare SaaS startup syncing employee records from BambooHR for 200 mid-market customers? Pass-through cloud with a HIPAA BAA is the right call - fast to deploy, zero ops burden. A defense contractor building an internal HR dashboard that pulls from on-premise Workday behind a firewall? On-premise deployment with air-gapped networking is the only viable path.
How Truto Normalizes Data Without a Database
The obvious question is: if you do not store data, how do you normalize it? Different CRMs call the same field different things - Salesforce uses FirstName, HubSpot nests it under properties.firstname. Someone has to translate.
Most sync-and-cache platforms solve this by extracting data into their own database, running transformations offline, and serving the normalized result from cache. Behind their unified facade, they maintain separate code paths for each integration with integration-specific database columns, dedicated handler functions, and hardcoded business logic.
Truto takes a fundamentally different approach. The entire platform contains zero integration-specific code. Integration behavior is defined entirely as data: JSON configuration and declarative JSONata expressions. The runtime engine is a generic pipeline that reads this configuration and executes it in-transit.
The zero-storage pipeline
When a unified API request comes in - for example, GET /unified/crm/contacts?integrated_account_id=abc123 - the following pipeline executes:
Step 1: Resolve Configuration. The engine loads the integration configuration (a JSON blob describing the API's base URL, auth scheme, and pagination strategy) and the integration mapping (JSONata expressions for translating formats). No customer payload data is loaded at this step.
Step 2: Transform the Request In-Transit. The unified request is translated into the third-party's native format. If you pass a unified query parameter, the engine evaluates a JSONata expression to map it. HubSpot requires constructing a complex filterGroups array for searches; Salesforce requires building a SOQL WHERE clause. The engine does not know which one it is doing - it simply evaluates the JSONata expression provided in the configuration and attaches the result to the outbound HTTP request.
Step 3: Execute the Live HTTP Call. The proxy layer makes the HTTP call directly to the third-party provider using the constructed URL and injected authentication tokens. It handles pagination (cursor, offset, link-header) dynamically based on the configuration.
Step 4: Transform the Response In-Transit. When the raw response returns, the engine evaluates a JSONata response mapping expression against each item. For Salesforce, this might map flat PascalCase fields into the unified schema. For HubSpot, it might extract data from nested properties objects. The data is reshaped in memory and immediately returned to the client. The original response is also preserved as a remote_data field so you can always access the raw data your provider returned.
/* Example: In-transit JSONata mapping for Salesforce Contacts */
response.{
"id": Id,
"first_name": FirstName,
"last_name": LastName,
"name": $join($removeEmptyItems([FirstName, LastName]), " "),
"email_addresses": [{ "email": Email }],
"created_at": CreatedDate,
"updated_at": LastModifiedDate
}A three-level override system (without storing customer data)
One criticism of pass-through architectures is that they cannot handle customization - different customers need different field mappings for the same integration. Truto solves this with a three-level override hierarchy:
- Platform-level defaults - the base mapping that works for most customers.
- Environment-level overrides - a customer's environment can modify any mapping without affecting others.
- Account-level overrides - individual connected accounts can have their own mapping adjustments.
These overrides are configuration data, not customer payload data. They describe how to transform data, not the data itself. When a customer's Salesforce instance has custom fields that need special handling, only the mapping rules change - no customer records are stored or cached. The mapping configuration is lightweight JSON containing field names, transformation rules, and endpoint paths. It contains zero customer PII.
Architectural Deep Dive: Learn more about how this declarative approach eliminates technical debt in our guide to Integration Solutions Without Custom Code: The 2026 PM Guide.
The honest trade-offs
Pass-through is not magic. Because Truto does not cache data, every API call hits the third-party system in real time. That means:
- Latency depends on the source system. If Salesforce's API takes 800ms to respond, your unified API call takes at least 800ms plus transformation overhead.
- Rate limits are partially your problem. Truto handles rate limit detection and surfaces standardized retry headers, but if your customer's BambooHR instance is rate-limited, you cannot work around it by reading from a cache.
