Denial of Service protection is a key component of your perimeter defense along with your firewall, intrusion detection/prevention and continuous monitoring.
There are several managed service providers that you can choose from. The first vendor you should contact is your Internet Service Provider (ISP), they may have DoS services available as a component of your contract or they will have DoS providers they partner with.
Once you have identified the services your provider offers or the DoS protection partners they have you can evaluate which is best for you.
If you have more questions on this or other security, data protection or regulatory requirements, PCI may be important for you, feel free to let me know.
Best of luck in your venture!
For a startup, I'd suggest at a minimum you use a CDN like Fastly or Cloudflare in front of your application to prevent basic DDoS attacks. In addition, you'll need to pay particular attention to rate-limiting your login and registration APIs/forms so that you won't have bot attacks and brute-force attacks against your site. The CDN's usually don't provide rate-limiting so you may want to use something like Amazon AWS's functionality for this.