The twelve-factor methodology is a pretty solid approach to deploying applications that can run locally and in multiple cloud environments, as well as being able to scale out on demand. We’ve used this approach at Deliveroo since time immemorial (about three years ago), at least in part because with Rails it Just Works^TM. With our more recent use of Scala and the ubiquitous Typesafe Config library it’s actually rather harder. After many attempts I finally found an approach I’m happy with.

Akka HTTP’s client uses connection pooling, either implicitly when you use the singleRequest method, or explicitly when using cachedHostConnectionPool or superPool. The number of requests that can be made in parallel and how backpressure works is governed by the max-connections and max-open-requests settings, but these have some slightly surprising behaviour which isn’t quite what the documentation suggests. This post demonstrates how these APIs work and discusses when to use each of them.

When I interviewed for Deliveroo a little over three years ago it was a tiny company so the ‘process’ was just a series of chats with a senior engineer, the CTO, and the CEO. All held in coffee shops because the single-room office had no free space. This approach is typical for early stage startups, and it actually seems to work reasonably well because we managed to hire some great engineers, many of whom still work at Deliveroo. But it’s not really a scalable way to grow a team.

With functions that can fail, people tend to think there are two possible options, success or failure. This is what’s modelled by Scala’s Try[A] and Future[A] types, as well as plain old try/catch. However things aren’t quite as simple as they might first appear. Let’s go down the rabbit hole.

Deliveroo is just over four years old and has grown incredibly quickly; we deliver millions of meals every week in 12 countries. When a company is growing at this rate, how do you get leadership, engineers and customers to prioritise security? I’ll talk about how we did that, setting up a security team, the threat landscape, improving physical security, improving authentication, setting up a bug bounty program, handling personally identifiable information, and responding to security incidents. We’ll also touch on the GDPR and what it means for your company.