As far as I'm aware, there's no requirement imposed by GDPR requiring that data stay within the EU as long as you have DPA's with Cloudflare, AWS, and any other data processors.
DPAs are very easy to sign with AWS and Cloudflare.
I also don't understand your complaint about "200 edge locations". Are you expecting him not to use a CDN?
As far as I'm aware, there's no requirement imposed by GDPR requiring that data stay within the EU as long as you have DPA's with Cloudflare, AWS, and any other data processors.
DPAs are very easy to sign with AWS and Cloudflare.
I also don't understand your complaint about "200 edge locations". Are you expecting him not to use a CDN?