Regarding Netcups DDOS-Protection I cannot tell you anything helpful for your decision. I never noticed a DDOS on my services the last 4 years - but just use the Forum-search, some other users noticed attacks. Nobody like me not noticing any attacks will ever submit a forum-post like "glad to have Netcups DDOS protection", but every single customer having any Performance/(D)DOS-Issue will likely fire up a new Forum-Post complaining to be victim.
What I noticed is, that there was a discussion about "UDP DDOS Traffic" which seems to be not detectable / filtered by Netcups DDOS-Infrastructure. As you seem not to speak german and machine-based language-translation probably will not provide you the information, that the the referenced Forum-Thread-Author seems to be a very young and/or unexperienced person (disclaimer: this is just my personal view, based on the style of writing), I would suggest to focus on the Postings of "[netcup] Felix" in this thread which give some insights you maybe like to read.
Regarding CloudFlare and Latency: A "standard web application" will not noticeable suffer by the "cloudflare latency". But as you seem to have a certain type of Web-Application where latency is a key indicator I would suggest:
1. prepare and test your setup for cloudflare (or a similar service)
2. disable cloudflare for regular (day to day, high-performance) service usage
3. re-enable cloudflare in the case of a DDOS to provide additional protection "on demand"
4. automate the switch between cloudflare enabled / disabled to make it as easy and trivial as possible for you to quickly add additional protection in case of needed