VSCO × Cloudflare — CF for SaaS / Hostname Initiative POV Plan

01

Current State

Cloudflare is excited to offer a Proof of Value to VSCO to evaluate Cloudflare for SaaS as the infrastructure layer powering VSCO's custom hostname initiative. VSCO operates a B2C creative platform with a large base of creator accounts who use custom domains — each requiring automated SSL/TLS certificate provisioning, edge routing, and per-hostname security policy enforcement at scale.

VSCO's current custom hostname architecture requires manual certificate lifecycle management and does not natively support per-hostname WAF policies or edge-level routing logic. As VSCO's creator ecosystem grows, the operational cost and complexity of managing thousands of custom hostnames under their SaaS platform is a measurable bottleneck to shipping creator-facing features.

Both parties have agreed to a time-bounded POV to demonstrate Cloudflare for SaaS' ability to automate SSL/TLS provisioning, apply per-hostname edge policies, and support VSCO's roadmap for custom domain-enabled creator features — including potential Workers for Platforms extensibility.

Context from existing engagement

VSCO has been an active Cloudflare customer since 2024. The current contract covers WAF, Bot Management, CDN, and R2. The CF for SaaS / custom hostname initiative represents an expansion into the platform tier, driven by VSCO's engineering team (Benji Hertel, Jeremy Hertel, Andreas Salme) and CTO Chris Haire, who is both decision maker and signer.

02

Objectives

The following objectives define what both Cloudflare and VSCO intend to accomplish through this POV:

1

Understand and affirm VSCO's custom hostname challenges

Confirm the operational pain points around certificate provisioning, hostname lifecycle management, and per-hostname routing and security policy today.

2

Confirm Cloudflare for SaaS as the solution

Validate that CF for SaaS' custom hostname API, automated SSL via DCV, and per-hostname Worker/WAF binding covers VSCO's requirements without requiring significant application-layer changes.

3

Define measurable success criteria

Agree on finite, testable outcomes that constitute POV success — hostname provisioning time, SSL issuance success rate, certificate renewal automation, and WAF policy propagation per hostname.

4

Confirm POV timeline and contracting path

Establish start/end dates, check-in cadence, and the contracting process if the POV is successful — including expansion on top of VSCO's existing Cloudflare agreement.

5

Confirm stakeholders and check-in cadence

Align on who owns each workstream at VSCO and Cloudflare, and the weekly cadence already in place with the VSCO engineering team.

03

Proposed Solution Overview

Cloudflare for SaaS enables VSCO to offer custom domains to creators by operating as the authoritative edge for those hostnames — handling TLS automation, routing, and security policy — without VSCO needing to manage certificates or build custom hostname infrastructure themselves.

VSCO Creator mycreativebrand.com

CNAME → vsco.co

Cloudflare Edge CF for SaaS · SSL auto · WAF

Proxied to origin

VSCO Origin vsco.co platform

Cloudflare Products in POV

The core product. VSCO provisions custom hostnames via the Cloudflare API — each hostname receives its own SSL/TLS certificate (DCV automated), edge routing, and is bound to VSCO's fallback origin. Supports tens of thousands of hostnames with no per-hostname operational overhead.

Automated certificate issuance and renewal for every custom hostname. Cloudflare handles DCV (HTTP, TXT, or email validation), issuance via DigiCert or Let's Encrypt, and automatic renewal — no manual cert management for VSCO's engineering team.

Optional but in-scope: Workers for Platforms lets VSCO deploy per-hostname edge logic (creator-specific routing, A/B tests, custom redirect rules) without routing all creator traffic through VSCO's own infrastructure. Aligns with VSCO's existing Workers for Platforms exploration.

WAF managed rules and custom rules applied at the per-hostname level. VSCO can enforce a baseline security policy across all creator custom domains, with the ability to override per-hostname where needed — without running separate WAF infrastructure per creator.

04

Use Cases & Success Criteria

Cloudflare and VSCO agree on the following finite and measurable success criteria to be validated during the POV.

At the end of the POV, VSCO will confirm the success or failed delivery of each criterion. Cloudflare will maintain active entitlements through contracting if the POV is successful. If the POV is not successful, Cloudflare will deactivate the CF for SaaS entitlements upon written confirmation.

Use Case	Pain Point	Success Criteria	Outcome
Custom Hostname Provisioning	Manual certificate lifecycle management for creator custom domains is operationally expensive and error-prone. Certificate renewals require engineering intervention and cause periodic downtime for creators.	Custom hostname provisioned via API in <60 seconds SSL/TLS certificate issued and active within 15 minutes of hostname creation Automated renewal fires ≥30 days before expiry with zero manual steps CNAME-based DCV validated successfully for test hostnames	Necessary
SSL/TLS Certificate Automation	VSCO's current certificate management does not scale to the planned creator custom domain growth. Each new hostname requires manual engineering work to provision and renew certificates, creating a bottleneck to the creator domain feature launch.	Bulk provisioning of 50 test hostnames completes without errors Certificate status API reflects `active` for all provisioned hostnames Wildcard certificate fallback works correctly for unclaimed subdomains Custom certificates (BYO) upload and activate within 5 minutes	Necessary
Per-Hostname WAF Policy	VSCO needs to enforce baseline security rules across all creator custom domains without building and operating per-hostname security infrastructure. Existing WAF rules on vsco.co do not automatically propagate to custom hostnames.	WAF managed ruleset applies to all provisioned custom hostnames by default Custom WAF rules created via CF for SaaS API fire correctly on test hostnames Rate limiting rules inherit correctly from VSCO's fallback origin config Bot Management signals available per-hostname (false positive rate <1%)	Desired
Workers for Platforms — Edge Routing	VSCO wants to enable per-creator customization at the edge (routing rules, feature flags, A/B tests on custom domains) without routing all creator traffic through VSCO's application servers. Current architecture requires application-layer handling for all hostname-specific logic.	Worker script deployed to a custom hostname via Dispatch Namespace API Per-hostname Worker overrides fallback origin routing without affecting vsco.co traffic Worker execution latency <5ms (P99) at Cloudflare edge Worker KV bindings accessible per-hostname for creator-specific config	Desired
Scale & Operational Cost	At VSCO's projected creator custom domain volume, the engineering and ops cost of managing hostnames outside CF for SaaS is unsustainable. VSCO needs a demonstrated path to operating tens of thousands of hostnames with minimal engineering overhead.	API-driven provisioning demonstrated for 100+ hostnames in a single batch No per-hostname manual steps required after initial API call Cloudflare dashboard and API provide full hostname lifecycle visibility Audit trail of certificate issuance events accessible via Logs	Necessary

