Delivery Hero is on a mission “to deliver anything, straight to customers’ doors.” Today, the company is the world’s leading local delivery platform, connecting customers in over 70 countries across four continents with an ecosystem of restaurants, shops, retail partners, and ‘Dmarts,’ its self-branded, delivery-only supermarkets.
The company manages a portfolio of international and regional brands like efood, foodora, foodpanda, foody, Glovo, HungerStation, PedidosYa, talabat and Yemeksepeti, and is also a global pioneer of q-commerce — online sales and ultra-fast logistics services that deliver goods in under an hour.
Founded in 2011 in Berlin with an initial team of 10, Delivery Hero now hires employees across 4 continents, in over 70+ countries and has been listed on the Frankfurt Stock Exchange since 2017.
For Delivery Hero, rapid growth had introduced complexities and challenges for its IT and security approach. Between 2016 and 2020, the company grew its workforce from ~9,000 to ~30,000 employees, and over that time, expanded their global reach through various strategic mergers and acquisitions. Keeping pace with onboarding new users and integrating new companies with different tech stacks was increasingly taxing for Delivery Hero’s internal teams.
“With so many different new people and infrastructures to manage, the complexity added up,“ explains Wilson Tang, Director of Engineering, Platform Core Services at Delivery Hero. “That limited how efficiently we could innovate. To move quickly, we needed tools to help us get that complexity under control.”
The shift to remote work in 2020 placed even greater demands on security, forcing Delivery Hero to manage an expanded attack surface and stay vigilant against a rise in cyber threats. Ensuring safe and productive access for employees to internal resources became a top priority.
“When we adopted work-from-home and hybrid work models around the world, we needed to protect applications designed for access only on our internal office networks,” says Tang. “Securing everything and giving employees access from home, or anywhere else they chose to work, became much more challenging and complex.”
To tame this complexity, Delivery Hero has adopted Cloudflare’s connectivity cloud, which converges many services companies need to secure and protect their digital environments. Specifically, Delivery Hero has progressively consolidated more security, performance, and developer functionality, onto Cloudflare’s control plane, including:
“Cloudflare’s connectivity cloud is helping us manage complexity across our global operations and has made our lives so much easier,” says Tang.
Delivery Hero, which had always prioritized cloud-native security tools, first turned to Cloudflare to secure access to internal applications. Specifically, Tang and his team began evaluating Cloudflare One, a Security Services Edge (SSE) platform that includes a Zero Trust Network Access (ZTNA) service to secure remote access.
Previously, Delivery Hero had relied on a VPN solution, but had found the technology inefficient to manage and slow for end users. In testing Cloudflare, they focused first on applying identity-based checks for web apps – a common initial use case that does not require deploying any device client software.
“From the beginning, Cloudflare impressed us with its ease and speed of deployment,” says Tang. “Protecting an application takes maybe five minutes, and I can skip the pain points of setting up access with traditional VPNs.”
Over time, the company has scaled its deployment across more users and more applications, including key developer tools and backend customer systems. Today, Delivery Hero uses Cloudflare to secure access for over 40,000 employees to all applications across self-hosted, SaaS, and non-web environments. Enforcing single sign-on identity checks has helped Delivery Hero both improve its security posture with Zero Trust best practices and streamline the experience for end users.
“With Cloudflare, our employees can access the tools they need to get their jobs done without extra security hassle or connectivity issues,” says Tang.
Adopting Cloudflare has helped Delivery Hero scale more efficiently by simplifying the process of onboarding new employees and consolidating access policies on a single platform. This has freed up time and energy for Delivery Hero’s technical staff to focus on innovation rather than administration.
“Being able to onboard new teams quickly and easily shift our new brands onto a consolidated, easily administered platform like Cloudflare improved our efficiency and time-to-market with new products,” says Tang. “Speed of innovation is everything in the tech industry, and by simplifying operations using Cloudflare we can iterate and create service and value improvements that keep our customers from turning to our competitors.”
