We don't offer two factor but is something we are investigating. This is mitigated somewhat by the fact that a lot of our users use Google login.
2. SSL / TLS
SSL shouldn't be a paid feature. It's been included in our product for free since we launched.
We try and use SSL everywhere. All page from catch.com are only available via SSL. e.g. login, landing page, marketing, blog, etc.
There are a few exceptions like our Knowledge Base which is powered by Assitly / Desk:
We don't offer note level encryption. We'd love to get some feedback on a straightforward way to do key management.
We've been using HSTS for at least a year now. It was an easy decision for us since all content from catch.com is only available via SSL.
Security is hard and hopefully these breaches will raise the bar for everybody.
Would you say Catch has something to offer over Evernote for someone who uses the latter for private & personal notes?