Here are some of the things we do:

• Reward independent security researchers for discovering and responsibly disclosing vulnerabilities in our software (email security@parlaywith.me for an invite to our private HackerOne program).
• Continuous security patching.
• Force HTTPS connections to our server in order to secure your data over the wire.
• Client-side password hashing with bcrypt: our servers never see your password.
• Sanitize all user-provided data before putting it in the DOM (XSS).
• Use localStorage instead of session cookies (CSRF).
• Use X-Frame-Options headers and content security policy directives.
• Continuous database balance sanity checks. We will not be another MtGox.
• Application-level encryption of sensitive database fields.
• Rate limit sensitive server functions including login.
• Consider comprimised any machine that has been used for web browsing or has run Adobe or Microsoft software.
• Access production environment and sensitive 3rd-party services from uncompromised computers with 2FA.
• Use gratuitously strong random cycling passwords and 2FA with sensitive 3rd-party services.
• Cycle API keys.
• Meteor methods with thoroughly checked arguments and user authority in lieu of complex allow/deny rules.
• Audit logs.

We take additional security measures that we don't disclose (for security reasons ).

We will hire a skilled security firm to do an in-depth pentest once we can afford to do so.

We have also audited our source code for the following types of vulnerabilities:

• Parameter manipulation
• Replay attacks
• TOCTOU and race conditions
• Number processing, including conversion, rounding, and overflows
• Private data exposure
• MongoDB injection