Usergems

Senior Security Engineer

1mo ago
WorldwideSeniorRemote
Usergems

Senior Security Engineer

1mo ago
WorldwideSeniorRemotesoc 2iso

Senior Security Engineer role focusing on operating security and compliance programs with hands-on SOC 2 / ISO ownership at UserGems, an AI platform for sales and marketing.

Responsibilities

  • You will be UserGems' single dedicated security person , taking over the operational majority of the security work the Sr. Director currently owns. This is a compliance-led role with hands-on operational components - heavy on SOC 2 / ISO ownership, customer security reviews, day-to-day program operations, and Drata-driven remediation in AWS. Compliance is the primary focus and over time you'll own the full technical scope described below as well. The Sr. Director approves direction; you propose, shape, and execute the program. Cadence is a bi-weekly 1:1 with the Sr. Director plus a weekly work discussion, same as every UserGems employee.
  • UserGems' security program is in great shape - no fires to put out. SOC 2 Type II is in place for years already, all compliance monitoring is centralized in Drata , scanner findings auto-flow into Linear and are auto-triaged by an in-house automation, and CrowdStrike Complete (managed MDR) handles runtime protection. There's no on-call rotation at UserGems - incident response is a whole-team effort, and the Sr. Director continues to cover during your time off.
  • The Sr. Director currently runs the whole program in roughly 25% of one person's time, so a dedicated owner has real headroom. Expect your time to split roughly 2–3 days per week on baseline operations and the remainder on new initiatives . The biggest near-term programs are ISO 27001 and likely ISO 42001 (AI management) - both held back today because no one has the dedicated capacity to drive them. That's the gap you fill.
  • Own SOC 2 - keep Drata green and audits clean.
  • Lead ISO 27001 implementation , then ISO 42001.
  • Run the customer security questionnaire process (SafeBase + Trust Center) - fast turnaround directly unblocks revenue.
  • Drata-driven AWS remediation. Action simple Drata findings directly in AWS yourself - IAM tweaks, S3 settings, secrets hygiene, audit-trail follow-ups. Larger or higher-risk changes go to engineering.
  • Vulnerability management. Oversee and extend the existing scanner-findings automation in Linear; hit SLAs.
  • Light secure code review. Spot-check high-risk features and new repositories (especially AI/LLM systems) before they go to production; escalate deeper AppSec questions to engineering and external pen testers.
  • Threat detection & response. Tune GuardDuty findings, evaluate central logging / SIEM options, run tabletop exercises, mature the IRP from written to rehearsed.
  • Offensive security. Run the annual external pen test, perform regular internal pen tests yourself, handle external researcher reports and bug bounty payouts.
  • Onboarding & offboarding. Own access provisioning and revocation.
  • Be the security person at UserGems. Internally and externally, you are the face of security - questions, escalations, customer security reviews, and audit conversations come to you.

Nice to have

  • Solid grasp of attacker techniques and modern application security (web/API, cloud, supply chain).
  • Hands-on secure code review experience, including AI/LLM systems.
  • Comfort tuning detection (GuardDuty / SIEM) and running incident response.
  • ISO 27001 Lead Implementer or Lead Auditor experience.
  • ISO 42001 / AI governance familiarity.
  • Hands-on Kubernetes / container security.
  • Light coding ability (Java preferred) - our security automation lives in code, and you'll extend it.
  • Experience with auditing LLM security

