I never touch the vanity accounts at all!
But you had to manually copy paste the passphrase to deliver in DGS anyway.
I have a dedicated Raspberry Pi B on my home network where all the passphrases are, nowhere else. It watches the blockchain for orders, and delivers or refunds if the order has something wrong.
To deliver: it checks if the account is still unknown, then funds it with 2 nxt, announcing its public key. I use a reference transaction set to the incoming payment transaction to secure myself. Then it uses the secret passphrase to send an encrypted message to the buyer with the passphrase in it, and sets account control such that the buyer's approval is required for future transactions. Once everything looks good for sufficient time, the passphrase is deleted. The nxt node it uses can be my personal computer if it is connected and the nxt server is on, a Raspberry Pi 2 on the same network, or my nxt.notbot.me vps node since it has https available now.
Originally, I intended to only use the Raspberry Pi 2, but it often showed up as late (in terms of height) compared to the other nodes. As if some database transactions took hours instead of minutes for it. So now I monitor it, and it seems that while this happened several times during the first 2 or 3 days, now, 2 or 3 days later, it doesn't happen anymore, and the pi2 is up to date all the time.. strange...
I really liked the idea that you could install a pre-configured pi2 on a private network and voilà! you have a secured private access to NXT for an entire company for less than 100$.. I don't know if pi2 is enough now.. so for myself I have set up redundancy, and for companies I would advise slightly better hardware.. Perhaps pi3 is the best deal..
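
The delivery flow described in the post above can be sketched as a planning step that runs before any passphrase is touched. This is an added example, not the poster's code. The `Order` record, step names, `MAX_LAG` threshold, refund rule and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

NQT_PER_NXT = 100_000_000        # 1 NXT = 10^8 NQT
FUNDING_NQT = 2 * NQT_PER_NXT    # the post funds the vanity account with 2 nxt
MAX_LAG = 3  # assumption: blocks a node may trail the best reported height

@dataclass(frozen=True)
class Order:  # hypothetical record built from an incoming payment
    payment_tx: str       # id of the buyer's payment transaction
    buyer: str
    paid_nqt: int
    price_nqt: int
    vanity_account: str

def pick_node(heights, max_lag=MAX_LAG):
    """heights maps node name -> reported height (None if unreachable), in
    order of preference. Return the first node that is not lagging, else None."""
    live = {n: h for n, h in heights.items() if h is not None}
    if not live:
        return None
    best = max(live.values())
    return next(n for n, h in live.items() if best - h <= max_lag)

def plan(order, heights, account_known):
    """Return (action, node, steps); no passphrase is needed to decide."""
    node = pick_node(heights)
    if node is None:
        return ("wait", None, [])  # no usable node: do nothing yet
    if account_known or order.paid_nqt < order.price_nqt:
        # assumption: an already-announced account or an underpayment is
        # refunded in full (fees ignored to keep the sketch short)
        return ("refund", node, [("send_money", order.buyer, order.paid_nqt)])
    return ("deliver", node, [
        # the funding transaction references the buyer's payment, as in the post
        ("fund_and_announce_key", order.vanity_account, FUNDING_NQT, order.payment_tx),
        ("send_encrypted_passphrase", order.vanity_account, order.buyer),
        ("require_buyer_approval", order.vanity_account, order.buyer),
    ])

# Constructed sample: the pi2 trails by 40 blocks and the desktop is offline.
HEIGHTS = {"pi2": 812_300, "desktop": None, "vps": 812_340}
ORDER = Order("tx-placeholder", "NXT-BUYER-PLACEHOLDER", 500 * NQT_PER_NXT,
              500 * NQT_PER_NXT, "NXT-VANITY-PLACEHOLDER")

if __name__ == "__main__":
    print(plan(ORDER, HEIGHTS, account_known=False))
```

Comparing heights across nodes only detects a node that is behind its peers. A single node reporting an inflated height would make the others look late, so a production check would want more than one agreeing node.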