PermitFlow is an applied AI company redefining how America builds by addressing significant information challenges in construction. The Security Engineer will be responsible for architecting and implementing secure infrastructure solutions, maintaining compliance, and collaborating across teams to enhance security practices.
Responsibilities:
- Architect, design, and implement secure, compliant, scalable, and cost-efficient infrastructure solutions to protect a rapidly growing product
- Lead the execution and maintenance of our SOC2 compliance program and other security-related certifications
- Design, implement, and audit Role-Based Access Controls (RBAC), Identity and Access Management (IAM), and secrets management systems
- Design and implement security best practices for backend and frontend services, APIs, and data pipelines
- Own security features end-to-end, from architecture and implementation to testing and production deployment
- Develop and maintain security automation, Infrastructure as Code, and secure CI/CD pipelines
- Implement and manage security monitoring, threat detection, and vulnerability management across our cloud infrastructure
- Establish and enforce security best practices for authentication, authorization, logging, and alerting
- Lead and participate in incident response, troubleshooting complex security issues and driving postmortem learning and improvements
- Collaborate across engineering teams to embed security into the software development lifecycle and balance compliance, velocity, and cost
Requirements:
- 5+ years of experience in Security Engineering, AppSec, GRC, or similar roles
- Proven experience designing and implementing security controls for SOC2, ISO 27001, or similar compliance frameworks
- Deep expertise in Role-Based Access Controls (RBAC), Identity and Access Management (IAM), and secrets management
- Strong experience with container security and orchestration (Docker, ECS; Kubernetes a plus)
- Expertise with secure CI/CD pipelines and modern security automation tools
- Coding and scripting proficiency (TypeScript, Python, Go, Bash, etc.)
- Hands-on experience with cloud security (GCP preferred) and securing distributed systems
- Familiarity with monitoring, observability, and incident management best practices
- Comfortable working in a fast-paced, compliance-focused startup environment, where adaptability and security ownership are essential