Workstream is a mission-driven company building the all-in-one HR, payroll, and hiring platform for managing the hourly workforce. There are 2.7 billion hourly workers, making up 80% of the global workforce, but this market has been heavily underserved by technology and deserves better. Workstream has been purpose-built for the hourly workforce from day one so that these businesses and their employees can thrive.

Our customers include leading brands from multiple sectors, including Burger King, Carl's Jr./Hardee's, IHOP, KFC, and Culvers. We are a high growth series B company and quickly expanding our product portfolio to deliver on our vision. We are backed by legendary VCs and industry experts like Founders Fund, BOND, and Coatue.

Grow With Us

We are hiring an Information Security Engineer to be the first dedicated security engineer at Workstream. This is a hands-on, builder-oriented role focused primarily on application and product security, with ownership of our security posture as the company scales.

This role is not about writing policies or running tools in isolation. You will work directly with our product and platform engineers to identify risks, fix vulnerabilities, and build secure-by-default patterns that allow teams to move fast without compromising safety.

This is a full-time, hybrid role requiring presence three days per week in our San Francisco or Menlo Park office.

What You’ll Do

Application & Product Security (Primary Focus)

Work side-by-side with software engineers to locate, triage, and fix security issues directly in the codebase, including authorization flaws, multi-tenant isolation bugs, sensitive data exposure, and business logic vulnerabilities.
Review and provide security input on designs, APIs, and changes involving authentication, authorization, and sensitive employee data.
Threat-model critical (“Tier-1”) APIs and workflows and help teams design safer defaults.
Build practical guardrails and reference implementations that can be reused across teams.

Security Program & Blue Team Ownership

Build practical guardrails and reference implementations that can be reused across teams.
Act as the primary Blue Team owner, coordinating external security testing and responsible disclosure.
Translate findings into concrete engineering work and drive remediation through to verification.
Help define and mature incident response processes and participate in real incidents when they occur.
Establish a clear baseline of Workstream’s security posture and propose a prioritized roadmap for improvement.

Compliance & Privacy (Ownership, Not Busywork)

Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.
Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.
Ensure compliance supports product development rather than slowing it down.

Infrastructure & Corporate Security (Selective Involvement)

Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.
Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.
Ensure compliance supports product development rather than slowing it down.

Who You Are

Required Qualifications

Strong software engineering background with the ability to read and write production-level code.
Hands-on experience securing real systems, not just writing policies or reports.
Comfortable auditing Node.js and Ruby on Rails codebases.
Experience working in SaaS environments with enterprise customers and sensitive data.
A pragmatic, collaborative mindset: you believe security should enable innovation, not block it.
Able to communicate risk clearly to engineers and non-technical stakeholders.

Nice to Have (Not Required)

Experience owning security end-to-end at a startup or mid-stage company.
Exposure to bug bounty programs or external security testing.
Experience with SOC 2 or similar compliance frameworks.
Familiarity with securing multi-tenant SaaS platforms.
Be comfortable operating with broad ownership, ambiguity, and limited specialization.

What We Offer

A mission-driven company building software that impacts millions of hourly workers
An opportunity to shape security from the ground up at a growing Series B company
Competitive salary and equity
Comprehensive health coverage (95% employee / 85% dependents)
401(k), pre-tax commuter benefits, and flexible PTO
Learning and development stipend
In-office amenities and stocked kitchen

Salary Range

In compliance with the British Columbia Pay Transparency Act, the base salary range for this role is between $150,000 - $180,000 in Vancouver, Canada. This range is not inclusive of our discretionary bonus or equity package. When determining a candidate’s compensation, we consider a number of factors including skillset, experience, job scope, and current market data.

Know More About Workstream

Additional Information

Workstream provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

We are committed to the full inclusion of all qualified individuals.

Information Security Engineer

TLDR