The Opportunity
We're looking for a Security & Compliance Lead to own security and compliance across Pydantic, with a particular focus on Pydantic Logfire, our observability platform built for the AI engineering era. Logfire increasingly serves regulated customers, and passing their security reviews is now part of how we win and keep enterprise deals. This is our first dedicated hire in the domain: you'll own both the technical security posture and the compliance program, rather than inheriting an existing team or playbook.
At heart this is a platform / DevOps role with deep security and compliance responsibility. The best person for it is an engineer who has operated cloud infrastructure and Kubernetes in production and wants to own the security and compliance program around it — not a checkbox-compliance administrator. Your instinct should be to automate and guide: encode security into cloud provider policies, guardrails, and self-service infrastructure so autonomous teams move fast and safely, rather than routing every decision through you. You'll define the what — policy and best practice — and, more importantly, build the paved paths that make the secure way the easy way.
This role might appeal to you if you have experience in roles such as:
- DevOps, Platform, or SRE engineer who has taken ownership of security and compliance
- Security Engineer with a strong infrastructure/platform background
- Infrastructure engineer who has run SOC 2 or similar audits end to end
- Security consultant or auditor who wants to build and automate, not just assess
You are interested in getting in early at a company with genuine product-market fit. Pydantic Validation is downloaded 500M+ times a month, Pydantic AI is the fastest-growing agent framework, and Logfire is the observability platform the AI engineering ecosystem is converging on. The surface area is broad, and the leverage for someone who can make security a competitive advantage rather than a bottleneck is enormous.
Mission: Why This Role Exists
Your goal is to make security and compliance an asset that wins and retains regulated customers — by automating and guiding rather than gatekeeping, so that autonomous teams can build with confidence, scale without manual bottlenecks, and deals are never blocked on a security review we can't answer.
1. Own the Compliance Program
- Run SOC 2 Type II end to end: scoping, control design, evidence collection, and the auditor relationship
- Own our GDPR and HIPAA (and adjacent regulated) obligations: data protection, DPAs, and sub-processor management
- Be the single point of contact for customer security questionnaires and due diligence, and turn them around fast
- Keep policies current and actually followed, not shelfware written once and forgotten
2. Own the Technical Security Posture
- Threat-model our infrastructure and drive hardening across our cloud and Kubernetes footprint
- Review cluster configuration, network policy, secrets management, and IAM for least privilege
- Own vulnerability management, dependency and supply-chain security, and our incident response process
- Field enterprise customers' nuanced technical security questions with credibility — the ones that close, or block, deals
3. Automate and Guide, Don't Gatekeep
- Set up cloud provider policies, guardrails, and self-service infrastructure that let autonomous teams move fast and scale without creating manual bottlenecks
- Build the paved paths and automation that make the secure default the easy default — secure baselines, policy-as-code, and CI checks rather than manual sign-off
- Define the policies and best practices (the what) and guide engineering on implementation (the how), so security is a shared, self-service capability rather than one person's queue
- Right-size controls: enough to satisfy auditors and customers, not so much that you slow the team down
4. Handle Incidents and Reporting
- Own the incident response runbook and coordinate response when something happens
- Provide clear security reporting to leadership, and to customers where required
5. Build the Function
- We're early. There is no security team to inherit and no template library. You'll write the policies, choose what to build versus buy, and set up the tooling and automation that lets security scale without headcount.
- Your judgment on what's worth automating — and what's security theater — shapes how we scale.
Who You Are
- A platform / DevOps engineer at heart. You've operated cloud infrastructure and Kubernetes in production — writing Terraform, Helm, and CI pipelines — not just auditing them. You can hold your own in a design review with senior engineers and you reach for automation before manual process.
- An automator, not a gatekeeper. Your instinct is to encode security into cloud provider policies, guardrails, and self-service infrastructure so teams move fast and safely. You'd rather build a paved path than sit in an approval queue.
- Ready to take ownership. You want to own this end to end — the technical posture and the compliance program — and build the function from scratch. You bring structure and drive without waiting to be told what to do.
- A proven compliance operator. You've run SOC 2 (ideally Type II) end to end, and you know your way around GDPR and at least one regulated regime such as HIPAA. You can turn an intimidating customer questionnaire into a fast, confident yes.
