Security Engineer

Role: Security Engineer — Data Security

Function: Security Engineering / Data Security

Location: Bengaluru, India (In-office)

Type: Full-time

Industry: Information Technology & Services, Computer Software, Fintech

About Company

The company is a Bengaluru-based enterprise tech startup founded in 2016. It powers digital identity verification, e-signing, document automation, and payment automation for over 1,500 enterprises and 100 million users across India.

It handles some of the most sensitive data in Indian fintech — Aadhaar, PAN, KYC packets, and executed agreements. The company is certified for security and compliance and is RBI-authorised as a payment aggregator.

With a 90-person team, it is building security infrastructure to match India's growing DPDP regulatory landscape. What gets built here won't just protect the company — it will become the foundation of a data security product for the Indian market.

Position Overview

This is a builder-operator role. You will own the company's data security program end-to-end — covering discovery, classification, access review, breach readiness, and regulator-ready evidence — and build the engineering tooling that makes the program work. You'll operate in an AWS-heavy fintech environment handling DPDP-regulated, Aadhaar-class data, and your work will form the foundation of a data security product the company intends to bring to market.

Role & Responsibilities

• Own and operate the company's data security program: data inventory, classification, access review, third-party data flow mapping, retention/erasure execution, and DPDP 72-hour breach notification readiness
• Build and maintain the data discovery, scanning, and classification engine across AWS (RDS/Aurora, S3, DynamoDB), SaaS tools, and code repositories
• Design and maintain a unified data asset graph — making the company's data posture queryable and auditor-ready in minutes, with evidence
• Build the code-scanning subsystem that maps data flow from application repos: endpoints, models, egress points, and third-party SDK usage
• Implement access-path analysis to surface toxic privilege combinations and validate that actual access matches policy across all data stores
• Wire findings into actionable remediation workflows — tickets, alerts, or automated fixes — not CSV exports
• Run data security incidents: scoping, containment, post-mortem, and regulator communication; exercise breach readiness drills, not just document them

Must Have Criteria

• 7+ years in security engineering, with 4+ years specifically in data security, DSPM, DLP, CASB, database security, or privacy engineering
• Owned a data security program at a real company — incidents had your name on them; not a consulting or advisory role
• Hands-on AWS expertise: IAM identity vs. resource policies, RDS/Aurora, S3 bucket policies, DynamoDB, Object Lambda — designed least-privilege access for production systems
• Strong production coder in Go and Python — writing code regularly in both, with shipped security tooling to show for it
• Built security tooling relied upon by other engineers: a classifier, scanner, policy engine, detection pipeline, access graph, or IR tool — not dashboards
• Practical working knowledge of at least one regulatory regime: DPDP, PCI-DSS, GDPR, or RBI Cybersecurity Master Directions — mechanics, not headlines
• Run a real security incident end-to-end: scoping, containment, post-mortem; can speak to detection coverage, MTTR, and false-positive rates

Nice to Have

• Experience as a builder or integrator at a DSPM/DLP/privacy-engineering vendor: Cyera, BigID, Securiti, Varonis, Privado, Normalyze, Symmetry, or Microsoft Purview
• Deep BFSI or fintech background with hands-on familiarity with UIDAI Aadhaar handling rules, Account Aggregator framework, CKYCR, or RBI circulars
• Internal tooling that became a product or open-source project
• Open-source contributions in security, data engineering, or developer tooling
• Experience designing tooling to run in-tenant in a customer's VPC with minimal egress

What We Offer

• Direct ownership of the company's data security posture — a program you build from the ground up, not inherit from a committee
• A clear product arc: what you build internally becomes the foundation of a data security product for the Indian market
• Close collaboration with engineering leadership and the CISO — your work is visible and consequential
• Based out of the Bengaluru office — work closely with engineering and security leadership in person
• The chance to work on India's most sensitive data infrastructure at a company that takes security seriously as a product, not a checkbox