I updated the PageKite Data Processing Statement with some words about VPS providers.

Aside from annoying tax-related data retention requirements, renting VPSes from 3rd parties is in many ways the "weak link" limiting what security promises I can make to my users.

Although I don't believe my providers will hack into my servers and steal data from their disks, how would I even know?

I've often pondered whether I should move the Account DB and order processing to hardware I own & host myself.

@HerraBRE wheni have physical access to your server I own it - you must host yourself

@yukiame That's a security absolutist fallacy.

Hosting myself is a trade-off. Am I better at guaranteeing physical security than a professional provider? Will the reduced uptime be justified?

If the answer to either question is No, the data is better off with a professional, and things are secured the way everything else on this planet is secured: through contracts, laws, and social trust.

@HerraBRE bah BS there is only Blockchain

@yukiame OK, you win. 😆

@kaniini @HerraBRE but in a cage with a number lock with 3 dials

@kaniini @HerraBRE yep the APC is gold together by an toothstick

@feld @kaniini @yukiame Pretty cool! 😎

@kaniini @yukiame Multiple colo'ed servers is an option.

But at my scale just getting that operational with comparable uptime to what I have today, would be - relatively speaking - very expensive.

It's a tiny business with little revenue. And I myself am very time constrained. Is addressing this the best use of that time and money?

Considering the actual PII that I am responsible for (very little), and the current risk profile, I don't think so.

@HerraBRE lots of people use humans.txt to credit the humans that built the service; there's even an informal mini standard:
http://humanstxt.org/

@npd Yeah, I saw that a while back. I prefer my joke. 😛