Key skills
TypeScriptAIAWSTerraformIAMOAuthCI/CDOWASP
About this role
Fanvue is one of the fastest-growing creator monetisation platforms globally, and they are seeking a Principal Security Engineer to build and own their security posture. This role includes designing security controls, driving compliance initiatives, and establishing a security culture across the organization.
Responsibilities:
- Design and implement security controls across AWS infrastructure, application layer, CI/CD pipelines, and payment flows
- Write RFCs/ADRs for security architecture decisions; maintain the security chapter in the engineering-rfcs-and-adrs repo
- Establish and run a security champion network across Platform, Growth, AI, Creator Earnings, and other engineering streams, including weekly security office hours
- Own the SOC 2 Type II and PCI DSS roadmap and execution — manage auditor relationships, evidence collection, and remediation tracking
- Conduct threat modelling for new features including iframe patterns, AI Creator Studio integrations, and live streaming surfaces
- Perform hands-on security reviews: IAM policies, secrets management, API authorisation, data encryption, and vendor contracts
- Build incident response playbooks and run quarterly tabletop exercises with the on-call rotation
- Partner with Legal on compliance across PCI DSS, GDPR, age verification, and content moderation policy
- Configure and tune SIEM, vulnerability scanning, and dependency checks — own alerting and response
- Review PRs for security-critical changes and embed security gates into the project checklist
Requirements:
- A senior security engineer with 8+ years of experience, including 3+ years as the solo or founding security hire at a scaling company
- Deep AWS security expertise: IAM, GuardDuty, Security Hub, VPC design, service control policies, and multi-account strategy
- Strong application security fundamentals: OWASP, OAuth/OIDC, API authorisation, cryptography, and secrets management
- Hands-on compliance experience — SOC 2, PCI DSS Level 1, GDPR and data residency
- Proficient in TypeScript; can read and review application code for vulnerabilities
- A track record of writing clear technical documentation — HLDs, RFCs, and runbooks that others can actually follow
- Comfortable with infrastructure as code (CDK/Terraform), CI/CD security, and container scanning
- Experience building a security champion programme and influencing cross-functionally without formal authority