
Platform Engineer

Kapalins

Jaipur, Full-time, Mid Level, On-site

Job Description

Role: Platform Engineer
Location: Remote (India), with 3-4 hours overlap with AEST (Australia)
Reports to: Founder / CTO
Compensation: 12-15 LPA (negotiable on experience)
Engagement: Full-time, individual contributor

About Kapalins:

Kapalins is an AI Governance Operating System for enterprise: multi-tenant SaaS that helps CISOs in regulated industries (banking, healthcare, government) audit, govern, and report on their AI tool usage. We ingest audit logs from M365 Copilot, OpenAI, GitHub Copilot, and AWS Bedrock into a unified compliance and FinOps view. We're past first paid pilot, moving toward GA.

This role is replacing significant founder-engineering capacity to let the founder focus on GTM, customers, and partnerships.

The Role:

You will own the engineering side of the platform. Day-to-day this means:

- Implementing audit-log connectors against vendor admin APIs (next on the roadmap: Anthropic, Google Gemini Enterprise, Cohere)
- Owning the multi-tenant database layer: Postgres RLS, schema migrations, row-level isolation across 15+ tables
- Building the Detection Engine (Policy Shield enforcement-mode): real policy evaluation against ingested events
- Operating GCP production infrastructure: Cloud Run, Cloud SQL, Secret Manager, Workload Identity Federation
- Writing and maintaining architectural decision records (ADRs), gate closure sign-offs, and runbooks

This is NOT a "ticket-taking" role. You will own gates end-to-end: spec, implement, test, UAT, close. You will write the documents that future engineers read.

Discipline we hold:

We have a specific way of working. Honest version:

- Every gate closure requires live UAT against a real provider, not just static tests passing
- Every commit pauses for diff review before landing
- Every architectural decision is recorded in DECISIONS.md with trade-offs and review triggers
- Every deferred finding lands in a running ledger with severity and target gate
- We catch our own mistakes: the audit trail shows what was claimed, what was verified, and what was reverted when wrong
- We use cross-implementation verification for cryptographic code (SigV4 was verified against the aws4 npm library; caught a real bug)
- We label everything: severity (Active/Hardening/Latent/Config), source gate, target resolution

If "I just want to ship features fast" describes your preference, this role will frustrate you. If "I want to build something that holds up to APRA / SOCI / SOC 2 audit and doesn't carry hidden debt" describes your preference, this is the role.

You must have:

- 3+ years of backend engineering experience, with experience on production multi-tenant SaaS
- Deep PostgreSQL: you should be comfortable writing RLS policies from scratch, debugging abort-state issues, reasoning about ACL inheritance, and writing migrations that work cleanly under load
- Node.js / JavaScript fluency: we use Express on the backend; familiarity with Knex query builder is a plus but not required
- Strong GCP or AWS: production-level, not coursework. You should have set up Cloud Run / Cloud SQL / IAM / Secret Manager for a real product, or the AWS equivalents
- Comfort with cryptographic code: you should be able to read AWS SigV4 signing documentation and implement it correctly without copy-pasting from a tutorial
- Strong written English: this role is heavy on async writing (ADRs, runbooks, sign-offs). You will write more documents than most engineers do in a year.

You should have:

- Cybersecurity domain knowledge: RLS, IAM, OAuth, audit logging, compliance frameworks (SOC 2, ISO 27001, APRA CPS 234)
- Experience with React (frontend portals are React + Tailwind)
- Experience implementing or reviewing OAuth or OIDC flows
- Multi-cloud experience (we run GCP today; AWS is a target environment for tenant data)
- Experience writing ADRs, RFCs, or design docs that other engineers actually used

Nice to have:

- Australian or APAC SaaS experience
- Experience with Firebase Auth or comparable identity-platform-as-a-service
- Experience with Knex.js, Express middleware patterns, or Postgres FORCE RLS
- Experience with ingesting and normalising third-party audit logs at scale
- Bedrock, Azure OpenAI, or OpenAI Admin API integration experience
- Open-source contributions visible on GitHub

What you will not do:

- React Native / mobile work
- Customer support, though you will read what customers report and decide if it's a code fix or a documentation fix
- Sales / pre-sales
- People management in the first 12 months; you might lead a small team by year 2 if the company grows that way

Interview Process:

- 30-min screening call with founder
- Take-home: implement a small connector against a documented API (timeboxed 4-6 hours, paid)
- Deep-dive technical interview on take-home
- Architecture discussion: we walk through one of our existing ADRs and you push back on it
- Reference call (we will check 2-3 references with engineers you've worked with)

Benefits:

We offer a competitive compensation and benefits package, as well as the opportunity to work on challenging and rewarding projects.

Regards, Kapalins

Posted Yesterday