- No offline querying by default. You cannot run SQL against data that is not stored. Truto does offer an optional sync feature called RapidBridge that syncs data directly to your data store if you need this - keeping the data in your infrastructure, not Truto's.
These are real trade-offs you should evaluate based on your use case. For the majority of B2B SaaS applications - reading and writing records through integrations, powering customer-facing features, syncing data on demand - the latency difference is negligible and the compliance benefit is massive.
InfoSec Checklist: Questions to Ask Each Unified API Vendor
When your InfoSec team evaluates a unified API vendor, do not accept marketing claims at face value. Terms like "real-time" or "secure" do not guarantee a pass-through architecture. Use this checklist as a starting point for every vendor security review - the answers should be on their public security page or in a security questionnaire response, not filibustered on a sales call.
Data storage and residency
-
"Do you persist any customer payload data at rest?" Not connection metadata or OAuth tokens - actual customer records (employee PII, CRM contacts, financial data). Acceptable answer: No, all payload data is processed in memory and immediately discarded after the HTTP response is sent. Red flag: "We store it temporarily for caching" or "we sync it to provide cross-platform search."
-
"What is your data retention policy for customer payloads?" If the answer is not "we don't store them," ask how long data persists and what triggers deletion. Also ask about API logs - a vendor that logs full request and response bodies for 30 days is storing your customers' data by another name.
-
"Will we need to list you as a data sub-processor?" This is the litmus test. Under GDPR, a processor cannot engage another processor without prior written authorization from the controller. If the vendor stores customer data, they must appear as a sub-processor. If they do not store payload data, they act strictly as a conduit.
Architecture verification
-
"Can you provide an architecture diagram showing the data flow for a unified API call?" You want to see whether data passes through a database or is processed in-memory.
-
"How do you handle custom fields and custom objects?" Acceptable: mapped dynamically in-transit using transformation expressions, per-account overrides, or passed through in a raw data object (Truto's
remote_data, Merge's Remote Data, Knit's passthrough). Red flag: dynamically generated columns in the vendor's database to accommodate custom fields. Follow up: "Is custom field mapping available on the tier we are buying, or is it gated to a higher tier?" (Apideck's Custom Field Mapping is a common gotcha here - it is gated to Scale.) -
"What happens when the third-party API is down?" Pass-through vendors will return an error. Cache vendors may serve stale data. Know which behavior you are getting.
Pricing and billable-unit definition
- "What counts as a billable unit?" Linked accounts, active consumers, API calls, webhook events, or integrations? Ask specifically whether pagination, virtual webhook polls, and retries count against your quota - these can silently 10x your bill.
- "What is the cost curve at 10x our current customer count?" If the answer scales linearly with customer count (per-linked-account or per-consumer), you have a growth tax on your integration layer. Do the 24-month projection before committing.
- "Which features are gated to higher tiers?" Custom field mapping, SSO, whitelabel auth, sync frequency, and log retention are commonly gated. Confirm the tier that includes what you actually need.
Deployment model and data residency
-
"Do you offer on-premise or self-hosted deployment?" If your security requirements prohibit customer data from transiting any third-party infrastructure - even in-memory - you need a vendor that can deploy inside your network. Ask whether the self-hosted version is the same codebase or a separate, limited product.
-
"Can we run your platform in our own cloud VPC or air-gapped environment?" For organizations with strict network segmentation, this determines whether the vendor is even viable. Ask about container-based deployment, dependency requirements, and whether the platform needs to phone home for licensing.
-
"What data processing regions do you support?" If on-premise is overkill but you have data residency requirements (EU-only processing, for example), confirm the vendor can run in your required region. Ask whether this is a dedicated instance or a shared multi-tenant cluster in that region.
-
"Is single-tenant cloud deployment available?" A middle ground between shared multi-tenant cloud and full on-premise. Single-tenant gives you a dedicated instance managed by the vendor, without sharing infrastructure with other customers.
Compliance documentation
-
"Can I see your SOC 2 Type II report?" Not the marketing badge - the actual report. Review the system description for mentions of customer data storage. If a vendor claims SOC 2 or ISO 27001 but does not provide the report under NDA, treat that as a red flag.
