by raesene9 1648 days ago
If I can make a couple of suggestions for winning over that crowd.

1) As OP said, dial back "never" statements, there's no such thing as perfect security :)

2) When I look at a solution like this which essentially requires a lot of trust from customers (if your servers get hacked or your code is insecure, that's going to be a big hit for your customers), I look for 3rd party validation. Something like a published 3rd party audit from a reputable consultancy, using good named consultants, with a clearly stated scope of work is likely to help allay fears about trusting a third party with a solution like this.

3) Talk some more about the experience of your team. What you're doing is hard to do well, so explaining where your team has experience of doing things like this in the past, will help.

2 comments

This is very helpful — thank you!

On #2, we have carried out security audits with Cure53[0] and others, which we are happy to share. We also have a root of trust which is provably embedded in the AWS Nitro System[1].

#1 and #3 are great suggestions which we will implement in our next website revamp. Thanks!

[0]: https://cure53.de/

[1]: https://evervault.com/blog/e3

> we have carried out security audits with Cure53[0] and others

You need to be shouting about this on your new security summary page :)

It all builds a story of trustworthiness.

It seems like you have quite a lot of info captured in your blog, but the “blog” section is definitely not where I go first when I’m doing a quick scout of a company/service to size them up (from a “can I trust these guys?” perspective).

Great comments. Completely agree. Third party validation for something like this really goes a long way.