What is Aletra
Aletra is building the next generation of data security: a unified data security platform for regulated companies, one AI-native control plane across data security, governance, and AI oversight.
We build for banks, fintechs, insurers, and the technology companies that serve them, deliberately, from India, ahead of launch, close to real regulation, real data, and real accountability.
This page is where we hire for that work.
Our Founders
Founder & CEO. Our founder sits at the intersection of regulation and technology, the rare seat in this category, where most data-security companies have to split that view across a legal, privacy, and compliance executive and an architect. Over a decade inside regulated software, financial services, and insurance businesses, he has built and operated privacy, security, and AI governance programmes, sat in the architecture and engineering reviews where those programmes had to function, helped build product architecture from the ground up, and evaluated the data-security and governance platforms those businesses relied on. He is leading Aletra.
Co-Founder & COO. Our co-founder brings the impact lens that turns regulation from a document into something a company can actually adopt, operate, and live inside. She brings a unique combination of a commercial and a compliance executive, and a psychologist, in one seat. Over a decade inside heavily regulated technology businesses, including healthtech and space and defence technology (one of the most heavily regulated environments in the world), she has implemented contract-lifecycle and GRC systems from the side that decides whether those systems get used by the people they were built for.
Our two founders bring two different lenses to Aletra. The first lens sees the rules and the technology. The second lens sees what the rules and the technology do to positioning, workflows, and the people who have to live with it.
Without both lenses, Aletra would not have existed.
Who we want to meet
We are looking for founding-team members who care about building serious software for serious customers, and we are especially interested in people with experience in:
- data security, privacy engineering, GRC, or security architecture;
- SaaS, fintech, BFSI, healthtech, or other regulated platforms;
- AI governance, trust operations, compliance engineering, or customer assurance;
- product, engineering, design, or founder-led GTM in enterprise software.
If your background lives in two or three of these at once, that is exactly the shape we are hiring for.
Building from India, for the world.
We are a small team, building deliberately, ahead of launch. The work carries real regulatory weight and real ownership, and there is not much hand-holding. If that is the kind of room you do your best work in, here is what is open.
What you will do
- Build our AWS landing zone with Terraform or OpenTofu.
- Set up AWS Organizations, accounts, least-privilege access, and break-glass.
- Configure the organisation security services: logging, monitoring, key management, threat detection.
- Set the standards for our infrastructure code: modules, environments, state, review gates, drift detection.
- Build the provisioning patterns for setting up customer environments.
- Partner with engineering on platform infrastructure, without taking over product code.
- Produce SOC2-ready infrastructure evidence as a by-product of ordinary work.
What you need
- Five to eight years in cloud infrastructure, DevOps, SRE, or platform engineering.
- Three years or more of production Terraform or OpenTofu.
- Real AWS depth across Organizations, IAM, security services, and cross-account access.
- Experience running multi-account AWS environments.
- The security basics done properly: least privilege, encryption, logging, isolation, secrets.
- A genuine habit of writing things down: decision records, runbooks, notes.
What also helps
- SOC2 or ISO 27001 readiness experience on AWS.
- Multi-region or data-residency work across India, Singapore, the EU, the US, or Canada.
- Customer-isolated SaaS environments or account vending.
- Tools such as Control Tower, Terragrunt, Atlantis, Spacelift, or Terraform Cloud.
Not the right fit if
- You have run Azure and Intune, not AWS and Terraform.
- You prefer the console to infrastructure as code.
- You want to own architecture without building it yourself.
- You do not write documentation.
What you will do
- Build the AWS-first backend: services, APIs, workers, queues, and data pipelines.
- Build the core data and processing platform at the heart of the product.
- Build the access-control and entitlement services, enforced server-side.
- Build the canonical data schemas behind the product.
- Build the APIs behind the product's core customer surfaces.
- Version model and rule changes and keep their outputs traceable.
- Write tests, migration plans, runbooks, and design notes.
