DevSecOps Engineer

The company is systematically building out its security and compliance function. We have already launched the SOC 2 and ISO 27001 processes on Drata, with the goal of completing them by the end of Q2. In the mid-term roadmap, we also plan to cover GDPR, HIPAA, and HITRUST.

We are looking for our first dedicated DevSecOps Engineer who will take ownership of this area.

Above all, we are seeking a strong, hands-on engineer, someone who can not only describe security and compliance processes but also independently implement them across infrastructure, CI/CD, Kubernetes, cloud environments, and production services.

This role is not about “paper compliance”. However, working with policies, procedures, and evidence will also be an important part of the responsibility. We need someone who can connect compliance requirements to real technical controls and ensure they are properly implemented, validated, documented, and audit-ready.

Requirements

• 5+ years of hands-on experience in security / DevSecOps for production infrastructure.
• Direct experience with SOC 2 implementation: controls, evidence collection, audit preparation, and communication with auditors. Experience with Drata, Vanta, or a similar compliance automation platform.
• Ability to write security policies and procedures yourself — and implement them in a way that actually works in day-to-day operations, not just sits in Notion as a checkbox.
• Strong hands-on experience with Docker, Kubernetes, and cloud environments — GCP and/or AWS. This includes IAM, network policies, secrets management, hardening, and production operations, not just theory.
• Strong understanding of IAM/SSO: centralized access management, provisioning/deprovisioning, and periodic access reviews.
• Experience building onboarding and offboarding processes from a security and compliance perspective.
• Ability to automate routine work using Python and/or Bash.
• Ownership mindset: you take responsibility for a task, drive it to completion, and think one step ahead.
• Friendly, non-toxic, and pleasant to work with.
• Strong communication with developers: you can clearly and constructively explain your position, defend it when needed, and find common ground.
• Willingness and ability to mentor, teach, and share knowledge with others.
• Analytical mindset: you dig down to the root cause instead of just treating symptoms.
• Proactivity: you would rather prevent an outage than heroically fight it later.
• Strong attention to detail and reliability.

Nice to have

• Experience with GDPR, HIPAA, and HITRUST — these are the next steps on our roadmap.
• Experience in regulated industries such as banking, fintech, or healthcare, including customer/vendor security audits.
• Experience with both on-prem and SaaS environments.
• Kubernetes security tooling: Falco, OPA/Gatekeeper, Pod Security Standards, Trivy.
• Experience using AI agents to automate routine tasks — this is already part of our engineering culture.
• Terraform/Ansible and GitOps experience.
• Experience with bug bounty or responsible disclosure programs.

Responsibilities

• Own Drata, controls, evidence collection, and communication with auditors. Support SOC 2 and ISO 27001, with GDPR, HIPAA, and HITRUST planned next.
• Develop and maintain security policies and procedures, including Vulnerability Management, Access Control, Incident Response, Data Protection, and others. These should be practical, living documents that reflect how we actually work, not generic templates.
• Build onboarding, offboarding, and access review as a real process. Today, this is mostly handled through manual tickets; you will own the process and automate it through SSO, centralized IAM, and automated provisioning/deprovisioning across GCP, AWS, GitHub, and SaaS tools.
• Drive SDLC security: Dependabot, CodeQL/SAST, SCA, dependency update policies, secrets management, and related controls. The goal is to find the right balance between compliance requirements, common sense, and a smooth developer experience.
• Own vulnerability management: scanning, CVE triage, patching, annual penetration testing, vendor selection, coordination, and follow-up on findings.
• Participate in response to critical vulnerabilities and security incidents.
• Improve security observability: audit logging, change tracking, and reporting across all production platforms.
• Spend around 60% of your time on the general infrastructure track: Kubernetes, deployments, monitoring, automation, and on-call. Infrastructure should not be a black box for you.

What we offer

• The team has built award-winning AI products for tech corporations — devices, voice assistants, products that are actually in the world 
• Cutting-edge tech stack: Speech Technologies, NLP, Generative AI (LLMs, diffusion models), voice-first agentic architecture with privacy-first and on-premises deployment
• High engineering bar and real ownership — the team cares about what actually works in production, not what looks good in a demo, and you'll see the impact of your work directly 
• Fast career progression — a senior-heavy team and a high volume of real problems means you grow faster than you would anywhere else 
• Startup pace with enterprise stability — real clients, real revenue, no bureaucracy 
• Fully remote across Europe
• 21 vacation days + public holidays + 5 sick days 
• Private English lessons via Preply