thank you for your questions - please see below our answers.
#1 There are a couple of API calls initiated directly from CRM.web (e.g. create a list, its attributes, a message, or a segment. Query attributes to map CRM fields). There are API calls that are done by the CRM.server, such as creating members (aka transferring the CRM target group to Campaign Manager). And, there are messages that CRM.server receives from the so called Sync.Middleware that is polling Campaign Manager for state changes (sent messages, opens, clicks, unsubscribes, etc.)
Communication is done via SSL.
#2 There is no limitation of users in Campaign Manager.
#3 Password Syntax Rules
Strong passwords are required – 8 characters or more, and contain a combination of 3 or more of the following:
• Upper case letters
• Lower case letters
Password Expiration and History
Passwords expire and must be changed every 90 days. The last 5 passwords are tracked and not allowed for re-use. Accounts are deactivated after 30 days of inactivity.
#4 There is no standard functionality. But, you could customize a button / trigger (program call) that would call the API and e.g. delete the list (including all messages, members, and interactions)