-
"Do you have a published sub-processor list?" Any vendor that stores customer data should maintain one. Review it to understand the full chain of custody.
-
"Do you support HIPAA BAAs?" If you are in healthcare SaaS, this is non-negotiable. A vendor that does not store PHI has a much simpler HIPAA story than one that does.
For a deeper dive into passing enterprise security reviews with third-party integration tools, see our practical guide for engineering and product leaders.
Making the Right Call for Your Stack
The unified API market is splitting into two clear camps: vendors that store your customers' data and vendors that do not. Neither approach is universally wrong - the right choice depends on your product's requirements, your customers' security expectations, and your risk tolerance.
If you are selling into enterprises with strict data governance policies - financial services, healthcare, government contractors, or any company with a serious InfoSec team - a pass-through architecture removes an entire category of compliance questions from your vendor security reviews. You do not need to explain where your customers' HRIS data lives on a third-party server, because it doesn't.
If your compliance requirements go further - data cannot transit any third-party infrastructure, credentials must live in your own vault, or you operate in an air-gapped environment - look for a vendor that offers on-premise deployment without sacrificing the unified API's core value: one interface across dozens of integrations.
If you need to run analytics over historical integrated data, a caching architecture (or a hybrid like Merge Destinations) may be the better fit - just go in with eyes open about the sub-processor implications.
By adopting a zero-storage, pass-through unified API, you get the velocity of shipping dozens of integrations in weeks instead of years without sacrificing the security posture required to close enterprise deals. You eliminate the sub-processor conversation entirely, and your sales team stops having to defend a third-party's database architecture to antagonistic InfoSec auditors.
FAQ
- What are the best alternatives to Merge.dev that don't store customer data?
- Truto, Apideck, Unified.to, and Knit all run pass-through architectures that do not persist customer payload data at rest. Truto adds flat per-integration pricing, JSONata-based custom schema mapping on every plan, and on-premise deployment; Apideck uses consumer-based pricing (Launch from ~$599/mo, Custom Field Mapping gated to Scale); Unified.to uses usage-based pricing (Grow from $750/mo for 750K API calls); Knit uses tiered per-integrated-account pricing with volume discounts.
- Which unified API offers the best custom schema mapping?
- Truto exposes declarative JSONata mappings with a three-level override hierarchy (platform, environment, account) available on every plan, so you can add custom fields or reshape responses per customer without a vendor deploy. Apideck offers Custom Field Mapping but gates it to the Scale tier and above. Unified.to and Knit support custom mappings and passthrough requests on higher tiers. Merge.dev exposes Common Models plus Field Mapping and Remote Data blobs, but per-customer schema flexibility is limited compared to expression-based platforms.
- How does Merge.dev pricing compare to alternatives at scale?
- Merge.dev's Launch plan is free for the first 3 production Linked Accounts, then $650/month for up to 10 accounts, plus $65 per additional account. At 200 customers connecting 3 systems each (600 linked accounts), that math lands around $39,000/month. Apideck bills per active consumer (unlimited connectors per consumer), Unified.to bills per API call, Knit bills per integrated account with volume discounts, and Truto uses flat per-integration pricing that does not scale with customer count.
- When should I pick a pass-through unified API over a cached one?
- Pick pass-through when your buyers have serious InfoSec teams, you need current data instead of last-night's snapshot, per-customer schema flexibility matters, or data residency mandates rule out a shadow database. Pick cached (sync-and-store) when you need cross-integration SQL analytics, the source API's rate limits or uptime would break your read patterns, and your customer count is low enough that per-linked-account pricing stays manageable.
- What questions should InfoSec ask a unified API vendor during security review?
- Ask whether they persist customer payload data at rest, what their retention policy is (including full-body API logs), whether you must list them as a GDPR sub-processor, how custom fields are handled, what counts as a billable unit, whether custom field mapping and SSO are gated to higher tiers, what happens when the third-party API is down, and whether they offer on-premise or single-tenant deployment. Always ask for the actual SOC 2 Type II report - not the marketing badge.