Klaviyo app listing requirements
Klaviyo’s Integration Directory is the central hub for Klaviyo customers to discover apps that will help achieve their growing business needs. Before we can consider showcasing your app in our integration directory, your app must demonstrate compliance with Klaviyo’s app listing requirements detailed below. As you prepare to submit your app for review, please ensure that your app meets the criteria below.
Customer value and ease of use
- Apps must provide clear and obvious value to customers:
- Your app must have a website that outlines details on its benefits. Include up-to-date visuals and/or a demo video.
- Your app must have supporting documentation on setup, accomplish common use cases, and best practices.
- Your app must be an incremental improvement to customers’ workflows gained through efficiency or driving revenue.
- Apps must be easy to install and use:
- Your app must be quick and easy to install. We expect the app to be live and functional within hours, and it must not require coding for basic use cases.
- Users installing and using this app must have a high quality, modern installation and configuration user interface while in your product.
- Your app must have step-by-step documentation for setup and use.
- Your app must support the main use cases with minimal manual effort by the customer for setup and use.
- Your app must use OAuth for installation and authorization.
Technical requirements
- Apps must demonstrate expected behavior:
- Your app must have at least 5 installs with API activity. For the avoidance of doubt, developer accounts or other accounts associated with your company do not count toward this requirement.
- Your app must provide a user workflow diagram, a list of API endpoints used, and an architecture diagram of the data flow. If your app only includes general information about the product, it will not be considered.
- Apps need to follow best practices including:
- Your app must use OAuth authentication and request only required scopes.
- Your app must use stable APIs.
- Your app must respect API rate limits to avoid unnecessary load in accordance with our API Terms of Use.
- Your app must monitor for and handle errors reasonably. High error rates may result in being delisted.
- Apps should maintain uptime and reasonable SLAs:
- Your app must not have any frequent or unresolved customer support escalations.
- Your app must resolve any identified issues with performance, stability and reliability in a timely manner.
- You must notify customers of any outages related to your app and related products.
App listing
- App listing pages should contain up-to-date information or linked resources including:
- An accurate description of your app and how it provides customer value, beyond general product information.
- Detailed instructions on how to install your app and contact information for customer support.
- Clear steps on how to configure top use cases and implement best practices.
- A list of all data exchanged between your app and Klaviyo, which lets users know how information will flow, which must be accurate, up-to-date, and reflect the scopes your app requests.
- High quality demo and enablement material using fictional information that does not expose any customer or user information.
- Links to your app’s Terms of Service and Privacy Policy that must be kept up to date.
- Apps cannot directly connect merchants to service providers, agencies, developers, capital fundraising, or other restricted services referred to in Klaviyo's Acceptable Use Policy.
- App listings should not imply endorsement by Klaviyo without formal, written approval
- Your app and any related documentation cannot suggest being Klaviyo’s “preferred”, “recommended”, “top performing”, “best”, etc.
- Your app should comply with all Klaviyo brand guidelines.
Security requirements
Data protection
-
Data in transit:
- Ensure all data transmitted between the third-party application and our systems is encrypted using TLS 1.2 or higher.
- Use strong recommended cipher suites - refer to the Mozilla SSL Configuration Generator for guidelines on disabling weak cipher suites. This tool provides recommended configurations for various web servers and helps ensure that only secure cipher suites are used. Link: Mozilla SSL Configuration Generator.
- Enforce the use of HTTPS for all API communication to ensure data encryption in transit.
-
Data at rest:
- All sensitive data (e.g., passwords, financial information, PII, OAuth tokens) must be encrypted at rest using industry-standard algorithms (e.g., AES-256).
-
Access, authentication and authorization:
- The third party application must authenticate and authorize requests on exposed endpoints. Third party integrations must:
- Validate the application identity and integrity of the request.
- Token must be validated server side to ensure that only permitted users can execute actions within an application.
- Tokens must expire and the application must reject expired tokens.
- At a minimum ensure that MFA is required to authenticate to the third party systems and resources used to process, store and/or transmit data.
- Implement robust access controls (e.g., role-based access control) to limit access to data based on the application's specific needs.
- Clearly state where user data will be stored and processed. If data is transferred outside the user's region, obtain explicit user consent and comply with relevant data transfer regulations (e.g., GDPR).
- The third party application must authenticate and authorize requests on exposed endpoints. Third party integrations must:
-
OAuth credentials security:
- Store OAuth credentials securely using industry best practices, a dedicated credential store with encryption (e.g. AWS/GCP Secrets Manager, Vault, etc.). Restrict access to credential store(s) to only those individuals required for proper operation.
- Request only the minimum set of API permissions necessary for the application's functionality.
- Implement mechanisms for regular rotation of OAuth client credentials to mitigate the risk of compromise.
- Never hardcode OAuth client credentials within the application code. Always retrieve them from a secure secrets store (e.g. AWS/GCP Secrets Manager, Vault, etc.).
-
API security:
- Provide comprehensive and accurate API documentation that outlines available endpoints, authentication methods, and expected data formats.
- Implement rate limiting on API calls to prevent abuse attacks.
- Validate and sanitize all user input received through the API to prevent malicious code injection attacks (e.g., SQL injection, XSS).
- Implement secure error handling practices to avoid exposing sensitive information in error messages.
-
Logging and auditing:
- Implement logging mechanisms that capture detailed records of activities, including login attempts, data access, changes, deletions, API calls, etc.
- Securely store logs in a tamper-evident manner to prevent unauthorized access or modifications.
- Logs must be retained for a minimum of 365 days.
- Ensure real-time monitoring of log data to detect and alert on suspicious or anomalous activities.
-
Application security:
- The third party application must validate and sanitize all untrusted data and treat all user input as unsafe.
- The third party application must not use versions of third party libraries and dependencies with known critical or high vulnerabilities. When vulnerabilities in these libraries and dependencies are discovered, application developers must remediate vulnerabilities in 3 and 7 days respectively.
Legal requirements
-
Apps must pass a security review. Information on your company, app, and use case(s) must be true and complete at the time of submission.
-
You must submit an app registration form and, as part of that, agree to the following terms:
Klaviyo reserves the right to choose to not list your apps for any reason.
Updated 3 months ago