- Pragmatic. You right-size controls, you're allergic to security theater, and you treat compliance as an enabler of revenue rather than a paperwork tax.
- A strong writer and communicator. Most of our work is async and remote. You write clear policies, crisp questionnaire responses, and can explain a control to an auditor and an engineer in the same afternoon.
- Comfortable with early-stage ambiguity. We're ~25 people with no existing security function. You bring structure and automation without bureaucracy.
- Bonus: observability, DevTools, or AI infra background. Familiarity with the space helps you ramp faster and engage customers sooner.
Nice to have (not required): Security certifications such as CISSP, CISM, or ISO 27001 Lead Auditor. We value them, but demonstrated hands-on experience matters more.
What Success Looks Like
- Month 1–2: You've mapped our current security posture and compliance state, and questionnaire turnaround is already faster and more consistent.
- Quarter 1: SOC 2 Type II is on a clear, credible track (or maintained without drama), and a prioritized hardening roadmap — with the first self-service guardrails in place — is underway.
- Quarter 2+: Security reviews have stopped being a deal blocker, secure defaults and automation let teams self-serve, and engineers see security as a paved path rather than a gate.
Non-Technical Requirements
- Required: Live and work in a timezone between PT (UTC-8) and CET (UTC+1)
- Required: Able to travel to EU, UK, and US up to 4 times a year to join our off-sites
- Required: Fluent in English
About Us
Pydantic Validation is the data validation library that powers modern Python development - 500 million downloads per month, used by virtually every tech company you've heard of. Why? Because we obsess over developer experience and write code we'd actually want to use ourselves.
We're applying that same engineering mindset to Pydantic Logfire, our observability platform with first class support for AI engineering, built for today's development reality: AI workloads, multi-language environments, and cloud infrastructure that's designed to be straightforward to set up and maintain.
We build with technologies developers actually want to work with:
- OpenTelemetry for standardized instrumentation
- SQL for intuitive querying (no proprietary query language to learn)
- Rust, Python, and TypeScript for performance and productivity
- Postgres, DataFusion, and object storage for scalable backends
Unlike other companies that pay lip service to open source, we commit over 20% of our engineering team to maintaining and expanding our open source ecosystem. This includes the core Pydantic Validation library and Pydantic AI - our rapidly growing framework that's becoming the standard for AI application development. We're signatories of the open source pledge and build on open standards because we believe in interoperability, not lock-in. Use our OpenTelemetry-based SDK with any compatible backend - we're confident you'll choose us on merit.
We're backed by Sequoia Capital and run a fully remote team across multiple time zones (with regular in-person offsites - next one is June 2026 in London).
Join our team of exceptional engineers who value substance over hype, practical approaches over perfectionism, and meaningful progress over busyness. We've built a culture that balances technical ambition with sustainable practices—minimal meetings and respect for your expertise and time. We're creating tools that genuinely improve developers' lives, and we're looking for thoughtful contributors who share our commitment to quality and our passion for elegant solutions.
Perks & Benefits
- 💰 Compensation: Competitive salary and stock options
- 🌍 Truly Remote: Work from anywhere within our timezone range - no office requirements
- 🌐 Global & Diverse: Join a multi-cultural team of 8+ nationalities
- 💪 Impact: Direct influence on tools used by millions of developers worldwide
- 🎯 Focus on Growth: Regular opportunities for learning and professional development
- 🤝 Team Gatherings: Connect with the team at our regular international off-sites
- 🏥 Healthcare: Comprehensive health coverage for you and your dependents
- 🎮 Flexible Hours: Work when you're most productive
- 💻 Equipment: Budget for your home office setup
- ⚖️ Work-Life Balance: flexible working hours and 33 days PTO no matter where you live (including public holidays, which you can choose to take or not)
Apply
To apply, email careers@pydantic.dev with the job title in the subject line. We'd also appreciate a few lines explaining why you think you'd be a good fit for the role and what you've done in the past that evidences that.
No recruiters or agencies please. Unsolicited recruiters will be marked as spam.
To make your application stand out, please share something you've owned end to end — a SOC 2 you drove, guardrails or self-service infrastructure you built that let teams move faster and safer, or a hands-on security problem you solved in production.
Explore Logfire.
Explore our open source packages