**About the role**
Our Company: Stellar One is on a mission to change how ERP software and
services are delivered to the Small and Midsize Business market. We are out to
disrupt the market and provide our customers with the fastest, most accurate,
cost-effective ERP solutions. To do this, we need outstanding individuals who
can deliver fast, creative, outstanding solutions while working closely with
business owners and executives to achieve their goals.
Stellar One, Inc. is looking for people who fit our core values:
· Maintain a Stellar Reputation
· Act with Integrity and Courage
· Be Adaptable
· Be Collaborative
· Be Nice people
We’re hiring a Security & Infrastructure Engineer with a single focus: making
sure our platform is secure, reliable, and ready to scale. Let’s be clear
about what this is: a hands-on individual contributor role, not a management
position. You won’t be hiring a team or delegating the work. You’ll be the one
doing the building. While the rest of the team ships functionality, you
design, implement, and operate the foundation underneath it: the threat model,
the compliance program, the infrastructure decisions, and the targets we hold
ourselves to.
You’ll work with the stack and agentic tooling we already have in place. One
of your first mandates: tell us, honestly and with data, whether that stack
can carry what we’re building, and what must change if it can’t.
**What you’ll do**
Everything below is yours to build and run, hands on the keyboard, not hands
on a roadmap someone else executes:
* Own the threat model. Build and maintain the threat model for our platform, including our AI agents and agentic workflows. Prompt injection, tool permission scoping, and data exfiltration paths are in scope, not an afterthought. Run security reviews on new functionality before it ships.
* Own compliance and audit readiness. Take us through SOC 2 (Type I, then Type II), from selecting a compliance automation platform to defining controls, gathering evidence, and managing the audit itself. Own our US privacy obligations (CCPA/CPRA, the Texas Data Privacy and Security Act, and the growing list of state laws) and answer member security questionnaires.
* Scope and manage payments compliance. Our products will touch payments. You’ll own PCI DSS scoping with our payment processor and keep us on the right side of it as the platform grows. You’ll also run vendor security reviews for third-party integrations, such as payroll.
* Design multi-tenancy and data isolation. Architect and enforce tenant isolation across the platform: row-level security in Supabase, encryption at rest and in transit, secrets and key management, and data retention and deletion policies that hold up under audit.
* Assess and own infrastructure scalability. Evaluate whether our current platform can support what we’re building, set capacity plans, and recommend changes with clear trade-offs. Own uptime, observability, and recoverability across local, test, and production environments.
* Stand up incident response and resilience. Much of this hasn’t been decided, and you’ll define it. Establish our incident response process, set and own recovery targets (RTO/RPO), implement and test backup and restore, and build our disaster recovery and business continuity plans.
* Run vulnerability management as a program. Dependency and patch management, continuous scanning built on our agentic automations, an external penetration testing cadence, remediation SLAs, and responsible disclosure, all owned end-to-end, not as one-off fixes.
* Build enterprise-grade identity. Design role-based access control, audit logging, and single sign-on (SAML/OIDC) with automated user provisioning (SCIM), so our members’ IT teams can manage access on their own terms.
* Raise the bar across the team. Set secure development standards, automate the checks, and make security something the whole team, not something they hand off to you.
**What we’re looking for**
* 5+ years securing and operating production SaaS, ideally multi-tenant systems handling financial or similarly sensitive data.
* A builder’s bias: you’d rather implement the control, write the automation, and configure the infrastructure yourself than produce a slide deck recommending that someone else do it. If your last few roles were primarily managing people or vendors, this probably isn’t the right fit.
* Hands-on experience taking a company through SOC 2. You’ve owned controls and lived through an audit, not just read about one.
* Working knowledge of PCI DSS scoping and payment processor integrations.
* Strong infrastructure judgment on managed and serverless platforms (Vercel, Supabase, or comparable) and the ability to assess scalability honestly, with data, even when the answer is inconvenient.
* Fluency in incident response, disaster recovery, and reliability targets (RTO/RPO, SLOs), and the drive to establish them where none exist yet.
* Comfort in TypeScript codebases and with agentic coding tools (Cursor, Codex, Claude Code). You’ll automate security work, not just document it.
* Clear communication: you can explain risk and trade-offs to leadership and members without the jargon.
**Tech stack**
You’ll secure and operate a platform built on:
* Next.js, Nitro, and TypeScript: application and backend layers
* Supabase: database, auth, and backend data services (row-level security lives here)
* Vercel: CI/CD and environment management
* Sentry: error monitoring and observability
* WDK (Workflow Development Kit) and AI tooling: AI gateways, OpenRouter, and the Cursor SDK power our agentic workflows; Cursor Automation drives security scans and automated fixes
* Playwright: end-to-end testing, alongside our unit and integration suites
We care more about how you think across these layers than about checking every
box on day one. Part of your job is to question this stack, and we want you
to.