Our Bitcoin custody involves multi-signature wallets, with a set of private keys that control access to the BitMEX public address. A quorum of signers are randomly nominated and required to sign before any transfer occurs. No private keys are kept on any cloud server, and even in the event of a full system compromise, there would not be enough private keys available to an attacker to steal funds that are held and protected by BitMEX.
All other assets - as well as a minimal amount of Bitcoin to enable accelerated withdrawals - are secured via secure multi-party-computation (MPC). Put short, no private key is ever held in one place. The creation, signing and revocation are done in a trustless distributed manner between a threshold of co-signing components.