Information Security Engineer

Workstream is a mission-driven company building the all-in-one HR, payroll, and hiring platform for managing the hourly workforce. There are 2.7 billion hourly workers, making up 80% of the global workforce, but this market has been heavily underserved by technology and deserves better. Workstream has been purpose-built for the hourly workforce from day one so that these businesses and their employees can thrive. Our customers include leading brands from multiple sectors, including Burger King, Carl's Jr./Hardee's, IHOP, KFC, and Culvers. We are a high growth series B company and quickly expanding our product portfolio to deliver on our vision. We are backed by legendary VCs and industry experts like Founders Fund, BOND, and Coatue. Grow With Us We are hiring an Information Security Engineer to be the first dedicated security engineer at Workstream. This is a hands-on, builder-oriented role focused primarily on application and product security , with ownership of our security posture as the company scales. This role is not about writing policies or running tools in isolation. You will work directly with our product and platform engineers to identify risks, fix vulnerabilities, and build secure-by-default patterns that allow teams to move fast without compromising safety. This is a full-time, hybrid role requiring presence three days per week in our San Francisco or Menlo Park office. What You’ll Do Application Product Security (Primary Focus) Work side-by-side with software engineers to locate, triage, and fix security issues directly in the codebase, including authorization flaws, multi-tenant isolation bugs, sensitive data exposure, and business logic vulnerabilities. Review and provide security input on designs, APIs, and changes involving authentication, authorization, and sensitive employee data. Threat-model critical (“Tier-1”) APIs and workflows and help teams design safer defaults. Build practical guardrails and reference implementations that can be reused across teams. Security Program Blue Team Ownership Act as the primary Blue Team owner, coordinating external security testing and responsible disclosure. Translate findings into concrete engineering work and drive remediation through to verification. Help define and mature incident response processes and participate in real incidents when they occur. Establish a clear baseline of Workstream’s security posture and propose a prioritized roadmap for improvement. Compliance Privacy (Ownership, Not Busywork) Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive. Partner with engineering and legal teams on privacy-related workflows, including data access and deletion. Ensure compliance supports product development rather than slowing it down. Infrastructure Corporate Security (Selective Involvement) Collaborate with DevOps and IT partners on infrastructure and corporate security where needed. Provide security guidance on access controls, logging, and monitoring, without owning day-to-day infrastructure operations. As Workstream expands its use of AI-powered features, you’ll help ensure these integrations follow the same secure-by-default principles as the rest of the platform. Who You Are Required Qualifications Strong software engineering background with the ability to read and write production-level code. Hands-on experience securing real systems, not just writing policies or reports. Comfortable auditing Node.js and Ruby on Rails codebases. Experience working in SaaS environments with enterprise customers and sensitive data. A pragmatic, collaborative mindset: you believe security should enable innovation, not block it. Able to communicate risk clearly to engineers and non-technical stakeholders. Nice to Have (Not Required) Experience owning security end-to-end at a startup or mid-stage company. Exposure to bug bounty programs or external security testing. Experience with SOC 2 or simi ... (truncated, view full listing at source)