Hybrid Security Engineer, Governance, Risk and Compliance en Duffel

Whether it’s to visit the people closest to us, starting an exciting adventure, or a career-defining business trip, travel is an essential part of our lives. Yet we've all experienced the aches and pains of getting to our destination. Today, more than 4 billion airline passengers rely on technology that hasn't kept up with the expectations of the modern connected traveller.

That’s why we’ve started to rebuild the infrastructure that underpins the travel industry. We’re on a mission to unravel travel — simplifying systems and building the tools that will make the future of travel effortless. Central to this mission is ensuring seamless, secure, and reliable payment experiences, which are crucial for every transaction and a cornerstone of trust in our platform.

We were part of Y Combinator S18's cohort and we are backed by Benchmark, Blossom, Index Ventures, and Kima Ventures. A fantastic set of investors that has helped build some of the world's largest companies.

Our team in London is growing, and we’re looking for talented people to join us on our journey.

The Foundations team is responsible for the reliability, performance, resilience and security of our infrastructure and applications. The team is working closely with our various engineering teams to understand their needs and help meet the demands of our platform as we scale globally.

As a Security Engineer on our Foundations team, you will play a crucial role in establishing and maintaining a robust security governance framework. Your work will be instrumental in ensuring the organisation's compliance with industry standards and regulations, safeguarding our data and systems and building trust with key partners. You will contribute to fostering a culture of security awareness and operational excellence, directly impacting the company's ability to achieve its ambitious goals.

Spearhead the development of Duffel's Information Security Management System (ISMS) and guide the organisation through SOC 2 certifications.

Implement and continuously improve security policies and technical controls, ensuring alignment with industry best practices and operational excellence.

Monitor and maintain compliance with regulations, third-party requirements, and internal security policies, identifying and proactively addressing potential gaps.

Partner with Engineering, Product, and Legal to implement robust data governance solutions, encompassing data labelling, access control, audit trails, de-identification, and data lifecycle management.

Develop and execute internal audit programs, and effectively respond to external audits and due diligence requests.

Leverage your technical knowledge to define risk management plans, secure vendor solutions and meet third party requirements.

Actively contribute to Duffel’s security awareness program, fostering a strong security culture throughout the organisation.

Manage Vendor Security Assessment operations and drive continuous improvement of these processes.

Support the implementation and enhancement of Incident Management and Vulnerability Management policies.

Partner with our Legal team to ensure security practices align with legal and regulatory requirements, particularly concerning data privacy and protection.

Strong software and cybersecurity technical background, including experiences with major cloud platforms.

Demonstrated experience developing and implementing security policies, standards, and procedures.

Solid understanding of risk management frameworks, and industry-specific compliance requirements (e.g., PCI, SOC 2, GDPR).

Experience with external audits and leading certification processes.

Opinions on what good security standards and processes look like as we define ours at Duffel.

Big-picture thinking – you can make trade-offs on technical work streams against business impact.

Fantastic communication skills. You're able to articulate what you're working on and why to the team in a clear and structured way.

You thrive in a collaborative environment. You believe in your own methods but keep an open mind, taking suggestions and feedback onboard as well.

Experience guiding an organisation through PCI-DSS certification.

Experience in travel, flights, hotels, or cars.

We're dedicated to your personal growth. Our environment is comfortable both physically and in that our ears are always open to any ideas, concerns, and questions. We believe that everyone should have pride in their work, taking full ownership of it and its impact. That's why everyone who joins Duffel owns a share of the company.