Information Security Engineer

Grow With Us

We are hiring an Information Security Engineer to be the first dedicated security engineer at Workstream. This is a hands-on, builder-oriented role focused primarily on application and product security, with ownership of our security posture as the company scales.

This role is not about writing policies or running tools in isolation. You will work directly with our product and platform engineers to identify risks, fix vulnerabilities, and build secure-by-default patterns that allow teams to move fast without compromising safety.

This is a full-time, hybrid role requiring presence three days per week in our San Francisco or Menlo Park office.

What You’ll Do

Application & Product Security (Primary Focus)

• Work side-by-side with software engineers to locate, triage, and fix security issues directly in the codebase, including authorization flaws, multi-tenant isolation bugs, sensitive data exposure, and business logic vulnerabilities.
• Review and provide security input on designs, APIs, and changes involving authentication, authorization, and sensitive employee data.
• Threat-model critical (“Tier-1”) APIs and workflows and help teams design safer defaults.
• Build practical guardrails and reference implementations that can be reused across teams.

Security Program & Blue Team Ownership

• Build practical guardrails and reference implementations that can be reused across teams.
• Act as the primary Blue Team owner, coordinating external security testing and responsible disclosure.
• Translate findings into concrete engineering work and drive remediation through to verification.
• Help define and mature incident response processes and participate in real incidents when they occur.
• Establish a clear baseline of Workstream’s security posture and propose a prioritized roadmap for improvement.

Compliance & Privacy (Ownership, Not Busywork)

• Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.
• Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.
• Ensure compliance supports product development rather than slowing it down.

Infrastructure & Corporate Security (Selective Involvement)

• Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.
• Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.
• Ensure compliance supports product development rather than slowing it down.

Who You Are

Required Qualifications

• Strong software engineering background with the ability to read and write production-level code.
• Hands-on experience securing real systems, not just writing policies or reports.
• Comfortable auditing Node.js and Ruby on Rails codebases.
• Experience working in SaaS environments with enterprise customers and sensitive data.
• A pragmatic, collaborative mindset: you believe security should enable innovation, not block it.
• Able to communicate risk clearly to engineers and non-technical stakeholders.

Nice to Have (Not Required)

• Experience owning security end-to-end at a startup or mid-stage company.
• Exposure to bug bounty programs or external security testing.
• Experience with SOC 2 or similar compliance frameworks.
• Familiarity with securing multi-tenant SaaS platforms.
• Be comfortable operating with broad ownership, ambiguity, and limited specialization.

What We Offer

• A mission-driven company building software that impacts millions of hourly workers
• An opportunity to shape security from the ground up at a growing Series B company
• Competitive salary and equity
• Comprehensive health coverage (95% employee / 85% dependents)
• 401(k), pre-tax commuter benefits, and flexible PTO
• Learning and development stipend
• In-office amenities and stocked kitchen

Salary Range

In compliance with the British Columbia Pay Transparency Act, the base salary range for this role is between $150,000 - $180,000 in Vancouver, Canada. This range is not inclusive of our discretionary bonus or equity package. When determining a candidate’s compensation, we consider a number of factors including skillset, experience, job scope, and current market data.