Klaviyo is a software company that provides data-driven marketing tools for e-commerce businesses. Before launching a brand new couponing system, the engineering team needed to ensure that the new feature would not expose customers to coupon fraud and financial risk. They selected DataDome for its high level of protection, minimal UI impact, and transparent pricing. The project launched successfully and Klaviyo’s customers have been kept safe from bot-driven abuse since day one, while the protection remains invisible to end users.

The Problem: New Feature Could Increase Risk of Bot-Driven Abuse

The Klaviyo marketing automation platform enables e-commerce businesses to unify all their customer data in one place, and to deliver personalized experiences via email or SMS. Among the platform’s many features are signup forms, which customers can build and publish to their websites with just a few clicks.

“We wanted to add a new coupon feature to our signup forms, where coupon codes would be dynamically generated in the form itself as opposed to sending them by email or text message,” says Maya Nigrin, Software Engineer at Klaviyo. “However, before releasing this new feature, we wanted to ensure that it was sufficiently protected from automated abuse.”

Maya and her team already had some experience with IP-based blocking systems to mitigate issues like “list bombing”, where bad actors use automated tools to bulk fill signup forms. However, they were well aware of the limitations of these tools.

“With the addition of coupons, the incentive for malicious users also became higher. It was no longer just about getting on a list; they would immediately receive something with a certain monetary value,” Maya explains.

The Solution: Powerful Protection, Minimal UI Impact

During the planning of the project, Maya and her team were acutely aware that any protective measures would have to be built into the new coupon system from the start.

“We wanted the feature to be secure by design, in case people would try to harvest coupon codes programmatically,” Maya observes. “Our couponing system is quite complex, as it relies on a lot of communication between us and the e-commerce platforms we integrate with. We didn’t want to risk endangering any of that architecture, so it was really important that we had something preventive from the outset.”

The team started out by looking into different CAPTCHA options, but quickly realized that none of them were ideal in terms of customer experience. Store owners would have no control over how the CAPTCHAs looked, or where they were placed on the site.

“During our research, DataDome came up as one of the options,” Maya explains. “One thing that was really attractive to us was that DataDome allowed us to run a whole testing process to make sure that it worked in the form. Our use case is a little eccentric, as we’re using the protection on many different customer sites, but the DataDome engineers were remarkably flexible in helping to get the protection to work for us. Price-wise, it also worked a lot better for us than some other options we investigated.”

The Results: Successful Launch, Seamless User Experience

Because Klaviyo implemented the DataDome solution as a preventive measure before launch, there are no quantitative “before and after” metrics. However, the team assesses the project’s success in multiple indirect ways.

“The main benefit is that this feature would simply not have been released without the addition of some kind of bot protection, in order to protect our customers and their monetary interests,” Maya shares. “There was a point in time where we worried that the couponing feature might never get out the door, even though it was in really high demand. A lot of protection systems just did not work for our use case, so finding something that did exactly what we needed it to do, at a price that made sense for us, allowed us to release this feature in the first place.”

Another indirect success indicator is the volume of support tickets.

“List bombing attempts tend to generate a lot of customer inquiries,” Maya explains. “So after launching the new feature, we kept a really close eye on support tickets. It’s obviously not a quantitative assessment, but it still gives us some level of visibility into how effective the protection is. There was no noise at all that got all the way up to engineering, which was definitely a sign of success.”

In a similar way, the team regularly checks the DataDome dashboard, which provides full transparency on CAPTCHAs passed as a measure of the protection’s false positive rate.

“We want to know if and how our customers are being affected,” Maya observes. “Tickets are only going to come up if there’s a problem with the system, so having a way to see how many people are solving CAPTCHAs is really useful. That said, because everything has gone so well, I check it much more infrequently now, maybe just a quick check once a month to make sure everything keeps running smoothly.”