Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe. The infrastructure looks like a mini blockchain (with only 3 validators or signers which are all run by us for now), so even if the frontend or backend servers would get hacked, no funds could be stolen since faking guarantee letters using the backend server doesen't do anything as the signers would also have to verify.
I understand that, but my concerns was more about how users would be able to redeem their certificates should your service be seized or shutdown. It doesn't really matter that the funds are secure and cannot be stolen by third parties if the real owners cannot access them either.
And if you have a solution to this problem, how would that change if you move to multiple third party signers as you have mentioned above. Would I have to go to each signer individually and have them validated my certificate and approve my withdrawal? How would I even track down the signers?
First of all the frontend will be open source very soon, so if the service gets seized/shutdown anyone can use that to withdraw assuming the multi-sig signers are still online. The only really bad scenario is if
all 3 signer servers get seized at the same time. Chances of that happening are very slim since we would know about at least 1 of them with enough time in advance and no single server out of the whole infrastructure is exposed so even finding one of them would be quite challenging, let alone the signers.
If there was a 5/10 multi-sig for example, if only 5 of those signers are still running then anyone can use the open source frontend to withdraw. You don't have to contact anyone, theoretically even the signers don't have to know who the other ones are. As long as the required amount of multi-sig signers are still online then the service is online regardless if we the creators are around anymore or not.