
Security and Compliance Engineer

Backops Ai

San Francisco · Hybrid · posted 2 months ago
Employment
Full-time

About the role

Security & Compliance Engineer


About BackOps AI


Role Overview


What You’ll Do

  • Own and improve our security and compliance program across frameworks such as SOC 2 TYPE I/II, SOC 3, ISO 27001, COBIT, and GDPR
  • Translate control requirements into practical technical and operational implementations across engineering, cloud infrastructure, access management, vendor management, and internal business processes
  • Partner with engineering and infrastructure teams to strengthen areas such as IAM, least privilege, secrets management, audit logging, endpoint and device controls, vulnerability management, network/security hardening, backup governance, and data retention/deletion
  • Drive audit readiness by maintaining evidence, control mappings, policies, procedures, risk registers, and remediation tracking
  • Lead recurring access reviews, control reviews, and risk assessments across systems, vendors, and internal workflows
  • Own or coordinate security policy development and lifecycle management, including periodic review and updates
  • Support privacy and data governance processes, including data classification, retention, deletion, handling of customer data, and coordination on GDPR-related requirements
  • Run vendor and subprocessor security reviews, due diligence, and ongoing monitoring
  • Help define and operationalize incident response governance, including response procedures, roles, escalation paths, and post-incident follow-up from a security perspective
  • Partner with product and engineering teams on secure development practices, change management, and control design early in the lifecycle
  • Respond to customer-facing security and compliance requests, including security questionnaires, due diligence reviews, and trust documentation
  • Build scalable security/compliance workflows so that controls are automated, repeatable, and measurable wherever possible
  • Promote a strong security culture through lightweight training, clear guidance, and practical enablement for engineers and cross-functional teams

What We’re Looking For

  • Experience: 4+ years in security, compliance, GRC, cloud security, security engineering, or a similar hands-on role in a modern SaaS or cloud-native environment
  • Framework Depth: Working knowledge of one or more major frameworks such as SOC 2 TYPE I/II, SOC 3, ISO 27001, COBIT, GDPR, and the ability to map controls across frameworks
  • Technical Fluency: Comfortable working with engineering and infrastructure teams on cloud security fundamentals such as IAM, logging, secrets, vulnerability remediation, endpoint controls, and secure configuration
  • Audit & Evidence Discipline: Able to maintain clean documentation, control evidence, remediation plans, and audit artifacts without turning the role into pure paperwork
  • Risk Mindset: Strong judgment in identifying material risks, prioritizing remediation, and balancing speed with practical security outcomes
  • Communication: Can write clear policies, standards, procedures, risk summaries, and customer-facing responses; able to work effectively across technical and non-technical teams
  • Execution: You are organized, hands-on, and able to independently drive programs from requirement to implementation to review
  • Startup Fit: Comfortable operating in a fast-moving environment where you may define structure while also doing the work directly


Nice to Have

  • Experience with Vanta, Drata, or similar compliance automation tooling
  • Experience supporting SOC 2 Type I/II, SOC 3, ISO 27001 certification, or similar audits end-to-end
  • Familiarity with cloud environments such as AWS and/or GCP
  • Experience with vendor risk management, security questionnaires, and enterprise customer diligence workflows
  • Familiarity with privacy operations and data governance practices in B2B SaaS environments
  • Experience with security awareness programs, endpoint/device management, or identity lifecycle management
  • Exposure to secure SDLC, application security reviews, or vulnerability management programs
  • Experience working in AI, automation, or operationally sensitive product environments

What Success Looks Like

  • Our controls are not just documented — they are actually operating, measurable, and sustainable
  • Audit readiness improves with less scramble and clearer ownership
  • Security and compliance become embedded into engineering and business workflows instead of bolted on later
  • Enterprise customers gain confidence in our maturity through strong security posture and clear responses
  • Risk is identified earlier, prioritized better, and remediated faster


What We Offer

  • Equity & Ownership: Competitive equity so you grow alongside the company
  • Impact & Visibility: Direct access to leadership; your work directly improves customer trust and company readiness
  • Collaborative Culture: Tight-knit team of seasoned operators and AI experts
  • Flexible Work: Hybrid with core Bay Area presence and remote flexibility

Perks & benefits

  • Equity Compensation
