[atoav]

But where does the code run physically? Of course on a server, otherwise it wouldn't be reachable from the net. But who maintains those servers? Is there some contract with those who maintain it?

In my experience if you run things professionally you have to set up log rotation purely for legal reasons anyways. Is serverless without logs? Or how would you there ensure to log privacy relevant data only for the legally allowed periods?

How do you do SSL on serverless and who is in control of the certs that guarantee safe communications between you and your customers? If it is not you, are they somehow contractually bound to keep your user data private?

[paulgb]

> In my experience if you run things professionally you have to set up log rotation purely for legal reasons anyways. Is serverless without logs? Or how would you there ensure to log privacy relevant data only for the legally allowed periods?

AFAIK the big providers use log rotation by default. I just know that I've been running some low-stakes serverless projects for years and have always been able to access recent logs, and never worried about disk space. Privacy laws is a good point I hadn't thought of (in the context of these projects), though.

> How do you do SSL on serverless

In the case of Netlify, they already manage the certificate if you point your domain at them and click a button, so it works automatically with their functions. Same story with Cloudflare. AWS and Google make you jump through a few more hoops, or you can host the endpoint from one of their domains and piggyback on their certificate.

I imagine the security practices of all four would hold up to the security practices of a 4 Euro / month VPS host.