Security and Compliance Engineer
Listed on 2026-06-18
-
IT/Tech
Cybersecurity, Information Security
Security & Compliance Engineer
San Francisco
• Hybrid
• Full-time
Back Ops AI is transforming supply chain operations with agentic AI solutions that automate complex workflows, freeing operations teams to focus on what matters most. Headquartered in the San Francisco Bay Area with flexible remote‑friendly options, we foster a culture of innovation, ownership, and measurable impact.
Role OverviewAs a Security & Compliance Engineer, you will own and strengthen the operational security, compliance, and privacy foundations of our company and platform. You will work across engineering, infrastructure, and business operations to design practical controls, reduce risk, improve audit readiness, and help us meet the expectations of enterprise customers. This is a hands‑on individual contributor role for someone who can translate frameworks into working processes and technical safeguards without slowing down delivery.
This role is not an SRE role. While you will partner closely with infrastructure and engineering teams, your primary focus will be security posture, control effectiveness, compliance execution, privacy coordination, and customer trust.
What You’ll Do- Own and improve our security and compliance program across frameworks such as SOC 2 TYPE I/II, SOC 3, ISO 27001, COBIT, and GDPR
- Translate control requirements into practical technical and operational implementations across engineering, cloud infrastructure, access management, vendor management, and internal business processes
- Partner with engineering and infrastructure teams to strengthen areas such as IAM, least privilege, secrets management, audit logging, endpoint and device controls, vulnerability management, network/security hardening, backup governance, and data retention/deletion
- Drive audit readiness by maintaining evidence, control mappings, policies, procedures, risk registers, and remediation tracking
- Lead recurring access reviews, control reviews, and risk assessments across systems, vendors, and internal workflows
- Own or coordinate security policy development and lifecycle management, including periodic review and updates
- Support privacy and data governance processes, including data classification, retention, deletion, handling of customer data, and coordination on GDPR‑related requirements
- Run vendor and subprocessor security reviews, due diligence, and ongoing monitoring
- Help define and operationalize incident response governance, including response procedures, roles, escalation paths, and post‑incident follow‑up from a security perspective
- Partner with product and engineering teams on secure development practices, change management, and control design early in the lifecycle
- Respond to customer‑facing security and compliance requests, including security questionnaires, due diligence reviews, and trust documentation
- Build scalable security/compliance workflows so that controls are automated, repeatable, and measurable wherever possible
- Promote a strong security culture through lightweight training, clear guidance, and practical enablement for engineers and cross‑functional teams
- Experience: 4+ years in security, compliance, GRC, cloud security, security engineering, or a similar hands‑on role in a modern SaaS or cloud‑native environment
- Framework Depth: Working knowledge of one or more major frameworks such as SOC 2 TYPE I/II, SOC 3, ISO 27001, COBIT, GDPR and the ability to map controls across frameworks
- Technical Fluency: Comfortable working with engineering and infrastructure teams on cloud security fundamentals such as IAM, logging, secrets, vulnerability remediation, endpoint controls, and secure configuration
- Audit & Evidence Discipline: Able to maintain clean documentation, control evidence, remediation plans, and audit artifacts without turning the role into pure paperwork
- Risk Mindset: Strong judgment in identifying material risks, prioritizing remediation, and balancing speed with practical security outcomes
- Communication: Can write clear policies, standards, procedures, risk summaries, and customer‑facing responses; able to work effectively across technical and non‑technical teams
- Execution: You…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).