It's a great writeup, I just find it weird that the author runs his "privacy-focused" analytics service on AWS and Cloudflare. From a GDPR perspective it's not even clear if this is lawful (Schrems-II), and there are some good alternative cloud services available in the EU (e.g. Hetzner or OVH). Also, Cloudflare still sets the __cf* cookie on every request, so it's not really cookieless tracking (I'm aware that Cloudflare is planning to get rid off this cookie though).
Edit: Maybe the downvoters can explain what they're disagreeing with?
Sure, I still find it's a weird choice for a privacy-focused service. Also it's not clear that the Cloudflare cookie is really required to ensure the functionality of a web service (it probably isnt' as they're planning to get rid off it), so just pretending that you don't need to inform customers about this cookie set by your data processor is mere wishful thinking. Again, no one cares much about this and it's not enforced, if you're building a privacy-focused service you should give it some thought though instead of just saying "Cloudflare is cool because it gives me free TLS and load balancing". Just my 2c.
No it's not, you can check e.g. the EDPB's recommendation [1] on this. At the very least you'd need to use data mapping and ensure EU citizens data stays within the EU, the author's service advertises "200 edge locations around the world" so I'm skeptical whether data won't leave the EU.
Not many companies care about this and there's little enforcement so far, I think it's fair to think about this though if you're running a privacy-focused web service from Germany.
It's pretty clear that using AWS is lawful. What you're questioning is if AWS is being used in a compliant manner, which is an entirely different thing. It is possible to do so, so there's nothing odd with choosing AWS.
Personally I find it odd to choose AWS (and Cloudflare) for running a privacy-focused service out of Germany. But again, that's just my personal opinion, I guess most people here are fine with this setup. And I'm also at least a bit doubtful that a one-person startup can get all compliance aspects of running services in a global AWS and Cloudflare-based setup right, so I'd recommend using infrastructure that by default will be hosted in the EU so you don't have to worry about this.
You don't have to obey the GDPR for users outside the EU, so as long as the central storage is located in the EU (and only replicated across EU countries, which is easily configurable), the author is most likely absolutely fine.
By the edge locations, I'd assume he's serving cached static files, such as his blog or tracking scripts from there using CloudFlare. Assuming CloudFlare is not falsely advertising their GDPR compliance, the author is also fine.
As far as I'm aware, there's no requirement imposed by GDPR requiring that data stay within the EU as long as you have DPA's with Cloudflare, AWS, and any other data processors.
DPAs are very easy to sign with AWS and Cloudflare.
I also don't understand your complaint about "200 edge locations". Are you expecting him not to use a CDN?
Edit: Maybe the downvoters can explain what they're disagreeing with?