Now, look on you sample connection string looks like:
DataConnectionString: Data Source=<SQLServerName>;Initial
Catalog=<MyDatabaseName>;Integrated Security=True;Persist Security
By default, we stored connection string in Web.config file, but in nopCommerce we found that Connection String is stored in \Presentation\Nop.Web\App_Data\Settings.txt
Yes it's safe. All files stored into App_Data directory are "secured". Any file you place there will not be downloadable.