We are utilizing the industry's best security practices with guidance from NIST and the latest Digital Authentication Guidelines.

Our application is continuously monitored for CVE, OSVDB, XSS, SQL injection and many other types of vulnerabilities using Hakiri.

@jgrevich - hardened images, FIPS ? 

All PII is encrypted at rest with a symmetric key derived from the user's passphrase, using a NIST-approved algorithm that relies on a hardware security module (HSM).

Every assertion of PII (Personally Identifiable Information) is encrypted during transit using TLS (transmitted over HTTPS) and additionally using industry standard XML encryption at the application layer to further protect against pilfered payloads.

Our XML encryption approach uses the xmlenc gem with AES-256-CBC for the PII and RSA-OAEP-MGF1P for the key. The encrypted PII is signed with the Service Provider's public key.

@jgrevich - reference details of our https certs/HSTS? 

We rely on fail2ban within Rack::Attack to identify malicious requestors and ban appropriately. Rack::Attack enables throttling for prevention of DoS attacks and mitigates abusive requests, allowing us to rely less on short-term, one-off hacks to block a particular attack.

@jgrevich - relevant network security? 

The application and server-level health and availability is monitored using New Relic and incident response is handled using PagerDuty.

We are currently implementing our own independent monitoring and transaction testing for accurate monitoring of system and key transaction health without relying on third parties.

@pkarman and @jgrevich - thoughts on:
Also, the fault tolerance of all of these components.  In other words, 
how do we protect against single points of failure (SPOF)