What you need
- Five to eight years in backend, cloud, data, or security SaaS engineering.
- Strong production work in Python, Go, Java, or Node; Python preferred.
- Real AWS depth and the ability to debug production.
- Experience building APIs, pipelines, scanners, policy engines, or reporting workflows.
- Comfort around sensitive data: databases, repositories, warehouses, identity systems.
- Clear technical writing and an async working style.
What also helps
- DSPM, DLP, data governance, identity, or GRC product experience.
- Multi-tenant SaaS with isolated customer data boundaries.
- Building audit, monitoring, or anomaly-detection systems.
- Familiarity with model or rule registries, without needing to be an ML researcher.
Not the right fit if
- You design but do not build.
- You are DevOps-only or Terraform-only.
- Your background is SOC analyst, GRC consulting, or IT administration rather than product engineering.
- You treat AI output as authoritative.
What you will do
- Build the React and TypeScript surfaces customers actually use.
- Build permission-gated states that cannot be bypassed from the browser.
- Build the product's core customer surfaces as views over real platform output.
- Instrument how customers use the product, so the team learns from it.
- Work with compliance so customer-facing language is accurate and never overclaims.
- Write frontend tests, contract tests, and release notes.
What you need
- Four to seven years building SaaS web applications.
- Strong React and TypeScript, with enough backend fluency to debug a flow end to end.
- Experience with authentication, role-based access, entitlement-gated screens, or secure portals.
- The product taste to make a complex security state clear to a non-engineer.
- Comfort with early-stage ambiguity and backend contracts still taking shape.
What also helps
- Security, compliance, GRC, or analytics-dashboard product experience.
- Modern component systems such as Tailwind or shadcn.
- Building audit, reporting, or workflow-driven products.
Not the right fit if
- You are a visual designer without production engineering.
- You treat a locked state as client-side decoration.
- You want to invent new workflows rather than surface what the platform produces.
- Regulated-customer language and auditability make you uncomfortable.
What you will do
- Build the data collectors and connectors for scoped AWS, SaaS, data-store, and identity environments.
- Map raw source data into clean, canonical structures for data, identity, access, and flow.
- Build the data contracts the rest of the platform depends on.
- Build connector health, schema stability, and coverage metrics.
- Build the boundaries for coexisting safely with a customer's existing tooling.
- Track quality and source metadata for the signals you produce.
- Write integration runbooks, data-quality tests, and onboarding checklists.
What you need
- Five to eight years in data engineering, integrations, security SaaS, or platform engineering.
- Strong Python, Go, TypeScript, or JVM work, and real API and integration fluency.
- Experience with AWS events and logs, SaaS APIs, data stores, identity systems, or security telemetry.
- Comfort with schema design, event contracts, data quality, retries, idempotency, and lineage.
- The discipline to document assumptions, source confidence, and failure modes.
What also helps
- DSPM, DLP, SIEM, CSPM, IAM, or regulated data-platform experience.
- Feature engineering, anomaly-detection inputs, graph data, or temporal event systems.
- Working with BFSI or fintech data, cloud logs, or customer security environments.
Not the right fit if
- You are ETL-only, with no product or integration ownership.
- You treat a vendor feed as the intelligence rather than as enrichment.
- You cannot write a runbook or explain a data-quality tradeoff.
What you will do
- Build automated API and UI smoke and regression tests for the launch-critical flows.
- Test entitlement enforcement, including attempts to bypass permission and export controls.
- Validate end-to-end workflow consistency across the product's core flows.
- Define test cases for tenant boundaries, model and rule versioning, AI privacy, and redaction.
- Maintain the release checklist, defect taxonomy, and severity definitions.
- Make tests part of CI/CD without creating heavy process.
What you need
- Four to seven years in QA, test automation, SDET, or product quality.
- Experience testing APIs, web apps, authentication and authorisation, and SaaS workflows.
- Automation in Python, TypeScript, Playwright, Cypress, pytest, or equivalents.
