I can't audit their server-side code. Even if it's open source, it's impossible to verify that the software which the server is running is identical to the open source version, or that there's no proxy in between you and the sever which logs the passwords, or some debugger attached which inspects the passwords in memory as people log in.
Basically, your master password is never sent, and everything is encrypted and decrypted locally.
You can't audit the server side code, but you can audit the client (and compile it from source) to make sure that the encryption is local and the master password is not sent.
The proxy would only see encrypted blobs; the client (which afaiui can be compiled and run locally despite using their hosted service) never sees the passwords in clear.
As long as the client and cryptography are uncompromised, the server only gets metadata.
