Application Security Lead

About the Role

This is our first dedicated security hire, and it's a rare chance to define the function from the ground up. You'll own Hightouch's application security posture end-to-end. We have strong engineering fundamentals and a solid foundation; now you'll shape what security looks like here as we scale from 70 to 140+ engineers.

This is a hands-on, high-autonomy role. You'll spend most of your time in the codebase, not in meetings. You’ll be solving hard problems at the intersection of security and distributed systems:

• Multi-tenant isolation on a system running ~1M data syncs per day and ingesting 100K+ events/sec
• Sub-tenant access control - for multi-team and multi-brand use cases, requiring differentiated access to configuration and data
• Security architecture - Build and refine our frameworks for compute isolation and perform threat modeling and hardening of new products
• Internet-facing APIs - Our high-throughput, internet-facing architecture services customer data at scale. You’ll improve our rate limiting, abuse detection, and granularity of access control
• Multi-Region and Multi-Cloud - Supporting our multi-region and multi-cloud backend, including extending it to launch Hightouch on in new regions to support data residency requirements of our global customer base

You'll own your roadmap. We're not looking for someone to run a checklist — we're looking for someone who can look at our architecture, identify the highest-leverage problems, and go fix them.

About You

You’ve been an early security hire at a SaaS company before and moved the needle on how they approach security. You can read application code, threat model a distributed system, and ship production fixes. You have significant distributed systems expertise so that you can understand and influence what is being built by the product teams and influence from a place of trust.

Experience that's relevant:

• Being an early security hire (first 1-3) at a SaaS or data infrastructure company
• Securing multi-tenant platforms: tenant isolation, authorization models, etc
• Cloud security on systems that span more than one cloud and operate against customer-owned accounts
• Design and build of data infrastructure as an early engineer, not just a user. You helped secure it from early design or during major redesigns. You understand how it scales and how it’s secured
• Privacy-adjacent security (PII handling, data residency, GDPR/CCPA technical controls)

We don't care about certifications. We care about what you've built.

Interview Process

1. Recruiter Screen [30m] - Introductory mutual fit assessment

2. Security Architecture Interview [60m] - Threat model discussion of a real-ish system, followed by a systems design exercise

3. Core interview [90m] - deep dive on distributed systems knowledge

4. Hiring Manager Interview [60m] - What you've built in the past, how you work

5. Security Program Interview [60m] with Head of Engineering — How you've run security programs in practice: bug bounty, pentest engagements, working with external researchers, and partnering across engineering to drive adoption.