Yes. On-premise environments sometimes use private CAs. GRAVITY has a mechanism to import private certificates into deployed .jar files and Docker containers. (More information)
SaaS: What Web Application Firewall (WAF) is used?
Yes. OpsOne uses ModSecurity for additional protection against application-level attacks such as cross-site scripting and SQL injection. By default, the core rule set is loaded, and it blocks common vulnerabilities and zero-day attacks by adding some more global rules. Gravity Global AG will configure additional settings in accordance with the GRAVITY configuration and the customer's requests.