Security and Compliance Engineer

Security & Compliance Engineer

San Francisco • Hybrid • Full-time

BackOps AI is transforming supply chain operations with agentic AI solutions that automate complex workflows, freeing operations teams to focus on what matters most. Headquartered in the San Francisco Bay Area with flexible remote-friendly options, we foster a culture of innovation, ownership, and measurable impact.

Role Overview

As a Security & Compliance Engineer, you will own and strengthen the operational security, compliance, and privacy foundations of our company and platform. You will work across engineering, infrastructure, and business operations to design practical controls, reduce risk, improve audit readiness, and help us meet the expectations of enterprise customers. This is a hands-on individual contributor role for someone who can translate frameworks into working processes and technical safeguards without slowing down delivery. This role is not an SRE role. While you will partner closely with infrastructure and engineering teams, your primary focus will be security posture, control effectiveness, compliance execution, privacy coordination, and customer trust.

What You'll Do

• Own and improve our security and compliance program across frameworks such as SOC 2 TYPE I/II, SOC 3, ISO 27001, COBIT, and GDPR
• Translate control requirements into practical technical and operational implementations across engineering, cloud infrastructure, access management, vendor management, and internal business processes
• Partner with engineering and infrastructure teams to strengthen areas such as IAM, least privilege, secrets management, audit logging, endpoint and device controls, vulnerability management, network/security hardening, backup governance, and data retention/deletion
• Drive audit readiness by maintaining evidence, control mappings, policies, procedures, risk registers, and remediation tracking
• Lead recurring access reviews, control reviews, and risk assessments across systems, vendors, and internal workflows
• Own or coordinate security policy development and lifecycle management, including periodic review and updates
• Support privacy and data governance processes, including data classification, retention, deletion, handling of customer data, and coordination on GDPR-related requirements
• Run vendor and subprocessor security reviews, due diligence, and ongoing monitoring
• Help define and operationalize incident response governance, including response procedures, roles, escalation paths, and post-incident follow-up from a security perspective
• Partner with product and engineering teams on secure development practices, change management, and control design early in the lifecycle
• Respond to customer-facing security and compliance requests, including security questionnaires, due diligence reviews, and trust documentation
• Build scalable security/compliance workflows so that controls are automated, repeatable, and measurable wherever possible
• Promote a strong security culture through lightweight training, clear guidance, and practical enablement for engineers and cross-functional teams

What We're Looking For

• Experience: 4+ years in security, compliance, GRC, cloud security, security engineering, or a similar hands-on role in a modern SaaS or cloud-native environment
• Framework Depth: Working knowledge of one or more major frameworks such as SOC 2 TYPE I/II, SOC 3, ISO 27001, COBIT, GDPR, and the ability to map controls across frameworks
• Technical Fluency: Comfortable working with engineering and infrastructure teams on cloud security fundamentals such as IAM, logging, secrets, vulnerability remediation, endpoint controls, and secure configuration
• Audit & Evidence Discipline: Able to maintain clean documentation, control evidence, remediation plans, and audit artifacts without turning the role into pure paperwork
• Risk Mindset: Strong judgment in identifying material risks, prioritizing remediation, and balancing speed with practical security outcomes
• Communication: Can write clear policies, standards, procedures, risk summaries, and customer-facing responses; able to work effectively across technical and non-technical teams
• Execution: You are organized, hands-on, and able to independently drive programs from requirement to implementation to review
• Startup Fit: Comfortable operating in a fast-moving environment where you may define structure while also doing the work directly

Nice to Have

• Experience with Vanta, Drata, or similar compliance automation tooling
• Experience supporting SOC 2 Type I/II, SOC 3, ISO 27001 certification, or similar audits end-to-end
• Familiarity with cloud environments such as AWS and/or GCP
• Experience with vendor risk management, security questionnaires, and enterprise customer diligence workflows
• Familiarity with privacy operations and data governance practices in B2B SaaS environments
• Experience with security awareness programs, endpoint/device management, or identity lifecycle management
• Exposure to secure SDLC, application security reviews, or vulnerability management programs
• Experience working in AI, automation, or operationally sensitive product environments

What Success Looks Like

• Our controls are not just documented — they are actually operating, measurable, and sustainable
• Audit readiness improves with less scramble and clearer ownership
• Security and compliance become embedded into engineering and business workflows instead of bolted on later
• Enterprise customers gain confidence in our maturity through strong security posture and clear responses
• Risk is identified earlier, prioritized better, and remediated faster

What We Offer

• Equity & Ownership: Competitive equity so you grow alongside the company
• Impact & Visibility: Direct access to leadership; your work directly improves customer trust and company readiness
• Collaborative Culture: Tight-knit team of seasoned operators and AI experts
• Flexible Work: Hybrid with core Bay Area presence and remote flexibility