Governance (Platform)

Platform Security & Governance Engineer

Own platform security and data governance for clinical data — access control, audit trails, PIPEDA and SOC 2 readiness.

Governance (Platform) · Full-time · Remote · Toronto, ON · Remote within Canada

About the role

Clinical research data is among the most sensitive data there is — participant information, safety records, regulatory documents, and the evidence trials are ultimately inspected on. MAESTRO's job is not only to protect that data, but to prove it is protected, on demand, to auditors and regulators. This role owns both halves of that promise.

You'll own how MAESTRO enforces access, records every consequential action, and demonstrates compliance — from role-, study- and site-scoped access control, to immutable audit trails, to the governance program behind our certifications and our customers' inspections. Security and governance here aren't a gate at the end; they're a core part of the product we sell.

This is a hands-on role for someone who can move fluidly between engineering controls and the compliance program they satisfy.

What you'll do

  • Design and enforce role-, study- and site-scoped access control and separation of duties across a multi-tenant platform.
  • Own the immutable audit trail — a defensible record of who changed what, and when — across every module.
  • Drive data governance: classification, retention, residency, encryption and key management, so sensitive data stays in-region and within policy.
  • Lead PIPEDA alignment and SOC 2 / ISO 27001 readiness — owning policies, evidence collection, and vendor/third-party reviews.
  • Run threat modelling and security reviews, and coordinate penetration testing and remediation.
  • Translate regulatory expectations (21 CFR Part 11, EU Annex 11, ICH GCP, Health Canada) into concrete, testable engineering controls — and into the evidence that proves they work.

What you'll bring

  • 4+ years in application/platform security or security engineering.
  • Strong understanding of authentication and authorization, encryption, secrets management and audit logging.
  • Familiarity with privacy and security frameworks — PIPEDA, GDPR, SOC 2, ISO 27001, NIST.
  • The ability to turn compliance requirements into shipped engineering controls, not just documentation.

Nice to have

  • Experience in healthcare, life-sciences or other regulated domains.
  • Knowledge of 21 CFR Part 11 audit-trail and electronic-signature requirements.
  • Hands-on experience with cloud security tooling and infrastructure-as-code security scanning.

Education

  • A degree in Computer Science, Cybersecurity, Information Security/Systems or a related technical field from a recognized post-secondary institution — or equivalent practical experience that demonstrably matches the level of the role.
  • Internationally educated candidates are welcome; foreign credentials should be assessed for Canadian equivalency (e.g. WES, ICAS or a comparable recognized service).
  • An asset (not required): recognized security or privacy certifications (e.g. CISSP, CISM, CCSP, or equivalent).

Location & eligibility

This role is open only to candidates who are based in Canada and legally entitled to live and work in Canada (Canadian citizens, or permanent/legal residents with valid Canadian work authorization). We are not able to sponsor relocation or work authorization for this position.

Why join

Security and governance aren't an afterthought here — they're the product. You'll build the controls that let a customer hand an inspector a link instead of scrambling for evidence, and you'll see your work directly enable trials to keep moving.