- A security instinct for entitlement, tenant isolation, access control, and data leakage.
- Strong written bug reports and release notes.
What also helps
- Security, compliance, fintech, GRC, or data-platform testing experience.
- SOC2 evidence experience around SDLC, testing, and change management.
- Testing export workflows, audit logs, or reporting products.
Not the right fit if
- You are a manual-only tester who cannot automate.
- You are pentest-only, with no product QA discipline.
- You block releases without risk-based prioritisation.
- You do not think in terms of authorisation and data-boundary risk.
What you will do
- Define the architecture for the platform's machine-learning systems.
- Design the feature schemas the models depend on.
- Define the feature store and its tenant-isolation boundaries.
- Design the model and rule registry: version, training window, approval, deployment, rollback, evaluation.
- Define inference logging so every output traces back to its model and features.
- Design the feedback loop from labelled outcomes and true and false positives.
- Define drift detection across coverage, data quality, and connector health.
- Partner with compliance and security on AI privacy and human-oversight governance.
What you need
- Eight years or more in applied ML, ML systems, anomaly detection, behavioural analytics, or security analytics.
- Experience designing production ML that depends on event data, feature stores, registries, and monitoring.
- A strong grasp of privacy, data minimisation, explainability, and customer-data boundaries.
- The product sense to know when rules and statistics beat a premature model.
- The ability to write architecture decisions a team can implement.
What also helps
- Security analytics, fraud and risk, IAM, DSPM, DLP, or graph ML experience.
- Model monitoring, drift detection, active learning, or AI governance experience.
- Familiarity with LLM privacy risks and model-gateway architectures.
- Early-stage startup or small-team experience.
Not the right fit if
- You are research-only and cannot produce implementation-ready architecture.
- You assume an LLM is the source of truth.
- You set aside privacy, residency, or compliance boundaries.
- You would train shared models on one customer's data to serve another.
What you will do
- Build the feature pipelines for the models from the platform's data.
- Build the tenant-isolated feature store the models depend on.
- Build early statistical baselines, rules, anomaly checks, and confidence scoring, with clear caveats.
- Integrate the model and rule registry and inference logging.
- Build evaluation datasets, feedback loops, and drift and coverage monitoring.
- Partner with QA on tests, and with compliance and security on AI privacy boundaries.
- Document assumptions, feature definitions, scoring limits, and safe claims.
What you need
- Five to eight years in applied ML, data engineering, ML engineering, risk analytics, or data platforms.
- Strong Python and SQL, and practical AWS and data-pipeline experience.
- Experience with feature engineering, event data, model evaluation, and production analytics.
- The discipline to build useful systems without overclaiming model maturity.
- Strong documentation and collaboration with product, compliance, and engineering.
What also helps
- Security analytics, fraud and risk, IAM, DSPM, DLP, or temporal graph analytics experience.
- Model monitoring, drift detection, active learning, or AI governance experience.
- Familiarity with privacy-preserving ML and customer-data boundaries.
Not the right fit if
- You are research-only and need large datasets and long timelines before producing value.
- You are prompt-engineering-only, with no data or ML systems depth.
- You treat external LLM output as authoritative evidence.
- You would train shared models on one customer's data to serve another.
What you will do
- Own SOC2 readiness end to end: gap assessment, evidence calendar, control mapping, audit preparation.
- Design the compliance programme across SOC2, DPDP, CERT-In, RBI, SEBI, FEMA, and AI privacy.
- Hold the line on claims: keep internal language from becoming a false regulatory claim.
- Review customer-facing claims so they stay accurate and never overreach.
- Partner with engineering on access control, logging, encryption, and isolation.
- Handle customer security reviews and support customer trust conversations.
- Own vendor risk, the external AI-provider approval process, and incident regulatory response.
What you need
- Six to eight years in compliance, with at least three years owning a programme.
- A completed SOC2 Type2 or ISO 27001 cycle you carried yourself.