After simplifying its security approach for internal resources, Delivery Hero began a similar process for security across its public-facing resources, which include websites, desktop and mobile customer apps, and vendor-facing administrative portals.
With its large online footprint and high volume of transactions processed, Delivery Hero has consistently been an attractive target for attackers, particularly as the company has grown. These attacks risked eroding customer trust, and mitigating them took time and energy away from staff.
“We faced every type of attack you can imagine,” says Tang. “DDoS attacks and bots brute forcing our endpoints, and deliberate, for-profit credential stuffing, account takeovers, and voucher, identity, and credit card fraud attempts against our customer and vendor portals.”
To address these risks, Delivery Hero has secured all its public-facing apps and websites with Cloudflare’s Application Services. Security capabilities such as web application firewalls, DDoS mitigation, DNS management, and bot management help Tang’s staff regain visibility and protection over their expanding footprint of digital properties.
“Due to their technical advancement, you cannot stop the bot attacks without the observability of a tool like Cloudflare,” says Tang. “Using Cloudflare for visibility, we can query malicious traffic, identify the attack patterns, and use that intel to develop solutions to mitigate them.”
Adopting Cloudflare’s Application Services has also helped Delivery Hero more efficiently manage global demand across its websites.
“We see traffic spikes year-round across regions because of different holidays, marketing activity, or annual festivals.” says Tang. “It is not unusual for us to see a 3x traffic surge in one country, and a 10x burst in another the following day.”
Using Cloudflare, Delivery Hero has insulated itself against these demand spikes, whether expected or unexpected, and is able to deliver consistently high-speed experiences for their customers year-round. Tang estimates that using the Cloudflare connectivity cloud has reduced latency, slashed Delivery Hero’s bandwidth costs by 90%, and helped the company achieve a cache hit rate of 98.5% for its vast library of product images and other online assets.
“Cloudflare’s global network and cache reserve have reduced our infrastructure costs and improved our image and static asset delivery times,” says Tang. “The savings are huge, several petabytes per month.”
One final area where consolidating onto Cloudflare’s connectivity cloud has helped Delivery Hero is with making development safer and easier.
For example, Delivery Hero has mandated that all new features for websites and apps are built with Cloudflare’s security protections.
“Cloudflare is so secure and so easy to use we have made it a compulsory tool for our development teams,” says Tang. “Whenever we develop a new API endpoint, it must be behind Cloudflare, so we can properly protect and manage it.”
Delivery Hero also uses Cloudflare Workers, a developer platform to build and deploy serverless applications and functions. By configuring changes on Workers, Tang and his team can scale those changes across Delivery Hero’s application footprint with speed.
“Cloudflare Workers is so easy to deploy. In minutes, we can make changes, create third-party integrations, or onboard new technologies that would otherwise take us hundreds of hours of development and testing,” says Tang.
Throughout the years tackling various use cases with Cloudflare, Tang has had a positive experience.
“Cloudflare has supported us every step of the way. From our account managers and customer success agents to Cloudflare technical support, somebody is always on hand to help us achieve our business goals.”
Achieved 98.5% cache reserve hit rate for online assets, accelerating service delivery and improving the user experience worldwide
90% reduction in bandwidth expenses due to improved bot security and content caching in the connectivity cloud
Mitigated bot attacks, freeing up development teams to focus on product innovation rather than fraud prevention
Secure hybrid work with Zero Trust access for over 44,000 employees
Reduced organizational complexity, speeding up the onboarding of new employees and infrastructures
“Having a single Cloudflare solution in place to help us manage complexity across our global operations has made our lives so much easier. Cloudflare has supported us every step of the way.”
Wilson Tang
Director of Engineering, Platform Core Services
“Speed of innovation is everything in the tech industry, and simplifying operations using Cloudflare allows us to iterate and create service and value improvements that keep our customers from turning to our competitors.”
Wilson Tang
Director of Engineering, Platform Core Services