05

POV Timeline

The POV is scoped to a 4-week engagement with weekly check-ins aligned to VSCO's existing Cloudflare cadence call. Milestone dates below are proposed; final dates to be confirmed at POV kickoff.

Start POV Kickoff

TBD

Formal kickoff. CF for SaaS zone configured. Fallback origin set. Initial test hostnames provisioned via API with Kathy Ly & VSCO engineering.

CF for SaaS active on VSCO zone. First test custom hostname live with valid SSL.

Check-in 1 Provisioning Review

+1 week

Review hostname provisioning via API. Validate certificate issuance times. Bulk provisioning test (50+ hostnames). Confirm DCV method works for VSCO's domain setup.

Provisioning speed & SSL issuance criteria validated. Issues logged and triaged.

Check-in 2 Security & WAF

+2 weeks

Validate WAF managed ruleset propagation across custom hostnames. Test custom WAF rules via API. Confirm Bot Management signals per-hostname. Review false positive rate on test creator domains.

Per-hostname WAF criteria validated or issues identified for resolution.

Check-in 3 Workers for Platforms

+3 weeks

Deploy test Worker to Dispatch Namespace. Bind to custom hostname. Test per-hostname routing logic. Validate Worker execution latency. Review KV binding for creator config storage.

Workers for Platforms use case validated. Edge routing working per-hostname without vsco.co impact.

Check-in 4 Proposal Review

+4 weeks

Review pricing, services, and proposed terms. Discuss expansion on top of existing VSCO–Cloudflare agreement. Confirm Pool of Funds allocation. Decision on production rollout scope.

Pricing reviewed. Decision made on production deployment and contract expansion scope.

End POV Results Review

+4 weeks

Formal review of all success criteria outcomes. VSCO confirms pass/fail per criterion. Cloudflare presents production deployment architecture and contract.

POV verdict. Go/No-Go for contract expansion. Order Form delivered if successful.

Contract Order Form

POV +5 days

Cloudflare provides VSCO with approved Order Form for internal review and signature. Expansion on existing MSA.

Contract executed. CF for SaaS active for production creator hostnames.

06

Participants

VSCO

BH

Benji Hertel Engineering & Infrastructure Manager POV Technical Lead

JH

Jeremy Hertel Engineering Manager Technical Implementation

AS

Andreas Salme Director, Platform Software Engineering Technical Stakeholder

CH

Chris Haire Chief Technology Officer Decision Maker & Signer

YA

Yasser Aboudkhil Engineering Technical Implementation

Cloudflare

TP

Ted Patsos Account Executive, Digital Native West POV Manager

KL

Kathy Ly Solutions Engineer Technical Resource

Check-in Cadence

VSCO and Cloudflare have an established weekly cadence call (Thursdays). The CF for SaaS POV check-ins will be folded into the existing meeting or scheduled as 30-minute add-ons aligned to the milestone schedule above. Kathy Ly is primary technical point of contact for POV questions between meetings.

VSCO primary: Benji Hertel / Jeremy Hertel

CF primary: Kathy Ly (SE) · Ted Patsos (AE)

Escalation: Chris Haire (VSCO CTO) · CF SE Manager

07

Contracting

The CF for SaaS / Hostname Initiative expansion will be structured as an addendum to VSCO's existing Cloudflare agreement. The POV entitlements will be active at no charge for the duration of the POV period. Upon successful completion, Cloudflare will issue an Order Form for expansion.

Existing Agreement

VSCO's current contract covers WAF, Bot Management, CDN, R2, and Image optimization. The CF for SaaS expansion is additive to the existing SKUs under the same MSA.

Pool of Funds

VSCO and Cloudflare have an active Pool of Funds discussion. The CF for SaaS expansion and Workers for Platforms use case will be scoped against the confirmed Pool allocation. Final ACV to be reviewed at the Proposal Review check-in.

POV Entitlements

CF for SaaS entitlements (custom hostnames, per-hostname SSL, WAF for SaaS, Dispatch Namespace for Workers) are provisioned as a time-bounded POV. Entitlements are deactivated if the POV is unsuccessful, confirmed in writing.

Go/No-Go Decision

At POV end, VSCO will confirm success or failure of each success criterion. A majority of "Necessary" criteria must pass for POV to be considered successful and for Cloudflare to issue the Order Form.

Contacts for contracting questions

Ted Patsos · ted@cloudflare.com · Account Executive, Digital Native West
Kathy Ly · kly@cloudflare.com · Solutions Engineer

✓

Agreement to Proceed

By proceeding with the POV, both parties acknowledge the objectives, success criteria, timeline, and contracting terms outlined in this document.

Chris Haire

Chief Technology Officer · VSCO

Date: _______________

Ted Patsos

Account Executive · Cloudflare