Lead Security & Compliance Engineer

Pathos, San Francisco Bay Area, CA

About The Position

Serve as the foundational security leader who owns the end-to-end security and compliance posture of The Path. Protect highly sensitive, deeply personal user data from sophisticated (even state-level) attackers. Lead the aggressive charge to achieve HIPAA and SOC 2 compliance to unlock multi-billion dollar contracts. Operate at "massive action" startup speed, partnering closely with the product engineering team to build impenetrable systems without sacrificing the quality and speed of the core AI product.

Requirements

  • Deep Security Expertise: Expert in modern cloud security (AWS/Azure), encryption protocols, identity/access management, and threat modeling. Knows how to defend against highly motivated, sophisticated attackers, not just AI-enabled script kiddies.
  • Compliance Veteran: Has been through the trenches of HIPAA and SOC 2 audits at a software or AI company. Knows exactly what is strictly required versus what is just security theater, and can execute the requirements efficiently without bloat or delay.
  • Paranoid but Pragmatic: Loses sleep over potential attack vectors so the founders don't have to. However, translates that paranoia into practical, actionable engineering tasks rather than paralyzing the business with red tape.
  • Fast & Scrappy: Moves at a "massive action" startup pace. Can deliver enterprise-grade security without slowing down the core engineering team. Highly self-directed; acts as the "who" that solves the problem, not just someone who points out flaws.
  • Product-Minded: Deeply understands the tension between AI context needs and data privacy. Doesn't just say "no" to product features; finds innovative, code-level ways to achieve product goals securely.
  • Senior Leadership Presence: Can articulate complex security architectures and risk models clearly. Able to step into a room with VCs, government officials, or auditors and instantly project deep, credible expertise.

Responsibilities

  • Achieve full HIPAA and SOC 2 compliance as fast as possible. Own the implementation of cloud, auth providers, secret management, and BAA vendor negotiations.
  • Develop a comprehensive, multi-step security and risk-mitigation plan, with rigor that’s convincing to sophisticated customers.
  • Build and implement automated CI/CD safeguards, rigorous testing, and deployment guardrails that completely prevent product engineers from accidentally exposing secrets or writing vulnerable code.
  • Own the strategy for defending against Advanced Persistent Threats (APTs) and even state-level actors. Organize and execute rigorous external penetration testing, establish an incident response protocol, and anticipate issues before they occur.
  • Own the security architecture with a deep empathy for the end user. You recognize that heavy-handed security decisions can break core product functionality. You will solve the hard technical challenges of keeping incredibly sensitive data locked down, ensuring our users' absolute privacy while maintaining the seamless, context-rich experience they expect.
© 2024 Teal Labs, Inc