Security Operations and Compliance Engineer
Job description
You'll be the person who owns security and compliance end-to-end - not as a checkbox exercise, but as an operational discipline that runs through everything the platform does. DeepBlue OS handles live customer conversations in regulated verticals (financial services, healthcare, energy), stores PII across a multi-tenant architecture, processes payments through Stripe, and integrates with third-party telephony and AI providers. The security and compliance posture of this platform is not a background concern - it's a commercial requirement that directly affects whether enterprise customers will buy.
The foundations are in place: a security audit log built to SOC 2 CC6.1 and ISO 27001 A.12.4, a compliance incident model with automated action sets, RBAC with tenant-scoped permissions, MFA enforcement for platform users, encrypted secrets management, Semgrep and dependency audit in CI, rate limiting with Redis-backed middleware, and a compliance reference document covering PCI DSS, UK GDPR, HIPAA, and FCA. What's missing is the person who takes ownership of this - who maintains it, extends it, drives the certifications, responds to incidents, and makes sure security doesn't become the thing that only gets attention after something goes wrong.
Security operations - platform and infrastructure
- Own the day-to-day security posture of the platform: vulnerability management, dependency patching, secrets rotation, access control reviews, and incident response
- Monitor and triage security alerts from CI/CD scanning (Semgrep, dependency audit), cloud infrastructure (AWS CloudTrail, GuardDuty), and application-level audit logs
- Conduct and coordinate regular penetration testing - both automated scanning and periodic manual assessments - and manage remediation through to closure
- Maintain and extend the security audit log infrastructure, ensuring coverage of new features, event types, and access patterns as the platform evolves
- Manage the security aspects of the deployment pipeline: container image scanning, secrets injection, IAM role boundaries, and network segmentation across environments
Compliance frameworks - certification and maintenance
- Drive the platform toward SOC 2 Type II certification, owning the evidence collection, control mapping, policy documentation, and auditor relationship
- Prepare and maintain ISO 27001 readiness - information security management system (ISMS) documentation, risk assessments, control implementation evidence, and internal audit scheduling
- Scope and initiate ISO 27701 (privacy information management) readiness alongside the existing UK GDPR compliance work, particularly as the platform expands into EU and international markets
- Monitor and assess the impact of emerging regulation - EU AI Act obligations for AI system providers, UK AI regulation developments, and any sector-specific requirements from the verticals the platform serves (FCA, healthcare, energy)
- Maintain the compliance reference documentation as a living resource - not a one-time deliverable
Data protection and privacy
- Own the GDPR compliance posture across the platform: data processing records (Article 30), data subject access request (DSAR) processes, data retention policies, cross-border transfer mechanisms, and breach notification procedures
- Ensure the multi-tenant architecture enforces data isolation at every layer - RLS policies, schema separation, database-tier isolation for regulated tenants - and that this isolation is testable and auditable
- Work with engineering to ensure PII handling (contact data, conversation transcripts, voice recordings) meets the requirements of each tenant's regulatory context, including FCA call recording retention, HIPAA PHI handling, and GDPR right-to-erasure
- Assess data protection implications of new features (marketplace data sharing, international expansion, CRM integrations) before they ship, not after
Internal security culture
- Establish and maintain security policies that the engineering team actually follows - access management, code review security checks, secrets handling, and incident response procedures
- Run periodic security awareness sessions - not annual compliance training theatre, but practical, relevant guidance tied to the risks the team actually faces
- Be the point of contact for customer security questionnaires, due diligence requests, and enterprise procurement security reviews - translating the platform's security posture into the language buyers and their InfoSec teams expect
- Manage the vendor security assessment process for third-party providers (Twilio, ElevenLabs, OpenAI, Stripe, AWS) - ensuring their security posture meets the commitments made to customers
Requirements
You've done this before - not in theory, but in a company where you were the person responsible for getting and keeping a compliance certification, responding when something went wrong, and explaining the security posture to a customer who was deciding whether to buy.
- 3+ years in a security engineering, SecOps, or compliance engineering role - with hands-on responsibility, not just advisory input
- Direct experience with at least one of: SOC 2 Type II audit, ISO 27001 certification, or ISO 27701 implementation - including the evidence collection and auditor interaction, not just reading the standard
- Working knowledge of GDPR at a practical level - data processing agreements, DSARs, breach notification timelines, lawful basis assessment - not just awareness that it exists
- Comfortable in a cloud-native AWS environment: IAM, CloudTrail, GuardDuty, VPC architecture, S3 bucket policies, secrets management. You don't need to be a cloud architect, but you need to understand what you're securing
- Able to read code well enough to assess whether a pull request introduces a security concern - you're not writing the application, but you can spot an unauthenticated endpoint, a missing tenant check, or a hardcoded secret
- Strong written communication - policies, risk assessments, audit evidence, and customer security questionnaire responses all require clear, precise writing
- Comfortable working as the sole security/compliance specialist in a small engineering team - you'll have support from leadership and external advisors, but the day-to-day ownership is yours
What sets you apart
- Experience with AI-specific compliance considerations - model governance, EU AI Act risk classification, AI system transparency obligations
- Familiarity with financial services (FCA) or healthcare (HIPAA/NHS DSPT) compliance requirements in a technology platform context
- Experience with multi-tenant SaaS security - tenant isolation testing, data residency controls, cross-tenant access prevention
- You've completed a SOC 2 Type II audit from scratch at a startup or scale-up - not inherited an existing certification at an enterprise
What this role is not
- Writing application code - this is a security and compliance role, not a software engineering role with a security hat
- Working in isolation - you'll be embedded with the engineering team, reviewing PRs, joining architecture discussions, and shaping features before they ship
- Treating compliance as paperwork - if your approach is "write a policy and file it," this isn't the right fit. The policies here need to reflect what the platform actually does, and be maintained as it changes
Diversity and Inclusion
We're building something global at Narwhal, and we mean that in every sense. The work we do requires different ways of thinking - and different ways of thinking come from different people.
At Narwhal, we're committed to building a diverse and inclusive team. We welcome applications from people of all backgrounds, identities, and experiences, and we actively work to ensure our hiring process is fair and accessible for everyone. Reasonable adjustments are available at every stage; just reach out and we'll make it happen.
Pay: £40,000.00-£50,000.00 per year