Our infrastructure is hosted on Google Web Services, just like many of the world's top brands, including Netflix, and government departments, such as the UK Ministry of Justice. We have several layers of security protecting our core services.
All cloud-based software has to give its users access in order to deliver value. We have built a tight "opt-in" permissions system that doesn't give even our own support staff access to your data: you must invite a support staff member into your Organisation, otherwise they can't see anything. Roles allow for even finer control over the permissions within your Organisation.
We enforce a minimum of 8 characters per password, but recommend that you make your password as long as you can tolerate. This gives you control over the convenience-to-security balance.
All clients connect over SSL (Secure Sockets Layer), an industry-standard method of encrypting all the data sent between the user and the server. This means that even in the unlikely event that someone manages to intercept a request, the encrypted data will not contain any meaningful information.
Where we have used JWT tokens (URL-based authentication tokens that permit one-time actions), we apply an aggressive expiration policy, so that intercepted tokens are extremely unlikely to be usable.