I've been following this thread for a good while. I'm responsible for recommending security tools for a large professional community in the UK.
I'm not currently able to recommend this product however passionate the developers might be.
In this thread there seems to be some conflation around security practices of:
1. the business itself with respect to penetration testing, security and integrity of the code (to prevent malicious code being added to source), process security (to defend against social engineering of the developers etc) and so on.
2. the code base and architecture
It is not at all clear that good security practices are followed, that the staff are all well versed in any recognised international security standard, that they have a common code base, follow security by design principles, etc.
The fact that adding features, changing ui, etc can undermine the work of an audit is also worrying. Of course code changes can introduce new attack vectors and additional security bugs but there is no clear sense of the layers and modularity to the code base that would limit the risks.
I'm also not able to confirm that the programme itself supports and the developers recommend the use of strong two factor authentication particularly with physical based token devices like YubiKey, to access the data the programme is intended to protect.
I had hoped to be able to recommend this to our thousands of members and offer some small discount purchase incentive. We'd have recommended a subscription model to ensure ongoing security updates, maintenance and enhancements.
Unfortunately, I do not feel able to progress this further.
I wish the business and the development team all the best and hope you are able to mature the product and meet the modern security challenges in due course.