Senior/Staff Security Engineer
Collective· HF1
- San Francisco
- Remote
- Engineering
About Collective: Financial solutions for self-employed business owners — formation, tax, accounting, and bookkeeping
About Collective:
Collective is on a mission to redefine the way businesses-of-one work. Our technology and team of trusted advisors help members achieve financial independence by taking care of everything from business incorporation to accounting, bookkeeping, tax services, and access to a thriving community, all in one integrated platform. We believe in empowering self-employed people to enjoy the same tax savings that big companies get, so they can focus on their passion, not paperwork.
Featured in Forbes, Business Insider, Yahoo, Bloomberg, Financial Times, TechCrunch, and more. We are backed by General Catalyst, Sound Ventures (Ashton Kutcher and Guy Oseary), QED Investors, Google’s Gradient Ventures, Expa, and other investors who have financed iconic companies like YouTube, Substack, Twitch, Box, Hims, Instacart, and Lyft.
About the role:
We're hiring a Senior/Staff Product Security Engineer to build the security-critical systems at the heart of Collective's member platform. This is a software engineering role first: you'll design and ship the code that governs how our platform authenticates users and services, what they're authorized to do, and how our members' data is protected. You'll own the authentication and authorization architecture end to end — not as a reviewer or advisor, but as the engineer whose commits land in production. You'll set the direction of this work, not just execute it: what gets built and in what order. As Collective expands its use of AI and agent-based workflows, you'll build the patterns those systems use to authenticate and operate safely. You'll sit on the Security team and spend your days in the product codebase, working alongside product engineers.
What you'll do:
- Own the end-to-end authentication and authorization architecture of Collective's member platform — session management, multi-factor authentication, authorization enforcement, and machine-to-machine authentication — and personally design, write, and ship the changes that improve it.
- Extend those patterns to delegated and agent-based access: how AI agents and third parties act on a member's behalf with scoped, time-boxed, revocable authority — and how their actions are attributed and audited.
- Drive the programmatic protection of sensitive member data: design and implement application-layer encryption for member documents and data — key management, envelope encryption, rotation — and build the controls that protect sensitive data in code (scoped access, tokenization, redaction in logs and pipelines) rather than in policy.
- Lead the design process for the systems you own: write RFCs, run design reviews, and bring product engineers along on security-critical changes.
- Threat-model the identity and data-protection systems you build, and own remediation of findings that touch your domain.
- Ground encryption and access-control decisions in the regulatory requirements that apply to a platform handling sensitive member data.
What you'll bring:
- 8+ years of software engineering experience, including significant time building or owning authentication, identity, authorization, or data-protection systems in production.
- Strong backend engineering skills — you're fluent shipping production code in a modern web stack (we run Python/Django on AWS), and you're comfortable making substantial changes to a codebase other teams depend on.
- Deep working knowledge of authentication standards and their failure modes: OAuth 2.0 (including token exchange and delegation patterns), OIDC, SAML, JWT, session management, and the differences between securing user-facing and machine-to-machine flows.
- Practical applied-cryptography literacy: envelope encryption, KMS-based key management, key rotation, and the tradeoffs of encrypting data at the field, document, and storage layers. You don't need to be a cryptographer — you need to know how to use cryptography correctly in a production system.
- Enough security fluency to reason about threats to the systems you build and to hold your own in a threat-modeling session. Deep security specialization is not required — you'll have teammates who bring it; what can't be delegated is the engineering.
- Comfort operating as a senior individual contributor who influences platform direction through RFCs, design reviews, and working code rather than a management chain.
- Product empathy: the ability to hold security rigor and member experience in the same frame — auth flows are the front door of the product, and getting them wrong in either direction is expensive.
What we offer:
- Hybrid Work Model: Based in San Francisco with a balance of in-office and remote flexibility.
- Fresh Lunch: Provided on in-office days.
- Commuter Support: $150 monthly reimbursement for transit expenses.
- Health & Wellness: $200 quarterly reimbursement to support your well-being.
- Time Off: Flexible PTO plus 14 company holidays.