1. We have a subscription-based service that stores a user's identifying information as well as a transaction history. As this information is only used internally and is not shared outside of the company, are we still forced to abide by the GDPR?
The GDPR applies regardless of whether the personal data is processed internally or shared with third parties outside the company.
2. Also, are we able to store IP addresses for the purpose of mitigating DDoS attacks, or must we anonymize them or use geolocation?
You may be able to retain IPs based on "legitimate interest" for security purposes such as mitigating DDoS attacks. However, the users need to be informed about the processing of their personal data according to art. 13 and 14 of the EU GDPR.