Senior Security Engineer, Governance, Risk and Compliance (London)

We are making travel effortless. Join us. Whether it's to visit the people closest to us, starting an exciting adventure, or a career-defining business trip, travel is an essential part of our lives. Yet we've all experienced the aches and pains of getting to our destination. Today, more than 4 billion airline passengers rely on technology that hasn't kept up with the expectations of the modern connected traveller. That's why we've started to rebuild the infrastructure that underpins the travel industry. We're on a mission to unravel travel: simplifying systems and building the tools that will make the future of travel effortless. We were part of Y Combinator S18's cohort and we are backed by Benchmark, Blossom, Index Ventures and Kima Ventures, a fantastic set of investors that has helped build some of the world's largest companies.

About Foundations at Duffel

The Foundations team is responsible for the reliability, performance, resilience, and security of Duffel's infrastructure and applications. We work closely with engineering teams across the company to meet the demands of our platform as we scale globally.

About the Role

As a Senior Security Engineer on the Foundations team, you will bridge the gap between rigorous compliance standards and modern cloud engineering. You won't just write policies; you will architect the systems that enforce them. You will play a pivotal role in maturing Duffel's security posture, leading our transition into SOC 2 Type I and II certification while maintaining our PCI DSS compliance.
What You'll Do
Compliance & Governance
- Take ownership of Duffel’s PCI program (the next assessment will be in June 2026) and lead the end-to-end implementation of our inaugural SOC 2 Type I and Type II certifications.
- Drive compliance initiatives end-to-end: scoping, control design, implementation, evidence collection, and QSA engagement
- Develop and execute internal audit programmes; respond to external audits and customer due diligence requests
- Manage vendor security assessments and continuously improve our third-party risk processes

Security Engineering
- Design and implement technical security controls, working directly in our infrastructure and codebase
- Partner with Engineering and Product to build data governance capabilities: data classification, access controls, audit logging, de-identification, and lifecycle management
- Contribute to our vulnerability management and incident response programmes
- Evaluate and secure vendor solutions from a technical perspective

Culture & Collaboration
- Shape Duffel's security policies and standards—we want your opinions on what good looks like
- Contribute to our security awareness programme and help build a strong security culture
- Partner with Legal to ensure security practices align with regulatory requirements, particularly around data privacy

What We're Looking For
- Proven experience leading or significantly contributing to SOC 2 (Type I or II) and PCI DSS audits. You know what auditors look for and how to speak their language.
- You have a software/infrastructure engineering background but have pivoted into the GRC space (or vice versa). You are comfortable reading code *and* regulatory standards.
- Track record of designing and implementing security controls, not just documenting them
- Solid understanding of risk management frameworks and how to apply them pragmatically
- Ability to make trade-offs between security ideals and business realities
- Clear communication skills: you can explain technical risks to non-technical stakeholders and translate compliance requirements into engineering work
- Collaborative approach: strong opinions, loosely held

Bonus Points
- Experience in travel technology, e.g. airline, hotel, or car rental distribution systems, travel payments.

What you can expect from us

We’re dedicated to your personal growth. Our environment is comfortable physically, but also in that our ears are always open to any ideas, concerns and questions. We believe that everyone should have pride in their work, taking full ownership of it and its impact. That’s why everyone who joins Duffel owns a share of the company.

We are an equal opportunities employer. We believe that the key to our success is employing a diverse team, that’s why recruitment decisions are only based on your experience and skills. We value your ability to problem solve and build amazing things so we welcome applications for everyone – regardless of age, sex, disability, sexual orientation, race, religion or belief.

Note to recruitment agencies

Duffel does not accept speculative CVs from external parties. Any unsolicited CVs sent to us will be treated as property of Duffel, and any attached terms and conditions associated with these CVs will be null and void.

We offer the most powerful and intuitive tools for starting and growing a travel business. With Duffel, you can search, book and manage flights across more than 20 airlines through one platform.
