We just passed security certification by plynt. As a secure web service, it's important that we get a reputable 3rd party to test our service regularly. We chose Plynt for the job as they publish very clear criteria of what they test against, they're very responsive, and have a fair pricing structure.
Their certification criteria show what is tested, basically their security engineers go in and try to destroy safedrop, hack into messages and generally mess things up. Happily we passed first time, which shows our app has been solidly written from the start.
In more detail
Hosted at an SAS 70 Type II and ISO27001 compliant data center, safedrop.com offers secure messaging and file sharing to businesses globally. The certification by Plynt test that a Web application under testing has adequate measures to guard against remote adversaries and protect against a wide range of threats.
Plynt’s certification standard is composed of 23 criteria. These are categorized in two sections: Section 1 incorporates "Security Protection Criteria," which identifies the defenses an application must demonstrate to get the Plynt Certificate; and Section 2 incorporates "Security Requirements Criteria," which specifies the features and behavior an application must have to get the Plynt Certificate.
The security penetration tests are generally targeted at critical Web applications, especially those with sensitive data, including customer billing, personal data, banking, etc., in order to satisfy management and ensure enterprise customers achieve regulatory requirements like PCI, SOX (sound exchange), and health insurance portability and accountability act (HIPAA) compliance.
Plynt certification criteria gives you the assurance that safedrop is compliant for SB1386, SOX, SEC 17, HIPAA
safedrop certificate: http://www.plynt.com/certified/safedrop_certificate_2010/