Store only the addresses (or better yet, generate the addresses from an xPub as needed) on the hosted server. That way the users can send the funds to you without needing any private keys on the hosted server at all.
Have a separate smaller system which is not hosted for sending funds out. The users can place requests for funds on the hosted server where the requests can be stored. The non-hosted server can retrieve the requests, run them through a set of sanity checks to make sure nothing unexpected is happening, and then can send out the funds in scheduled batches (reducing transaction costs).
The non-hosted server can be secured behind a firewall allowing NO incoming connections at all, and ONLY allowing the 1 outgoing connection to the hosted server.
In reference to this quote, what is actually meant by a "non-hosted" server? I'm not familiar with the concept. Does it simply mean a server that is kept locally and turned off most of the time (surely not)? I would greatly appreciate some input on what exactly this means. Thanks in advance for the replies.
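The sanity-check and batching step that the quoted design assigns to the non-hosted server, written out as an added Python example (not code from the original post). The policy limits, request fields and addresses are constructed placeholders, and the address check is only a coarse shape check standing in for a real decoder.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical policy for the non-hosted (signing) side; amounts in BTC, values constructed.
POLICY = {
    "max_per_request": Decimal("0.50"),
    "max_per_user":    Decimal("0.60"),   # per user, per outgoing batch
    "max_per_batch":   Decimal("1.00"),   # total per outgoing batch
}

# Constructed sample of the withdrawal queue pulled from the hosted server.
REQUESTS = [
    {"id": "r1", "user": "alice", "address": "bc1qexampleaddress0000000000000000000000", "amount": "0.10"},
    {"id": "r2", "user": "bob",   "address": "1ExampleLegacyAddressXXXXXXXXXXXXXX",     "amount": "0.75"},
    {"id": "r1", "user": "alice", "address": "bc1qexampleaddress0000000000000000000000", "amount": "0.10"},
    {"id": "r3", "user": "carol", "address": "not-an-address",                           "amount": "0.05"},
    {"id": "r4", "user": "dave",  "address": "3ExampleP2SHAddressXXXXXXXXXXXXXXXX",      "amount": "-0.01"},
    {"id": "r5", "user": "alice", "address": "bc1qexampleaddress0000000000000000000000", "amount": "0.45"},
    {"id": "r6", "user": "erin",  "address": "bc1qanotherexampleaddress00000000000000",  "amount": "0.40"},
    {"id": "r7", "user": "frank", "address": "bc1qyetanotherexampleaddress000000000000", "amount": "0.30"},
]

def looks_like_address(addr: str) -> bool:
    """Shape check only (prefix, length, charset); a real signer must fully decode and checksum."""
    return addr.startswith(("bc1", "1", "3")) and 26 <= len(addr) <= 90 and addr.isalnum()

def reject_reason(req, seen_ids, policy):
    """Return None if the request passes the per-request checks, otherwise a reason string."""
    if req["id"] in seen_ids:
        return "duplicate request id"
    try:
        amount = Decimal(req["amount"])
    except InvalidOperation:
        return "unparseable amount"
    if amount <= 0:
        return "amount must be positive"
    if amount > policy["max_per_request"]:
        return "exceeds per-request cap"
    if not looks_like_address(req["address"]):
        return "malformed address"
    return None

def build_batch(requests, policy=POLICY):
    """Split the queue into approved (this batch), rejected, and deferred (held for the next batch or review)."""
    approved, rejected, deferred = [], [], []
    seen_ids, per_user, total = set(), {}, Decimal("0")
    for req in requests:
        reason = reject_reason(req, seen_ids, policy)
        if reason:
            rejected.append((req["id"], reason))
            continue
        seen_ids.add(req["id"])
        amount = Decimal(req["amount"])
        user_total = per_user.get(req["user"], Decimal("0")) + amount
        if user_total > policy["max_per_user"] or total + amount > policy["max_per_batch"]:
            deferred.append(req["id"])   # valid request, but a batch-level limit would be exceeded
            continue
        per_user[req["user"]] = user_total
        total += amount
        approved.append(req)
    return approved, rejected, deferred, total
```

Only the approved list would be handed to the signing step; everything else is logged back to the hosted queue with its reason, so nothing is ever signed just because it appeared in the queue.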