Everything relevant is on or linked to from the Privacy and GDPR link at the foot of the Make website. You might need to click through a number of documents to find exactly what you want.
If you’re using an API key, that does get stored securely within the Make infrastructure.
OAuth 2.0 is a much more secure auth mechanism - that’s where you get redirected to the service you’re connecting with to enter your login and password.
In OAuth 2.0 the login and password aren’t visible to Make. Instead the remote service sends a temporary access token back to Make, which Make refreshes automatically. Again, that token is stored securely within the Make infrastructure.