Application Security Lead

Application Security Lead

Remote (North America)

About Hightouch

Hightouch is an Agentic Marketing Platform powered by the industry-leading Composable CDP. With complete brand context, customer data, and performance history in one place, every marketer finally has the power to build and ship end-to-end campaigns themselves. Teams move faster, stay on brand, and get AI marketing that actually works.

Founded in 2019 and headquartered in San Francisco, Hightouch enables marketing teams to analyze performance, brainstorm ideas, and generate creative at a speed and quality that wasn't previously possible.

Named a Leader in the 2026 Gartner® Magic Quadrant™ for Customer Data Platforms, Hightouch is trusted by leading enterprises like Domino's, Spotify, Aritzia, Cars.com, Ramp, and PetSmart.

At Hightouch, our mission is to help our customers leverage data and AI to grow their businesses. The team is ambitious, impact-driven, efficient — and we believe humility, kindness, and compassion are essential to our success. If you're energized by velocity, obsessed with raising the bar, and want to build alongside people who care deeply about each other and our customers, we'd love to meet you.

About the Role

This is our first dedicated security hire, and it's a rare chance to define the function from the ground up. You'll own Hightouch's application security posture end-to-end. We have strong engineering fundamentals and a solid foundation; now you'll shape what security looks like here as we scale from 70 to 140+ engineers.

This is a hands-on, high-autonomy role. You'll spend most of your time in the codebase, not in meetings. You'll be solving hard problems at the intersection of security and distributed systems:

• Multi-tenant isolation on a system running ~1M data syncs per day and ingesting 100K+ events/sec
• Sub-tenant access control - for multi-team and multi-brand use cases, requiring differentiated access to configuration and data
• Security architecture - Build and refine our frameworks for compute isolation and perform threat modeling and hardening of new products
• Internet-facing APIs - Our high-throughput, internet-facing architecture services customer data at scale. You'll improve our rate limiting, abuse detection, and granularity of access control
• Multi-Region and Multi-Cloud - Supporting our multi-region and multi-cloud backend, including extending it to launch Hightouch on in new regions to support data residency requirements of our global customer base

You'll own your roadmap. We're not looking for someone to run a checklist — we're looking for someone who can look at our architecture, identify the highest-leverage problems, and go fix them.

We are looking for talented, intellectually curious, and motivated individuals who are interested in tackling the problems above. This is a senior role, but we focus on impact and potential for growth more than years of experience. The salary range for this position is $180,000 - $400,000 USD per year, which is location independent in accordance with our remote-first policy. We also offer meaningful equity compensation in the form of ISO options, and offer early exercise and a 10 year post-termination exercise window.

About You

You've been an early security hire at a SaaS company before and moved the needle on how they approach security. You can read application code, threat model a distributed system, and ship production fixes. You have significant distributed systems expertise so that you can understand and influence what is being built by the product teams and influence from a place of trust.

Experience that's relevant:

• Being an early security hire (first 1-3) at a SaaS or data infrastructure company
• Securing multi-tenant platforms: tenant isolation, authorization models, etc
• Cloud security on systems that span more than one cloud and operate against customer-owned accounts
• Design and build of data infrastructure as an early engineer, not just a user. You helped secure it from early design or during major redesigns. You understand how it scales and how it's secured
• Privacy-adjacent security (PII handling, data residency, GDPR/CCPA technical controls)

We don't care about certifications. We care about what you've built.

Interview Process

1. Recruiter Screen [30m] - Introductory mutual fit assessment

2. Security Architecture Interview [60m] - Threat model discussion of a real-ish system, followed by a systems design exercise

3. Core interview [90m] - deep dive on distributed systems knowledge

4. Hiring Manager Interview [60m] - What you've built in the past, how you work

5. Security Program Interview [60m] with Head of Engineering — How you've run security programs in practice: bug bounty, pentest engagements, working with external researchers, and partnering across engineering to drive adoption.

E-Verify Statement

Hightouch participates in E-Verify. After you join the team, we'll verify your eligibility to work in the U.S. by submitting information from your Form I-9 to the Social Security Administration and, if needed, the Department of Homeland Security. This process happens post-hire only — we never use E-Verify to pre-screen applicants.

E-Verify Notice E-Verify Notice (Spanish) Right to Work Notice Right to Work Notice (Spanish)