These types of allegations keep on appearing. I know we all generally trust CERN scientists (after all, they must be smart people who care), but to keep everyone’s trust I suspect nothing less than full transparency will do.
Where is ProtonMail’s data stored? Where are its web servers? Who has physical access? Who has login keys/credentials to storage and server machines? Who does security audits, how are they done, when we’re they done last, what were the results, and what steps are you taking to improve your system’s security? And most importantly, what exactly does ProtonMail do when dealing with authorities and other entities that want access to user data?
Security is a process, not a destination - that’s a mantra everyone in the security world learns early on. But trust is also a process, not a destination. As an example of a company that treats both as a process, consider AgileBits, the developer of 1Password. Their white papers are case studies in transparency.
Ideally, what you say makes sense, but at some point you're just going to have to place your trust in someone, or something. Realistically, a vendor won't be able to satisfy every single curiosity. Someone else might ask how do we know the data is actually stored where they claim its stored. How do we know if such and such employee even works there. How do we know the OS that their developers use isn't updated and/or compromised, What if they get a new employee who is incompetent and doesn't follow the established protocols, etc, etc. You can only go down one level of abstraction here. Otherwise you'll probably be writing a treatise on belief, knowledge and justified true-beliefs.
We have a transparency report, a privacy policy, terms and conditions, and a threat model document, which clearly covers many of these points.
Much of our code is also open source, and has been audited by third parties, with published audit reports available online.
Some items, like precisely who has access to what, we obviously cannot publish for security reasons, as individual employees may be targeted if this is disclosed too clearly.
Sorry, I'm a user, and I largely trust you all, but this doesn't exactly lay to rest the issue you were given. Security and trust are a chain, and if you don't know every link in that chain than the whole thing is largely useless.
As another pointed out, at some point you just have to trust something and I agree with this. But I wanted to point out that your answer is not sufficient for what you were trying to answer.
Where is ProtonMail’s data stored? Where are its web servers? Who has physical access? Who has login keys/credentials to storage and server machines? Who does security audits, how are they done, when we’re they done last, what were the results, and what steps are you taking to improve your system’s security? And most importantly, what exactly does ProtonMail do when dealing with authorities and other entities that want access to user data?
Security is a process, not a destination - that’s a mantra everyone in the security world learns early on. But trust is also a process, not a destination. As an example of a company that treats both as a process, consider AgileBits, the developer of 1Password. Their white papers are case studies in transparency.