1) It would mostly depend on the service provider (how they facilitate uploading files). But short answer: yes.
2) Your war file would be all compiled class files and JavaScript along with rudimentary HTML (I am presuming this, since you mentioned this is a GWT project). As far as my knowledge goes, the class files cannot be accessed directly (there might be some loophole which I am not aware of). From that perspective I would say you are safe.
However, you mentioned "..secure on the company's server...". Do you mean the service provider when you say company? If yes, I think it should be all there in the license agreement.
3) If you can share more on what you mean by user authentication (realm, LDAP, SSO), you might get more suggestions. If I am not mistaken, by law, sensitive data should be inside a DB in an encrypted form. If you are using a pure GWT application bundled into a war, it is essentially just client side code. You will have to add the data persistence code (irrespective of encryption+DB) to it, if you have not already done so. The DB would also depend on the service provider. Not all providers offer all types of DBs.
4) Like GAE, Amazon offers cloud hosting. I am sure there are other service providers too, e.g. JavaRanch is hosted on Evolution Hosting (http://www.evolutionhosting.com/pub/evolution.jsp).
Your question is not really GWT related. I will move it over to the General Computing forum for you.