Customers on some plan can upload a certificate of their choice, and generally have to provide the key along with it. Keyless SSL exists, but isn't widespread.
Ah, I guess the point I'm missing is that with a 'serverless' setup, the cloud provider must have access to your private key? Unless you use some sort of key server setup (what they call Keyless SSL)