I've evaluated quite a few and retained DosArrest before. Very reasonably priced both for emergency setups and ongoing services. Mark Teolis is great and his team is available 24x7. There's also Prolexic and Verisign but they are quite expensive to set up.
Also, in our case, we found out that we were actually covered for a DDOS attack inside our business insurance and received payment for both downtime and lost revenue. Check with your insurance agent on this. Cyberattack sections don't cost anything but great to have.
Denial of Service protection is a key component of your perimeter defense along with your firewall, intrusion detection/prevention and continuous monitoring.
There are several managed service providers that you can choose from. The first vendor you should contact is your Internet Service Provider (ISP), they may have DoS services available as a component of your contract or they will have DoS providers they partner with.
Once you have identified the services your provider offers or the DoS protection partners they have you can evaluate which is best for you.
If you have more questions on this or other security, data protection or regulatory requirements, PCI may be important for you, feel free to let me know.
Best of luck in your venture!
For a startup, I'd suggest at a minimum you use a CDN like Fastly or Cloudflare in front of your application to prevent basic DDoS attacks. In addition, you'll need to pay particular attention to rate-limiting your login and registration APIs/forms so that you won't have bot attacks and brute-force attacks against your site. The CDN's usually don't provide rate-limiting so you may want to use something like Amazon AWS's functionality for this.