Just an aside, and this might sound obvious -- but I'd also be damn sure to get another party to specifically do penetration testing for web exploits on the test server's data. (Of course, I guess it might also sound stupid for some reason...)