+1
If you choose not to share the source, its sorta up to you to pay some third party to review the code with NDA.
And as Gili said, no one expects reoccuring audits. Its mostly, or at least about customers needing to know that you've implemented cryptography in a acceptable way and of course that there are no additional ways in to a running process of Enpass.