Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe. The infrastructure looks like a mini blockchain (with only 3 validators or signers which are all run by us for now), so even if the frontend or backend servers would get hacked, no funds could be stolen since faking guarantee letters using the backend server doesen't do anything as the signers would also have to verify.
I understand that, but my concerns was more about how users would be able to redeem their certificates should your service be seized or shutdown. It doesn't really matter that the funds are secure and cannot be stolen by third parties if the real owners cannot access them either.
And if you have a solution to this problem, how would that change if you move to multiple third party signers as you have mentioned above. Would I have to go to each signer individually and have them validated my certificate and approve my withdrawal? How would I even track down the signers?