Lots of warning bells here. If security is your "top priority" then you need to involve security professionals. You're unlikely to get adequate advice from a forum like WHT because the specific details of your setup will be extremely important.

Many of the largest providers (including ones you mention) have had significant security breaches in the past. Also, even the best protected VPS is vulnerable to an attack from a single compromised administrator's PC, which may be completely invisible to you. You have to assume that sooner or later your VPS may be compromised due to no fault of yours. You need to have processes in place to detect that and deal with it if it happens (monitoring, log file checking, backups...). Also you need to be constantly aware of the latest vulnerabilities and keep everything patched to reduce the attack surface as much as possible. Security is an ongoing process.

You should avoid handling any "sensitive" data at all, if you can avoid it. If you can't avoid it, you should track it so you know what is exposed and where and when. That's what GDPR is all about.