How are your semi-custodial wallets secured?

Our infrastructure is housed in a secure data centre, admin access to database and API servers is protected by a both VPN and additional key based (plus password) authentication and is restricted to authorized persons only.  Without a valid VPN account plus a suitable 128 bit SSL key a person cannot login to our systems.
Our internet ingress points are firewalled at the network layer and have dedicated proxy servers routing incoming traffic to specific nodes.
Access to our API comes based on authorized access tokens matching with the correct user account, which require authorization via our login service to generate a valid token.  If a valid matching user account and token are not provided, access to our API endpoints is denied..
Additionally, we monitor our systems continually for intrusion and run a monthly penetration test which is updated every month with tests for all new reported vulnerabilities.