Security Engineer, Governance, Risk and Compliance (copy)

Security Engineer, Governance, Risk and Compliance Create the future of travel with us

Whether it's to visit the people closest to us, starting an exciting adventure, or a career-defining business trip, travel is an essential part of our lives. Yet we've all experienced the aches and pains of getting to our destination. Today, more than 4 billion airline passengers rely on technology that hasn't kept up with the expectations of the modern connected traveller.

That's why we've started to rebuild the infrastructure that underpins the travel industry. We're on a mission to unravel travel - simplifying systems and building the tools that will make the future of travel effortless. Central to this mission is ensuring seamless, secure, and reliable payment experiences, which are crucial for every transaction and a cornerstone of trust in our platform.

We were part of Y Combinator S18's cohort and we are backed by Benchmark, Blossom, Index Ventures, and Kima Ventures. A fantastic set of investors that has helped build some of the world's largest companies.

Our team in London is growing, and we're looking for talented people to join us on our journey.

Foundations at Duffel

The Foundations team is responsible for the reliability, performance, resilience and security of our infrastructure and applications. The team is working closely with our various engineering teams to understand their needs and help meet the demands of our platform as we scale globally.

What you'll do

• Establish and maintain a robust security governance framework to ensure the organisation's compliance with industry standards and regulations, safeguarding our data and systems.
• Spearhead the development of Duffel's Information Security Management System (ISMS) and guide the organisation through SOC 2 certifications.
• Implement and continuously improve security policies and technical controls, ensuring alignment with industry best practices and operational excellence.
• Monitor and maintain compliance with regulations, third party requirements, and internal security policies, identifying and proactively addressing potential gaps.
• Partner with Engineering, Product, and Legal to implement robust data governance solutions, encompassing data labelling, access control, audit trails, de identification, and data lifecycle management.
• Develop and execute internal audit programmes, and effectively respond to external audits and due diligence requests.
• Leverage your technical knowledge to define risk management plans, secure vendor solutions and meet third party requirements.
• Actively contribute to Duffel's security awareness program, fostering a strong security culture throughout the organisation.
• Manage Vendor Security Assessment operations and drive continuous improvement of these processes.
• Support the implementation and enhancement of Incident Management and Vulnerability Management policies.
• Partner with our Legal team to ensure security practices align with legal and regulatory requirements, particularly concerning data privacy and protection.

What we're looking for in you

• Strong software and cybersecurity technical background, with experience on major cloud platforms.
• Demonstrated experience developing and implementing security policies, standards, and procedures.
• Solid understanding of risk management frameworks and industry specific compliance requirements (e.g., PCI, SOC 2, GDPR).
• Experience with external audits and leading certification processes.
• Clear opinions on what good security standards and processes look like as we define ours at Duffel.
• Big picture thinking - ability to make trade offs on technical work streams against business impact.
• Fantastic communication skills; able to articulate work and rationale in a clear, structured way.
• Collaborative mindset; open to suggestions and feedback while maintaining confidence in your methods.

Bonus points if you have

• Experience guiding an organisation through PCI DSS certification.
• Experience in travel, flights, hotels, or cars.

What you can expect from us

We're dedicated to your personal growth. Our environment is comfortable both physically and in that our ears are always open to any ideas, concerns, and questions. We believe that everyone should have pride in their work, taking full ownership of it and its impact. That's why everyone who joins Duffel owns a share of the company.

We are an equal opportunities employer

We believe that the key to our success is employing a diverse team; that's why recruitment decisions are only based on your experience and skills. We value your ability to problem solve and build amazing things, so we welcome applications from everyone - regardless of age, sex, disability, sexual orientation, race, religion, or belief.

Note to recruitment agencies

Duffel does not accept speculative CVs from external parties. Any unsolicited CVs sent to us will be treated as property of Duffel, and any attached terms and conditions associated with these CVs will be null and void.