Our "hot wallet" is a 3/3 multi-sig with one of the signers being a physical server, so funds are safe.
Where's the redundancy in this setup? Who holds, for instance, the backup to the keys used on the physical server? And doesn't the fact that someone has access increase the risk of losing funds?
We are the only ones who hold the backup (offline) for all 3 signers and the only ones who have access to the servers. One of the servers belongs to us, the other 2 are rented. The difference that we care about between the physical and rented ones is that for the physical one we are 100% sure it is not tampered with in any way (can't disclose how for security reasons, so you'll have to take my word on this). And if something were to ever happen, we would find out with enough time in advance that we could just migrate to a new setup instantly.
The only really bad scenario is if all 3 signer servers get seized at the same time.
If just 1 out of 3 is unavailable, the multisig transaction can't be signed anymore. Unless you mean a 1/3 multisig setup, but that creates other risks.
It is a 3/3 multisig setup; 1/3 would defeat the purpose. The reasoning behind it is that if one signer is ever seized or stops for any reason, there is no damage that can be done. Like I said, the only real bad scenario is if all of them get hacked at the same time without us knowing. If we ever feel that something is not right with any one of the signers, we can migrate to a new multi-sig with new signers and new servers in under an hour; in fact, we were planning to do this once in a while by default, just in case. Most if not all other services store their keys on a single server that may be infiltrated from day 1; there is just no way to be sure, but we don't want to take any chances ourselves.
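As an added illustration of the trade-off the thread is circling (not code from anyone in the discussion), the script below computes, for an m-of-n multisig with independent signers, the probability that funds are frozen because fewer than m signers are available and the probability that at least m keys are compromised. The per-signer probabilities are constructed placeholders, and the independence assumption deliberately does not model the correlated "all 3 seized at once" case.

```python
from math import comb


def prob_at_least(k, n, p):
    """Probability that at least k of n independent signers each hit an event of probability p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def multisig_risk(m, n, p_unavailable, p_compromised):
    """Risk profile of an m-of-n multisig, assuming signer failures are independent.

    Frozen: fewer than m signers can still sign, i.e. at least n-m+1 are
            unavailable (seized, offline, lost). A 3-of-3 freezes as soon as
            any single signer is down, until keys are restored from backup.
    Stolen: at least m keys are in an attacker's hands.
    Returns (p_frozen, p_stolen).
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    p_frozen = prob_at_least(n - m + 1, n, p_unavailable)
    p_stolen = prob_at_least(m, n, p_compromised)
    return p_frozen, p_stolen


def compare_thresholds(n, p_unavailable, p_compromised):
    """Return {m: (p_frozen, p_stolen)} for every threshold m of an n-signer wallet."""
    return {m: multisig_risk(m, n, p_unavailable, p_compromised) for m in range(1, n + 1)}


if __name__ == "__main__":
    # Constructed per-signer probabilities, for illustration only.
    P_UNAVAILABLE, P_COMPROMISED = 0.05, 0.01
    for m, (frozen, stolen) in compare_thresholds(3, P_UNAVAILABLE, P_COMPROMISED).items():
        print(f"{m}-of-3: P(frozen)={frozen:.4f}  P(stolen)={stolen:.6f}")
```

Raising m lowers the theft probability but raises the freeze probability; with offline backups of every key (as described above), a freeze is recoverable by migrating, whereas a theft is not.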