- Experience designing a compliance programme from scratch.
- Working knowledge of DPDP and at least one international privacy or regulatory framework.
- Familiarity with BFSI, fintech, RBI, FEMA, CERT-In, or SEBI evidence workflows.
- The judgment to engage engineers, founders, auditors, and customers without blocking everything.
What also helps
- Compliance experience in SaaS, fintech, BFSI, or a security startup.
- Compliance automation platforms such as Sprinto, Vanta, Drata, or Secureframe.
- AI governance, model risk, vendor risk, or data-residency review experience.
Not the right fit if
- Your experience is evidence collection without programme ownership.
- You have Type I exposure but no Type 2 operating-period ownership.
- You cannot work alongside engineering decisions.
- You default to a legalistic no without commercial judgment.
What you will do
- Collect, label, and maintain SOC2 readiness evidence across code, cloud, IT, access reviews, HR, and vendor records.
- Keep the compliance platform current: control owners, test status, refresh dates, exceptions.
- Draft customer security questionnaire responses in approved language, and escalate anything non-standard.
- Support access reviews, vendor reviews, policy acknowledgements, and document requests.
- Track audit requests, evidence gaps, remediation owners, and closure.
- Keep compliance documentation under version control.
What you need
- Two to four years in compliance, audit, security assurance, GRC, or SaaS evidence operations.
- Hands-on evidence collection for SOC2, ISO 27001, or similar.
- Strong spreadsheet and document discipline, and comfort with compliance automation tools.
- The discipline to follow evidence standards without inventing policy or overpromising.
- Clear written English and real attention to detail.
What also helps
- Experience with Sprinto, Vanta, Drata, Secureframe, Hyperproof, or AuditBoard.
- Startup or SaaS customer security questionnaire experience.
- Awareness of DPDP, CERT-In, RBI, SEBI, or FEMA.
Not the right fit if
- You want to be the compliance head right away.
- You treat evidence collection as filing screenshots without control context.
- You struggle with disciplined documentation and deadlines.
- You make customer or regulatory commitments without approval.
What you will do
- Run lightweight but rigorous application-security and architecture reviews.
- Review entitlement bypass paths, API authorisation, export gating, and server-side redaction.
- Review tenant isolation and data-leakage test cases with QA.
- Review data integrity, tamper-resistance, and access control.
- Threat-model any external model use: prompt injection, data exfiltration, provider boundaries.
- Review the boundaries of human oversight: monitoring, override, rollback, approvals, audit trails.
- Write actionable findings with severity, owner, due date, and verification criteria.
What you need
- Seven years or more in AppSec, product security, cloud security, or regulated SaaS security review.
- A strong grasp of authentication, authorisation, tenant isolation, API security, audit logs, encryption, and secure SDLC.
- Experience threat-modelling SaaS and reviewing design and code without heavyweight process.
- The ability to explain risk clearly to founders, engineers, compliance, and customers.
What also helps
- Security or compliance SaaS, data security, AI security, or model-gateway experience.
- SOC2 or ISO readiness and customer security questionnaire experience.
- AWS SaaS security architecture experience.
Not the right fit if
- You are pentest-only and cannot review architecture.
- You write long theoretical reports with no practical remediation path.
- You cannot work at startup speed.
- You treat AI privacy as a marketing issue rather than a data-boundary one.
What you will do
- Set up and run Apple Business Manager, device management, enrolment, disk encryption, and patching.
- Administer Google Workspace: users, groups, shared drives, audit logs, retention, offboarding.
- Operate the password manager, MFA enforcement, access requests, and SaaS provisioning.
- Maintain asset and vendor inventory, IT runbooks, and SOC2 evidence records.
- Support procurement, device issuance, onboarding, exits, and IT-related security questionnaires.
- Run monthly access reviews and device compliance checks with the Compliance Manager.
- Escalate policy exceptions and security incidents using documented runbooks.
