Best practices for self hosting on VPS


I would like to self host BW on a VPS (e.g. DigitalOcean), but i have some concerns with someone from DO having access to the stored data. Is this taken care by BW out of the box? If not what one can do?

First thing that comes to my mind:
Add an encrypted storage. I am fine with manually restarting BW when needed, like providing the encryption key or something.

Any hints are welcome. Thank you in advance.

PS: this is for a small company.

By design, all sensitive data is already encrypted at rest on the server.

Thank you. Now, I can move forward with more confidence.