Impossible to tell, in fact. If it is in-browser, you may be able to see if it comes in as plain text, in which case they rely on the HTTPS encryption only. Likely, it's only encrypted while stored on their servers, so they still need to hold the keys.