
Information Security Engineer

Workstream, San Francisco, CA

$180,000 - $220,000 / year


Overview

Schedule: Full-time
Career level: Senior-level
Remote: Hybrid remote
Compensation: $180,000-$220,000/year
Benefits: Health Insurance, Flexible/Unlimited PTO, Career Development

Job Description

Workstream is a mission-driven company building the all-in-one HR, payroll, and hiring platform for managing the hourly workforce. There are 2.7 billion hourly workers, making up 80% of the global workforce, but this market has been heavily underserved by technology and deserves better. Workstream has been purpose-built for the hourly workforce from day one so that these businesses and their employees can thrive.

Our customers include leading brands from multiple sectors, including Burger King, Carl's Jr./Hardee's, IHOP, KFC, and Culver's. We are a high-growth Series B company and are quickly expanding our product portfolio to deliver on our vision. We are backed by legendary VCs and industry experts like Founders Fund, BOND, and Coatue.

Grow With Us

We are hiring an Information Security Engineer to be the first dedicated security engineer at Workstream. This is a hands-on, builder-oriented role focused primarily on application and product security, with ownership of our security posture as the company scales.

This role is not about writing policies or running tools in isolation. You will work directly with our product and platform engineers to identify risks, fix vulnerabilities, and build secure-by-default patterns that allow teams to move fast without compromising safety.

This is a full-time, hybrid role requiring presence three days per week in our San Francisco or Menlo Park office.

What You'll Do

Application & Product Security (Primary Focus)

  • Work side-by-side with software engineers to locate, triage, and fix security issues directly in the codebase, including authorization flaws, multi-tenant isolation bugs, sensitive data exposure, and business logic vulnerabilities.

  • Review and provide security input on designs, APIs, and changes involving authentication, authorization, and sensitive employee data.

  • Threat-model critical ("Tier-1") APIs and workflows and help teams design safer defaults.

  • Build practical guardrails and reference implementations that can be reused across teams.

Security Program & Blue Team Ownership

  • Act as the primary Blue Team owner, coordinating external security testing and responsible disclosure.

  • Translate findings into concrete engineering work and drive remediation through to verification.

  • Help define and mature incident response processes and participate in real incidents when they occur.

  • Establish a clear baseline of Workstream's security posture and propose a prioritized roadmap for improvement.

Compliance & Privacy (Ownership, Not Busywork)

  • Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.

  • Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.

  • Ensure compliance supports product development rather than slowing it down.

Infrastructure & Corporate Security (Selective Involvement)

  • Collaborate with DevOps and IT partners on infrastructure and corporate security where needed.

  • Provide security guidance on access controls, logging, and monitoring, without owning day-to-day infrastructure operations.

  • As Workstream expands its use of AI-powered features, you'll help ensure these integrations follow the same secure-by-default principles as the rest of the platform.

Who You Are

Required Qualifications

  • Strong software engineering background with the ability to read and write production-level code.

  • Hands-on experience securing real systems, not just writing policies or reports.

  • Comfortable auditing Node.js and Ruby on Rails codebases.

  • Experience working in SaaS environments with enterprise customers and sensitive data.

  • A pragmatic, collaborative mindset: you believe security should enable innovation, not block it.

  • Able to communicate risk clearly to engineers and non-technical stakeholders.

Nice to Have (Not Required)

  • Experience owning security end-to-end at a startup or mid-stage company.

  • Exposure to bug bounty programs or external security testing.

  • Experience with SOC 2 or similar compliance frameworks.

  • Familiarity with securing multi-tenant SaaS platforms.

  • Comfort operating with broad ownership, ambiguity, and limited specialization.

What We Offer

  • A mission-driven company building software that impacts millions of hourly workers

  • An opportunity to shape security from the ground up at a growing Series B company

  • Competitive salary and equity

  • Comprehensive health coverage (95% employee / 85% dependents)

  • 401(k), pre-tax commuter benefits, and flexible PTO

  • Learning and development stipend

  • In-office amenities and stocked kitchen

Salary Range

In compliance with the California Pay Transparency Law, the base salary range for this role is $180,000 - $220,000 in San Francisco, not including bonus or equity. Compensation is based on experience, scope, and market data.

Know More About Workstream

  • https://www.workstream.us/blog/funding-series-b
  • https://techcrunch.com/2021/08/26/workstreams-text-based-recruitment-tool-gets-a-48m-bet-from-bond-and-beyond/
  • https://techbuzz.news/buzzworthy-august-27-2021/

Additional Information

Workstream provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

We are committed to the full inclusion of all qualified individuals.


FAQs About Information Security Engineer Jobs at Workstream

What is the work location for this position at Workstream?
This job at Workstream is located in San Francisco, CA, according to the details provided by the employer. Some roles may also include multiple work locations depending on the requirement.
What pay range can candidates expect for this role at Workstream?
Candidates can expect a pay range between $180,000 and $220,000 per year.
What employment type applies to this position at Workstream?
Workstream lists this role as a Full-time position.
What experience level is required for this role at Workstream?
Workstream is looking for a candidate with "Senior-level" experience.