Much of our code is also open source, and has been audited by third parties, with published audit reports available online.
Some items, like precisely who has access to what, we obviously cannot publish for security reasons, as individual employees may be targeted if this is disclosed too clearly.
Sorry, I'm a user, and I largely trust you all, but this doesn't exactly lay to rest the issue you were given. Security and trust are a chain, and if you don't know every link in that chain than the whole thing is largely useless.
As another pointed out, at some point you just have to trust something and I agree with this. But I wanted to point out that your answer is not sufficient for what you were trying to answer.