Infrastructure & Security Engineer
Location: Calgary, AB | Department: Engineering | Level: Senior to Staff | Start: Immediately
About Purelend
Purelend is an early-stage company operating at the frontier of FinTech and AI. Our platform handles some of the most sensitive data in a person's life (SINs, bank statements, T4s, NOAs, mortgage applications) on behalf of brokers, lenders, and regulated financial institutions across Canada.
Our customers trust us with that data because we've taken the work seriously from day one: infrastructure as code on Terraform, encryption in transit and at rest, strong identity controls, a security program that holds up in vendor due diligence. As the pipeline of institutional deals grows, we're investing in senior leadership for this discipline so we can keep raising the bar.
Our AI Stance
We're all in on AI, and not just in the product. Engineering, infrastructure, design, customer support, sales: every function here uses the best AI tooling we can find to maximize quality and throughput on a small team. We're looking for someone who wants to help us push that bet further inside platform and security work too, not someone who's skeptical of it.
The Role
We're hiring a senior or staff-level engineer to drive infrastructure and security as a single, coupled discipline, working closely with the CTO. Together you'll shape how we run our services, how we protect customer data, how we prove that protection to lenders and auditors, and how we keep the rest of the team moving fast without compromising any of it.
This isn't a paper-pushing security role and it isn't a pure SRE role. We need someone who writes code, builds platforms other engineers love using, and treats security as something you engineer rather than something you document.
What You'll Actually Do
Cloud Infrastructure
You'll drive how we deploy, scale, and operate every service we ship. We're already on Terraform with a real codebase you'll extend and harden, raising the bar on modules, review, and drift detection, and keeping deploys boring: safe by default, fast to roll forward, fast to roll back.
Data Protection
The data we hold matters. You'll drive our encryption posture, key management, secret rotation, tokenization for the most sensitive fields, and the auditability that comes with all of it. When a lender asks “how do you protect a SIN from the moment it enters your system,” you'll be able to answer with a diagram, not a marketing slide.
Identity, Access, and Authorization
You'll drive how humans and services get access to data and systems: SSO, MFA enforcement, RBAC and ABAC inside the product, least-privilege everywhere, and a clean answer to the question “who saw what, when” for any record in the system.
Compliance and Control Hygiene
Our customers are regulated Canadian financial institutions, including federally regulated Schedule I banks, and we operate accordingly. SOC 2, PIPEDA, vendor risk questionnaires, and lender-specific controls are part of every enterprise deal, and we run the program in a manner consistent with OSFI's expectations of third-party technology providers — specifically Guideline B-13 (Technology and Cyber Risk Management) and Guideline B-10 (Third-Party Risk Management).
We're inside our SOC 2 audit window, running the program on Vanta. You'll drive it from here: carrying us through the audit, maturing the program afterwards, and making sure the controls map to real engineering practices so the evidence is a byproduct of how we already work.
Threat Modeling and AppSec
You'll work alongside the product engineers on threat models for new features, especially anything touching AI, third-party integrations, or customer data exports. You'll drive the guardrails: SAST and dependency scanning calibrated to be useful rather than noisy, secrets scanning, dependency review, and a sane vulnerability response process for when something does surface.
Observability and Incident Response
You'll drive our logging, tracing, and alerting, keeping it useful for the on-call engineer instead of noisy enough to be ignored. You'll run the postmortem when something does go wrong, and make sure the same mistake isn't possible twice.
Detection and Response
You'll drive the detection capability that catches suspicious activity inside the product (anomalous data exports, credential stuffing attempts, lateral movement) and the runbooks the team uses when something fires.
What You Bring
- 7–12 years of experience across infrastructure, platform, or security engineering. You've been the senior or staff engineer accountable for the production environment of a real product. Bonus if some of that experience was at a fintech, payments company, health tech company, or any business where one mistake on the security side ends the business.
- Deep cloud experience on AWS, GCP, or Azure. You can argue why you'd pick one over another for a specific workload, and you've been on the hook for the bill at the end of the month.
- Terraform discipline. You've owned a real Terraform codebase in production. You believe modules, reviews, and drift detection matter, and you can prove it with what you've built.
- Modern container and orchestration experience. Kubernetes, ECS, Cloud Run, Fly, or similar. Pragmatic over religious.
- Hands-on AppSec. You've done threat modeling on real features, not just read about STRIDE. You've responded to a CVE that actually mattered. You know what good dependency hygiene looks like.
- Compliance experience. You've been through at least one SOC 2 audit (ideally Type 2) as the technical owner, not just an observer. Hands-on with Vanta (or a comparable platform) is a plus. Bonus for ISO 27001, PCI DSS, or experience answering enterprise vendor risk assessments.
- You write code. TypeScript, Go, Python, or whatever the right tool is. You're comfortable shipping a CLI, a control plane service, or a Lambda that does real work. Security tooling you can't modify isn't enough.
- Calm under incident pressure. You've been the IC on at least one serious incident and walked out the other side with a clear postmortem, not a shouting match.
- Strong written communication. Your infrastructure docs, threat models, and incident reports are the artifacts other people use to do their jobs. They need to be good.
- An AI-first mindset for your own work. You use the best AI tooling available to compound your output: coding agents for IaC and platform code, log triage and incident analysis, policy and runbook generation, code review. You see AI as a force multiplier on a small platform team, not a risk to be managed away.
What We're Not Looking For
- Pure-paper security people who write policies they wouldn't implement themselves.
- Engineers who treat security as a separate department that says no.
- Folks looking for a role at a 500-person company with a fully built platform team underneath them. This is early-stage. You're the platform team for a while.
Why This Role Is Interesting
We've taken infrastructure and security seriously from the start, which is part of why the lenders we work with trust us. Now we're investing in senior leadership for this discipline so we can keep raising the bar as the platform scales to bigger institutions and more sensitive workflows. You'll help shape the foundation that future engineers, brokers, and millions of mortgage applications run on top of, with real ownership inside your domain and the runway to do it right.
Compensation
Our total compensation, a blend of cash and equity, is market competitive.
Details
- Location: Calgary, AB — in-office
- Reports to: Seb Hiscock (CTO)
Ready to Apply?
Send your resume and a brief note about why you're interested to hello@purelend.ai