RE: New features for developer - Use HIVE Onboard for your dApp

in #hiveonboard, 4 years ago

I don't have time to write papers. But as far as I can see, your onboarding is the best available for Hive. Some store keys server-side (@esteem) and add security risks (see issue with @community321 hack on steem). Some don't even give the keys to their users (@steemmonsters). Some others just sell the accounts, when nobody wants to pay to try a social network.

The only problematic data are the keys and the phone number. If you don't have it stored in your db, technically you could even make your db public. The only security concern then is your own key that is used to create the accounts, and that's only a risk for you. As long as your server is secure (i.e. regular package updates), your key should be fine too.

All phone numbers are purged from the db now and instead a SHA-256 hash is stored for each account created. Works like a charm!
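An added example, not part of the original thread and not HIVE Onboard's code: duplicate-signup detection from a stored digest instead of the phone number, as the reply above describes. It assumes the hash is taken over the normalized number, and it swaps in HMAC-SHA256 with a server-side key as the default, because phone numbers form a small input space and a keyed digest stays meaningless to anyone who sees the table without the key; `PEPPER`, `AccountStore` and the sample numbers are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a server-side secret kept outside the database (constructed value).
PEPPER = b"constructed-example-secret-not-for-production"


def normalize_phone(raw: str) -> str:
    """Reduce a number to '+<digits>' so formatting variants hash alike."""
    s = raw.strip()
    if s.startswith("00"):              # international prefix written as 00
        s = "+" + s[2:]
    digits = re.sub(r"\D", "", s)
    if not s.startswith("+") or not 8 <= len(digits) <= 15:
        raise ValueError("expected an international number such as +43 660 1234567")
    return "+" + digits


def plain_digest(raw: str) -> str:
    """Unkeyed SHA-256 over the normalized number, as mentioned in the thread."""
    return hashlib.sha256(normalize_phone(raw).encode()).hexdigest()


def keyed_digest(raw: str, key: bytes = PEPPER) -> str:
    """HMAC-SHA256: same duplicate check, but the digest depends on the key."""
    return hmac.new(key, normalize_phone(raw).encode(), hashlib.sha256).hexdigest()


class AccountStore:
    """Hypothetical in-memory stand-in for the accounts table."""

    def __init__(self, digest=keyed_digest):
        self._digest = digest
        self._by_digest = {}

    def create_account(self, name: str, phone: str) -> bool:
        d = self._digest(phone)
        if d in self._by_digest:        # this number already created an account
            return False
        self._by_digest[d] = name       # only the digest is stored, never the number
        return True

    def rows(self) -> dict:
        return dict(self._by_digest)
```

Rotating the key invalidates the stored digests, so the key has to be retained for as long as the duplicate check is needed.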

Aye! I'm really thankful for those insights - which are really valuable for me.

Usually I don't need papers but a little kick in the right direction :)