
Senior DevOps Engineer (Security Compliance specialist)

Apolitical


Posted over 30 days ago...

Expired


Overview

Salary

£75000 - £90000

Location

Hybrid; London (3 days a week)

Expires

Expires at anytime

Organisation Summary

Apolitical is a platform for global governments that uses modern, TypeScript-first tools to provide services to professionals across 170+ nations. We are seeking a security-conscious Senior DevOps Engineer to harden our infrastructure, guide us through ISO 27001 and GDPR audits, and ensure that code ships securely and quickly.

Role Summary

  • Platform and compliance management
  • Directing audits & pen-tests
  • Overseeing threat & vulnerability control
  • Maintaining forensic standards, logs and metrics
  • Acting as a security advocate, mentoring engineers and delivering security-focused projects

Role Requirements

  • Extensive knowledge of container orchestration (Kubernetes) and infrastructure-as-code
  • Proficiency in CI/CD and observability tools
  • Understanding of how ISO 27001 controls map to cloud resources and pipelines
  • Clear communication skills to liaise with both technical and non-technical stakeholders

Application Process Details

Applicants must apply via the Applied platform, which asks preliminary demographic questions (you can opt out of answering them). We heartily encourage applications from diverse backgrounds, even if you do not meet every job qualification.

Overview

  • Start date: ASAP
  • Visa sponsorship: Unfortunately, we are unable to offer visa sponsorship for this role. Applicants should have the right to work in the UK at the time of application.
  • Background checks: Due to the nature of the work we do with global governments and partners, all employees need to pass background checks, verifying your identity, education (if relevant), work history, sanctions, criminal record, adverse financial history and right to work.
  • You can expect to hear from us, no matter the outcome, by: 22nd August 2025
  • Salary expectations: We aim for transparency on salary bands. If our range is misaligned with your expectations, we’d welcome an open conversation as early as possible.
  • Recruiters: We don't need any agency support. Please do not get in contact.

Role

Apolitical is the global peer‑to‑peer platform for people transforming government. Our engineering team ships a modern, TypeScript‑first stack—Kubernetes on GKE, Helmfile‑driven releases, and GitHub Actions pipelines—serving public‑sector professionals in 170+ countries. We’re looking for a Senior DevOps Engineer who pairs operational excellence with a passion for security and data compliance. You’ll harden our infrastructure, steer us through ISO 27001 and GDPR audits, and make it effortless for product squads to ship secure code at speed.

You’ll be our internal security‑minded DevOps authority—sharing ownership of the CI/CD tool‑chain, cloud infrastructure and compliance controls that keep our platform safe, fast and auditable.

Tasks and remit

  • Platform hardening – Maintain and evolve GKE + Helmfile deployments, Terraform modules and GitHub Actions workflows with security best practices baked‑in.
  • Compliance liaison – Partner with our Data Protection Officer to interpret regulatory requirements (ISO 27001, GDPR, DPAs) and translate them into technical controls, policies and run‑books.
  • Audit & pen‑test lead – Coordinate external auditors, manage evidence collection, track remediation tickets and present technical posture to stakeholders.
  • Threat & vulnerability management – Run container‑image scanning (Snyk), dependency SBOM generation and orchestrate patch cycles across clusters.
  • Incident readiness – Own on‑call playbooks, drill tabletop exercises, ensure logs/metrics/traces meet forensic standards.
  • Security advocacy – Mentor engineers on secure‑by‑default patterns; propose and deliver projects (e.g. cluster network policies, secrets rotation, OIDC federation) that raise our security bar.

This role is exciting if you’re eager to grow technically and professionally in a supportive, pragmatic team. You’ll be empowered to own code, propose improvements and understand how your work impacts our users.

You will be:

  • An experienced DevOps/SRE with deep knowledge of container orchestration (Kubernetes) and infrastructure‑as‑code.
  • Fluent in CI/CD (GitHub Actions, Argo/CD or similar) and observability tooling.
  • Comfortable mapping ISO 27001 controls to real‑world pipelines and cloud resources.
  • A clear communicator who can bridge product squads, external auditors and non‑technical stakeholders.

You won’t be:

  • Managing people—this is an individual‑contributor role with broad cross‑team influence.

Role expectations

Timelines may vary depending on individual onboarding and support needs, but we expect most team members to achieve the following milestones:

Within one month, you will…

  • Ship your first secure Helmfile release to QA.
  • Complete onboarding deep‑dive of existing CI/CD, Terraform and security policies.
  • Shadow DPO on open compliance items to build context.

Within three months, you will…

  • Lead the next quarterly vulnerability scan and deliver remediation plan.
  • Introduce SBOM + container image scanning gates to GitHub Actions.
  • Publish updated incident‑response runbook and run a tabletop drill.

Within six months, you will…

  • Own technical track for ISO 27001 surveillance audit—zero major non‑conformities.
  • Deliver at least two security posture projects (e.g. cluster network policies, secret rotation automation).
  • Define long‑term security roadmap and metrics dashboard consumed by leadership.

About you

This is a great fit if you…

  • Thrive at the intersection of DevOps and security, turning controls into code.
  • Have led (or heavily contributed to) at least one successful external compliance audit.
  • Enjoy mentoring engineers and championing a culture of "secure by default".
  • Are pragmatic—optimising for measurable risk reduction and developer velocity.

Let us know if you have…

  • Hands‑on GCP experience (GKE, Cloud SQL, IAM, Secret Manager).
  • Implemented policy‑as‑code (OPA/Gatekeeper, Sentinel, Kyverno).
  • Contributed to SRE practices (SLIs, SLOs, error budgets) or chaos engineering.

This likely won’t be the right role if you…

  • Prefer narrowly scoped, siloed security roles.
  • Are uncomfortable owning end‑to‑end delivery—from Terraform plan to audit evidence pack.

Don’t meet every single expectation? Studies have shown that women and people of colour are less likely to apply to jobs unless they meet every single qualification. Apolitical is dedicated to building a diverse and inclusive workplace, so if you’re excited about this role but your past experience doesn’t align perfectly with every qualification in the job description, we encourage you to apply anyways. You may be just the right candidate for this or other roles.

Application

The Applied platform asks some demographic questions before you start your application. No one at Apolitical sees the answers to these demographic questions with your application. We only see summary statistics to help us check if our candidate pool is balanced and if everyone has an equal chance to get hired irrespective of their background. If you prefer, you can easily opt out of answering these questions.