Other

  • UserGems is the AI command center for go-to-market teams (think of it as an AI brain for sales and marketing). Powered by best-in-class contact data, its AI agents (Gem-E) automatically surface high-intent buyers, prioritize them, deploy personalized outbound, create ad audiences and ABM to drive more pipeline.
  • We’re backed by top Silicon Valley VCs (Craft Ventures, Uncork Capital, Battery Ventures, Tiger Global, and more) and have hundreds of happy customers from startups to public enterprises.
  • Operate UserGems' security and compliance program day-to-day, partnered with the Sr. Director on direction and strategy.
  • UserGems is an AI platform helping sales and marketing teams double pipeline impact. Our AI agent Gem-E turns signals from CRMs, buying intent, and public data into precise outreach - generating $4B in pipeline and $950M in revenue for customers like CrowdStrike, UserTesting, and SAP LeanIX (15X+ ROI).
  • UserGems is a ~70-person company with around 25 engineers across Europe and 45 team members in sales and marketing based in the U.S. Several of our customers are top-tier security companies themselves (e.g. CrowdStrike), so our own security posture directly influences how fast revenue can move.
  • Lean strongly into compliance/GRC operations - with enough hands-on AWS comfort to action Drata-flagged remediations independently.
  • Want to own operations end-to-end and influence direction - you propose, the Sr. Director approves, you ship.
  • Like a startup environment where priorities are clear, ownership is real, and you ship and move on.
  • UserGems is an AI company, and AI risk shows up in nearly every customer security review. A meaningful portion of this role is shaping how a modern, AI-native company secures both its product and its own internal AI usage - not just answering questionnaires about it.
  • We're already EU AI Act compliant - so you're extending a working baseline, not starting from zero.
  • You'll own:
  • ISO 42001 readiness from scratch.
  • Model & data governance for Gem-E and our self-hosted LLMs on Azure: data residency posture, prompt-injection threat modeling, access controls on training/inference data.
  • Internal AI tooling built by non-engineering teams. Sales, marketing, and ops are building their own AI-powered internal tools. You'll shape how this scales safely - guardrails, access boundaries, monitoring, and review.
  • AI in our own security stack - extending our in-house Linear/scanner automations, AI-assisted questionnaire workflows, and security review of AI-generated code.
  • Customer-facing AI security narrative - shaping the answers, Trust Center statements, and policies that prospects' security teams will scrutinize.
  • Cloud: AWS (primary), some Azure (self-hosted LLMs)
  • Compliance / GRC: Drata, SafeBase (Trust Center), Linear
  • Detection / Endpoint: AWS GuardDuty, CrowdStrike Complete (managed MDR)
  • Scanners feeding Linear: GitHub, AWS Inspector, ZAP
  • Infra (owned by engineering): Terraform, Kubernetes, Docker, GitHub
  • You have personally owned a SOC 2 or ISO audit end-to-end - as the operational owner accountable to the auditor, not "on the team" - and delivered a zero-exception report . If you can't honestly say "yes" to this, please don't apply.
  • Working AWS knowledge - you can navigate the AWS console, action Drata-flagged remediations yourself (IAM, S3, KMS, audit trails), and read CloudTrail when investigating an alert. You do not need to be a cloud-infrastructure engineer.
  • Can understand Terraform with AI help - fluency isn't required. What matters is that you can drive AI to explain a diff, follow it critically, and catch when AI is wrong about IaC. Engineering owns infrastructure authorship.
  • High ownership and accountability - you ship audits, questionnaires, and policy work without a project manager keeping you on track.
  • Excellent written English - questionnaires, Trust Center, and policies are customer-facing.
  • Comfortable with async collaboration across Europe and the U.S. Most US work is async, but some late-afternoon CET availability helps - around once a week, same-day US input turns a multi-day back-and-forth into a 10-minute conversation.
  • We're a lean team where everyone owns their work end-to-end. We trust people to manage their own time, and we expect real output plus the basic async hygiene that makes it work: flag blockers early, surface progress, don't go dark.
  • This is a high-commitment role, not a standard 9-to-5. If you're looking to coast, this isn't the right fit.
  • Target annual compensation range for the role is €80k €100k .Final seniority leveling and compensation package will be determined based on commensurate experience, qualifications, and demonstrated ability to perform in the senior level role.
  •  
  • You’ll be part of a fast-growing startup as it scales from 60 employees to 100+
  • Customers love us! (see our Customers page and G2 Reviews ). They see ROI in Closed Won revenue generated
  • Employees love us! (see our Glassdoor & RepVue page) 
  • We're a remote-first company with employees across the Americas and Europe
  • We have weekly standups, virtual happy hours, and in-person off-sites around the world so that everyone stays connected
  • We are customer-focused and data-driven in everything we do
  • We value individual differences in the workforce and strive to make everyone feel welcomed and accepted, regardless of their skin color, gender, or sexual orientation
  • We offer a competitive salary and benefits