# Senior Security Engineer
**Location:** Remote Europe
## Overview
Operate UserGems' security and compliance program day-to-day, partnered with the Sr. Director on direction and strategy.
UserGems is an AI platform helping sales and marketing teams double pipeline impact. Our AI agent Gem-E turns signals from CRMs, buying intent, and public data into precise outreach - generating $4B in pipeline and $950M in revenue for customers like CrowdStrike, UserTesting, and SAP LeanIX (15X+ ROI).
UserGems is a ~70-person company with around 25 engineers across Europe and 45 team members in sales and marketing based in the U.S. Several of our customers are top-tier security companies themselves (e.g. CrowdStrike), so our own security posture directly influences how fast revenue can move.
## The Role
You will be UserGems' single dedicated security person, taking over the operational majority of the security work the Sr. Director currently owns. This is a compliance-led role with hands-on operational components - heavy on SOC 2 / ISO ownership, customer security reviews, day-to-day program operations, and Drata-driven remediation in AWS. Compliance is the primary focus and over time you'll own the full technical scope described below as well. The Sr. Director approves direction; you propose, shape, and execute the program. Cadence is a bi-weekly 1:1 with the Sr. Director plus a weekly work discussion, same as every UserGems employee.
UserGems' security program is in great shape - no fires to put out. SOC 2 Type II has been in place for years, all compliance monitoring is centralized in Drata, scanner findings auto-flow into Linear and are auto-triaged by an in-house automation, and CrowdStrike Complete (managed MDR) handles runtime protection. There's no on-call rotation at UserGems - incident response is a whole-team effort, and the Sr. Director continues to cover during your time off.
The Sr. Director currently runs the whole program in roughly 25% of one person's time, so a dedicated owner has real headroom. Expect your time to split roughly 2–3 days per week on baseline operations and the remainder on new initiatives. The biggest near-term programs are ISO 27001 and likely ISO 42001 (AI management) - both held back today because no one has the dedicated capacity to drive them. That's the gap you fill.
## You'll Thrive Here If You:
- Lean strongly into compliance/GRC operations - with enough hands-on AWS comfort to action Drata-flagged remediations independently.
- Want to own operations end-to-end and influence direction - you propose, the Sr. Director approves, you ship.
- Like a startup environment where priorities are clear, ownership is real, and you ship and move on.
## What You'll Do
- **Own SOC 2** - keep Drata green and audits clean.
- **Lead ISO 27001 implementation**, then ISO 42001.
- **Run the customer security questionnaire process** (SafeBase + Trust Center) - fast turnaround directly unblocks revenue.
- **Drata-driven AWS remediation.** Action simple Drata findings directly in AWS yourself - IAM tweaks, S3 settings, secrets hygiene, audit-trail follow-ups. Larger or higher-risk changes go to engineering.
- **Vulnerability management.** Oversee and extend the existing scanner-findings automation in Linear; hit SLAs.
- **Light secure code review.** Spot-check high-risk features and new repositories (especially AI/LLM systems) before they go to production; escalate deeper AppSec questions to engineering and external pen testers.
- **Threat detection & response.** Tune GuardDuty findings, evaluate central logging / SIEM options, run tabletop exercises, mature the IRP from written to rehearsed.
- **Offensive security.** Run the annual external pen test, perform regular internal pen tests yourself, handle external researcher reports and bug bounty payouts.
- **Onboarding & offboarding.** Own access provisioning and revocation.
- **Be the security person at UserGems.** Internally and externally, you are the face of security - questions, escalations, customer security reviews, and audit conversations come to you.
## AI Security & Governance
UserGems is an AI company, and AI risk shows up in nearly every customer security review. A meaningful portion of this role is shaping how a modern, AI-native company secures both its product and its own internal AI usage - not just answering questionnaires about it.
We're already EU AI Act compliant - so you're extending a working baseline, not starting from zero.
You'll own:
- **ISO 42001 readiness from scratch.**
- **Model & data governance** for Gem-E and our self-hosted LLMs on Azure: data residency posture, prompt-injection threat modeling, access controls on training/inference data.
- **Internal AI tooling built by non-engineering teams.** Sales, marketing, and ops are building their own AI-powered internal tools. You'll shape how this scales safely - guardrails, access boundaries, monitoring, and review.
- **AI in our own security stack** - exte
Apply directly on RemoteJobs.org: https://remotejobs.org/remote-jobs/senior-security-engineer-usergems-