Job Title


Platform Engineer


Company : Kapalins


Location : Guwahati, Assam


Created : 2026-04-29


Job Type : Full Time


Job Description

Role: Platform Engineer
Location: Remote (India), with 3-4 hours overlap with AEST (Australia)
Reports to: Founder / CTO
Compensation: 12-15 LPA (negotiable on experience)
Engagement: Full-time, individual contributor

About Kapalins:
Kapalins is an AI Governance Operating System for enterprise — multi-tenant SaaS that helps CISOs in regulated industries (banking, healthcare, government) audit, govern, and report on their AI tool usage. We ingest audit logs from M365 Copilot, OpenAI, GitHub Copilot, and AWS Bedrock into a unified compliance and FinOps view.

We're past first paid pilot, moving toward GA. This role is replacing significant founder-engineering capacity to let the founder focus on GTM, customers, and partnerships.

The Role:
You will own the engineering side of the platform. Day-to-day this means:
- Implementing audit-log connectors against vendor admin APIs (next on the roadmap: Anthropic, Google Gemini Enterprise, Cohere)
- Owning the multi-tenant database layer — Postgres RLS, schema migrations, row-level isolation across 15+ tables
- Building the Detection Engine (Policy Shield enforcement-mode) — real policy evaluation against ingested events
- Operating GCP production infrastructure — Cloud Run, Cloud SQL, Secret Manager, Workload Identity Federation
- Writing and maintaining architectural decision records (ADRs), gate closure sign-offs, and runbooks

This is NOT a "ticket-taking" role. You will own gates end-to-end: spec, implement, test, UAT, close. You will write the documents that future engineers read.

Discipline we hold:
We have a specific way of working. Honest version:
- Every gate closure requires live UAT against a real provider, not just static tests passing
- Every commit pauses for diff review before landing
- Every architectural decision is recorded in DECISIONS.md with trade-offs and review triggers
- Every deferred finding lands in a running ledger with severity and target gate
- We catch our own mistakes — the audit trail shows what was claimed, what was verified, and what was reverted when wrong
- We use cross-implementation verification for cryptographic code (SigV4 was verified against the aws4 npm library; caught a real bug)
- We label everything: severity (Active/Hardening/Latent/Config), source gate, target resolution

If "I just want to ship features fast" describes your preference, this role will frustrate you. If "I want to build something that holds up to APRA / SOCI / SOC 2 audit and doesn't carry hidden debt" describes your preference, this is the role.

You must have:
- 3+ years of backend engineering experience, with experience on production multi-tenant SaaS
- Deep PostgreSQL — you should be comfortable writing RLS policies from scratch, debugging abort-state issues, reasoning about ACL inheritance, and writing migrations that work cleanly under load
- Node.js / JavaScript fluency — we use Express on the backend; familiarity with Knex query builder is a plus but not required
- Strong GCP or AWS — production-level, not coursework. You should have set up Cloud Run / Cloud SQL / IAM / Secret Manager for a real product, or the AWS equivalents
- Comfort with cryptographic code — you should be able to read AWS SigV4 signing documentation and implement it correctly without copy-pasting from a tutorial
- Strong written English — this role is heavy on async writing (ADRs, runbooks, sign-offs). You will write more documents than most engineers do in a year.

You should have:
- Cybersecurity domain knowledge — RLS, IAM, OAuth, audit logging, compliance frameworks (SOC 2, ISO 27001, APRA CPS 234)
- Experience with React (frontend portals are React + Tailwind)
- Experience implementing or reviewing OAuth or OIDC flows
- Multi-cloud experience (we run GCP today; AWS is a target environment for tenant data)
- Experience writing ADRs, RFCs, or design docs that other engineers actually used

Nice to have:
- Australian or APAC SaaS experience
- Experience with Firebase Auth or comparable identity-platform-as-a-service
- Experience with Knex.js, Express middleware patterns, or Postgres FORCE RLS
- Experience with ingesting and normalising third-party audit logs at scale
- Bedrock, Azure OpenAI, or OpenAI Admin API integration experience
- Open-source contributions visible on GitHub

WHAT YOU WILL NOT DO
- React Native / mobile work
- Customer support — though you will read what customers report and decide if it's a code fix or a documentation fix
- Sales / pre-sales
- People management in the first 12 months — you might lead a small team by year 2 if the company grows that way

Interview Process:
- 30-min screening call with founder
- Take-home: implement a small connector against a documented API (timeboxed 4-6 hours, paid)
- Deep-dive technical interview on take-home
- Architecture discussion: we walk through one of our existing ADRs and you push back on it
- Reference call (we will check 2-3 references with engineers you've worked with)

Benefits:
We offer a competitive compensation and benefits package, as well as the opportunity to work on challenging and rewarding projects.

Regards,
Kapalins