What you need
- Around five years in IT operations at a SaaS or cloud-native company.
- Two years or more of hands-on device management; Scalefusion preferred, Jamf, Kandji, or Intune fine.
- Two years or more administering Google Workspace, including shared drives and audit logs.
- You have personally set up Apple Business Manager for an employer.
- You have worked inside a SOC2 evidence effort on a compliance automation platform.
- Working knowledge of SAML, OIDC, and SCIM provisioning, and light scripting.
What also helps
- Pre-Series A SaaS startup experience.
- ISO 27001 or NIST CSF exposure.
- Familiarity with the Indian vendor ecosystem, such as Keka, AuthBridge, and Scalefusion.
Not the right fit if
- You want a DevOps, cloud infrastructure, or product engineering role.
- You cannot tell internal IT apart from production platform ownership.
- You are a helpdesk operator who cannot build a process from zero.
- You do not have hands-on Apple Business Manager and device-management experience.
What you will do
- Run customer technical onboarding: access planning, scope, stakeholders, and data discovery.
- Coordinate instrumentation across a customer's AWS, SaaS, and data systems.
- Map their current data and evidence sources, owners, gaps, and sign-off flow.
- Prepare the onboarding baseline and implementation documentation.
- Track implementation time, blockers, data-access risk, and product gaps.
- Train customer technical stakeholders on the platform, in approved language.
- Escalate scope creep, data-access risk, and any unsupported claim.
What you need
- Four to seven years in solutions engineering, implementation, technical customer success, or security SaaS onboarding.
- Comfort in AWS, SaaS, data, and security environments, and with technical customer stakeholders.
- The ability to map workflows, data sources, access paths, and owners.
- Strong customer communication, without becoming a salesperson or overcommitting engineering.
- Crisp implementation notes, runbooks, and handoff memos.
What also helps
- DSPM, DLP, GRC, data governance, or regulated SaaS implementation experience.
- BFSI or fintech security review experience.
- Python and API integration fluency.
- SOC2 or audit evidence familiarity.
Not the right fit if
- You are a sales engineer who cannot operate the implementation detail.
- You accept unlimited custom scope.
- You avoid customer conversations.
- You state compliance conclusions without compliance approval.
What you will do
- Own demand generation: build and run the pipeline that brings qualified buyers to Aletra.
- Plan and run multi-channel campaigns across content, email, events, search, and paid.
- Build and nurture the lead funnel, from first touch to qualified handoff to sales.
- Build campaign assets and buyer-facing collateral, with a claims glossary.
- Coordinate compliance review of every public and customer-facing claim.
- Maintain CRM and marketing-operations hygiene: stages, attribution, and campaign records.
- Measure, report, and optimise pipeline, conversion, and cost per qualified lead.
What you need
- Five to eight years in B2B SaaS demand generation, growth, or pipeline marketing.
- Experience owning a demand funnel and pipeline targets for technical or regulated buyers.
- Multi-channel campaign skill across content, email, events, search, and paid.
- Comfort with CRM and marketing-operations tooling, attribution, and funnel metrics.
- Excellent written English and structured collateral.
What also helps
- Security, compliance, fintech, data infrastructure, or AI governance experience.
- Experience supporting enterprise or mid-market sales.
- Familiarity with DPDP, CERT-In, RBI, SEBI, FEMA, SOC2, DSPM, or DLP.
Not the right fit if
- You are a brand marketer who wants broad campaigns before there is proof.
- You run campaigns but cannot own pipeline and conversion.
- You want to make loud public claims before there is customer proof.
- You treat paid media as a substitute for disciplined customer discovery.
How we hire
A first conversation, a focused technical or domain deep-dive, a short practical exercise, and a final conversation with a founder. We move quickly, and we tell you where you stand.
Apply to Aletra.
Submit your application below. Your resume, cover letter, and response come to our hiring inbox.
Thank you for applying to Aletra. If your background fits a current role, we will be in touch.