Just to clarify we do not have access to your private keys
[...]
and your wallet.dat file is encrypted with your masterkey & password
1. The wallet file is encrypted with the password
2. The encrypted wallet file is stored on your server
3. You get the password transmitted via plaintext
This leads to the conclusion that you indeed have access to the private keys, therefore making your following statement a simple and plain lie.
[...] leaving us with no access to your funds or private keys.
How we secure CSRF attacks and SQL injection:
[...]
You claim that you prevent CSRF
with "SQL Injection filters":
We use SQL injection filters to prevent CSRF attacks [...]
So... I see two options. You are either
1) incompetent or
2) malicious
And, to be honest, both options are bad for operating a web wallet.
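To illustrate the second point of the post above (an SQL injection filter says nothing about where a request came from, which is what a CSRF defence has to decide), here is an added example that is not part of the original post or the wallet's code. It assumes a constructed session store, a hypothetical withdrawal handler, and a simple keyword-based filter standing in for the "SQL injection filters" the provider mentions.

```python
import hmac
import re
import secrets

# Constructed session store for the demo: cookie value -> session data.
SESSIONS = {"cookie-abc": {"user": "alice", "csrf_token": secrets.token_hex(16)}}

# Hypothetical keyword filter of the kind often sold as "SQL injection protection".
SQLI_PATTERN = re.compile(r"('|--|;|\bunion\b|\bselect\b)", re.IGNORECASE)


def sqli_filter(params):
    """Reject parameters containing common SQL metacharacters.
    This guards query construction; it does not check who sent the request."""
    return not any(SQLI_PATTERN.search(str(v)) for v in params.values())


def csrf_check(session, params):
    """Synchronizer-token check: the form must carry the per-session secret.
    A page on another origin cannot read the victim's session, so it cannot supply it."""
    submitted = params.get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf_token"])


def handle_withdraw(cookie, params, require_csrf_token):
    """Return 'ok' if the withdrawal is accepted, otherwise a rejection reason."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "rejected: no session"
    if not sqli_filter(params):
        return "rejected: sqli filter"
    if require_csrf_token and not csrf_check(session, params):
        return "rejected: csrf token"
    return "ok"


def demo():
    # Request from the wallet's own form: browser sends the cookie and the token.
    good = {"to": "1ExampleAddr", "amount": "0.5",
            "csrf_token": SESSIONS["cookie-abc"]["csrf_token"]}
    # Cross-origin request: the browser still attaches the cookie, the fields contain
    # no SQL metacharacters, and the foreign page has no way to include the token.
    forged = {"to": "1OtherAddr", "amount": "0.5"}
    return {
        "filter_only_good": handle_withdraw("cookie-abc", good, False),
        "filter_only_forged": handle_withdraw("cookie-abc", forged, False),
        "token_good": handle_withdraw("cookie-abc", good, True),
        "token_forged": handle_withdraw("cookie-abc", forged, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With only the filter in place the cross-origin request is accepted exactly like the legitimate one; only the per-session token distinguishes them.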