Also I'm concerned with where and how people's data is stored. Where are the account usernames, email addresses, and passwords stored? It sounds to me like each instance is a separate physical server, so you're 100% reliant on the instance 'host' to properly secure the data and maintain it. How does that work with GDPR compliance?
That scares the hell out of me...
Honestly, very. A large corporation has the resources to properly secure both physically and digitally their servers, keep up-to date in security threats and deal with them in a timely manner. If they don't, they can be held accountable for any data breeches or improper storage. Plus, ALL the servers of that corporation are secured to the same standard.
A bunch of dudes running servers in their basements has none of that, and their resources for managing/running/securing those servers vary greatly between them, and may even vary and change often depending on the server.
So yes, I trust a properly staffed/supported data farm vs individuals anyday in terms of security.
And that even starts off on the assumption that everyone running a server at all is aware of and concerned with securing the server and data properly, let alone bad actors who might actively try and subvert data integrity laws for their own gain.