
Security Engineer

Own the security posture of a multi-tenant SaaS handling food-safety compliance data - Postgres RLS, JWT auth, HMAC-signed workflows, immutable audit logs, and everything between them.

  • Job ID: JOB-A4E72F63
  • Team: Engineering
  • Location: Remote
  • Type: Full-time
  • Level: Senior

About the role

Tracegence is the system of record for compliance audits. If a customer's HACCP plan, recall record, or supplier certificate gets seen by the wrong tenant - or modified by the wrong role - the customer can fail an FDA audit. Multi-tenancy and RBAC aren't features here; they're the product's contract. Today the stack defends in depth: Postgres Row-Level Security with USING + WITH CHECK on every tenant-scoped table, short-lived JWTs with revocable refresh tokens, HMAC-SHA256 signed action chains in the workflow engine, an append-only audit log enforced at DB-trigger level, magic-link auth, and tenant-prefixed S3 keys. The next year is about hardening: real WAF rules in Cloud Armor, secret rotation cadence, SOC 2 / ISO controls, supply-chain attestation on container builds, and probably an internal red-team practice. You'd own the security work that comes after the easy "install a tool" wins: threat modeling new features, reviewing migrations that touch RLS policies, deciding when MFA + SSO become table stakes, and being the person whose review is required before any auth-touching PR ships.
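Two of the controls named above, a tenant-scoped Row-Level Security policy with both USING and WITH CHECK, and an append-only audit log enforced by database triggers, look like this in Postgres. This is an added illustration, not Tracegence's schema or code; the table, column and setting names (haccp_plans, app.tenant_id, audit_log) are assumed for the example.

```sql
-- Added example (not Tracegence's code). Table, column and setting names are assumed.
-- Part 1: tenant isolation with RLS. USING filters the rows a session may read,
-- update or delete; WITH CHECK rejects inserted or updated rows whose tenant_id
-- would land in another tenant. Without WITH CHECK, an UPDATE could relabel a row
-- into a tenant the caller cannot read, which is exactly the cross-tenant write
-- the policy is meant to prevent.

CREATE TABLE haccp_plans (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

ALTER TABLE haccp_plans ENABLE ROW LEVEL SECURITY;
ALTER TABLE haccp_plans FORCE ROW LEVEL SECURITY;   -- policy applies to the table owner too

-- The application pins the tenant per transaction from the verified JWT:
--   SET LOCAL app.tenant_id = '<tenant uuid from the token>';
-- current_setting(name, true) returns NULL when the setting is absent, so a code
-- path that forgot to set it sees no rows rather than every tenant's rows.
CREATE POLICY tenant_isolation ON haccp_plans
    FOR ALL
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Part 2: append-only audit log. The log table itself rejects UPDATE, DELETE and
-- TRUNCATE at trigger level, and every change to a tenant table writes one entry.

CREATE TABLE audit_log (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    table_name text        NOT NULL,
    row_id     bigint      NOT NULL,
    action     text        NOT NULL,             -- INSERT / UPDATE / DELETE
    actor      text        NOT NULL DEFAULT current_user,
    old_row    jsonb,
    new_row    jsonb,
    at         timestamptz NOT NULL DEFAULT now()
);

CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Row trigger for tenant-scoped tables: records who changed what, before and after.
CREATE OR REPLACE FUNCTION write_audit_row() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO audit_log (tenant_id, table_name, row_id, action, old_row, new_row)
        VALUES (OLD.tenant_id, TG_TABLE_NAME, OLD.id, TG_OP, to_jsonb(OLD), NULL);
        RETURN OLD;
    END IF;
    INSERT INTO audit_log (tenant_id, table_name, row_id, action, old_row, new_row)
    VALUES (NEW.tenant_id, TG_TABLE_NAME, NEW.id, TG_OP,
            CASE WHEN TG_OP = 'UPDATE' THEN to_jsonb(OLD) END,
            to_jsonb(NEW));
    RETURN NEW;
END;
$$;

CREATE TRIGGER haccp_plans_audit
    AFTER INSERT OR UPDATE OR DELETE ON haccp_plans
    FOR EACH ROW EXECUTE FUNCTION write_audit_row();
```

Two caveats a reviewer of an RLS migration would check: superusers and roles with BYPASSRLS ignore policies entirely, so the application must connect as an ordinary role that does not own these tables, and trigger-level immutability only holds as long as that role cannot DROP or DISABLE the triggers (that is, it needs no DDL privilege on audit_log). Reads of audit_log should carry the same tenant policy as the tables it records, since the old_row and new_row columns reproduce the protected data.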

What you'll do

  • Own threat modeling for new features and migrations - especially ones touching auth, RLS, or workflows
  • Run a real secrets-rotation cadence across Secret Manager, GitHub Actions, and tenant integrations
  • Set up Cloud Armor + WAF rules; tune for the SaaS attack surface, not generic templates
  • Drive the SOC 2 / ISO compliance work - turn controls into code, not policy docs
  • Improve the audit log: alerts on anomalous reads, retention against the right legal asks
  • Be the security review on every PR that touches auth, payments, or tenant boundaries

What we look for

  • 4+ years in security engineering at a real product company - not pure consulting
  • Hands-on with the OWASP top 10 in production code, not just on a quiz
  • Comfortable reading Django / Postgres / GCP IAM and finding what's missing
  • Have seen a SOC 2 audit from inside engineering (Type 1 or 2)
  • Can write a clear security review that a backend engineer will act on, not file under "later"

Apply for Security Engineer

Send a short note and your relevant background - we read every email.