This information is best known by Matthias. Here’s what I know:
Data stored on our own server.
Server in Germany – best data protection law in the country.
https all around (end-to-end encryption)
The data is handled by a stack of software which is open-and-free (so the code can, in principle, be audited) and stewarded by substantial development communities (Drupal, MySQL, PHP, Apache, Linux – so the code is audited in actuality).
We have moderators policing the activity feed every day, several times a day.
We have explicit terms and conditions. /t/edgeryders-lbg/351/privacy-policy-and-terms-of-use
One known security bug: https://edgeryders.eu/en/edgeryders-dev/task-1508. Does not affect credentials, and is easy to fix on a case-by-case basis reverting to the latest legit version of the wiki.
I would also be interested in an assessment for the proposed future hosting at Ecobytes.
Ecobytes provides Drupal hosting on machines configured with BOA (Barracuda-Octopus-Aegir). The focus of these scripts is on performance and security, allowing for an efficient sharing of the codebase while providing a proper and secure separation of clients, sites and Octopus instances.
The server is also hardened and is kept up-to-date. Although it was affected by Drupalgeddon, BOA released upgrades within a few hours. Since then an automatic hotfix policy has also been implemented, allowing servers (which authorize it) to be patched automatically if such major security issues appear. It also uses several mechanisms at the server level (e.g. csf/lfd) to trace and blacklist attacking IPs.