Remote mysql access requires whitelisting by IP already. (Servers Management > Security > MySQL)
Locking SSH keys to IP addresses and specific apps is very necessary, though.
This is indeed a good suggestion. We at Cloudways believe in being transparent to our users in all operational areas. We have added this idea to our Product Improvement Ideas list, and information about security would be available on the Cloudways Platform in the coming days.
On the Features page, CW advertises, "Proactive Cloudways security practices keep all your servers safe and secure. ... All Cloudways hosted servers are protected by OS-level firewalls that filter out malicious traffic and keep out the intruders." This is not completely true, and there's no way to know to what extent it may be partially true. I had to request help hunting down what was causing outages, come to find it was a single IP address from China repeatedly trying to log in to one site, and was told to ban it in htaccess. That is the opposite of "proactive" and "OS-level."
I just found out that a deleted account can't be used as a team member, either! I'm completely locked out of my client's account. I'm sorry I referred them to Cloudways and will be looking for an alternative.
+1 Very annoying limitation as it is now.