Missed the bcrypt part. Regarding providers - I've seen AWS, but that may mean a lot of things and a lot of ways to execute. If I want to evaluate how stable this service will be, it doesn't mean anything really (it could be one instance with the whole storage going away if it crashes). Geographical location may matter too, depending on what kind of users you handle.
Hi -- thanks for the questions. We want more docs online, but haven't done a full write-up yet. In short, we don't have an SLA, but we know enterprise will want that so we're working on it.
Someone else responded to some of your questions. Here is some more color: Only employees can view the data. Authenticated admins can view their own data (but not password hashes yet -- we want to use MFA for those requests to export). Passwords are never stored. We use the industry standard BCrypt (salted hash). We're using DynamoDB for storage. Our primary location is N. Virginia. We use MFA on AWS to secure everything (http://aws.amazon.com/mfa/). We back up several times a day and store backups in different regions on similarly secured S3 (uses the same MFA). We have tested the backup and migrated to another data center entirely (AWS Oregon). We are also 100% HTTPS, using HSTS, and all of our cookies are HttpOnly and set to Secure (http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly). I think this answers most of your questions. Happy to answer any follow-ups as well.
- how do you hash it? (you do, right?)
On the front page: "Credentials are stored as salted hashes using bcrypt"
- which providers hold the data?
"DailyCred is securely hosted by Amazon AWS."