At Upvest, we are on a mission to make investing as easy as spending money. Upvest empowers businesses to offer a wide range of investment products and the best experience in the field of capital market investment and retirement planning. Upvest's Investment API is easy to integrate, so that fintechs and financial institutions can save resources and fully focus on their core business. We are proud to partner with Europe's leading fintechs and financial institutions such as DKB, Revolut, N26 and Raisin. Founded in 2017 by Martin Kassing, Upvest now brings together over 270 talented professionals from more than 70 nationalities. Upvest is backed by €280M in total funding from world-class investors, including BlackRock, Tencent, Sapphire Ventures, Bessemer Venture Partners, Earlybird, Notion Capital, and Motive. Our latest €105M funding round in March 2026, led by Sapphire and Tencent, serves as a massive catalyst for our growth, allowing us to offer a premier investment experience.

# What you'll do:
- Set the multi-quarter strategy for application and cloud security across Upvest's Investment API platform, aligned with our product roadmap, our tenant commitments, and our regulatory obligations under DORA, MiFID II, and BaFin's MaRisk / BAIT requirements.
- Lead, mentor, and grow our Security Engineering team and Upvest's security culture. You'll inherit a small, talented team and own hiring, onboarding, growth, and retention as we scale, and you'll create initiatives that build security into the development and product life cycle.
- Build paved roads. Own the secure defaults for encryption, authN/authZ, CI/CD, data handling, and network surfaces. We want fewer security review queues and more security baked into the templates engineers start from.
- Own application security end-to-end. Threat modeling, secure code review, SAST/DAST/SCA tooling integrated into our GitHub Actions CI/CD pipelines, and vulnerability management.
- Drive better cloud security posture across our GCP environment: IAM, VPC Service Controls, Cloud KMS, CSPM (Wiz), Binary Authorization for GKE, Terraform-driven infrastructure security baselines, and the posture of our Linkerd service mesh.
- Mature Upvest's DORA technical implementation. Partner with our risk and compliance functions to translate DORA's ICT risk management framework (Art. 5–9), secure development and testing requirements (Art. 16), and digital operational resilience testing including threat-led penetration testing (Art. 24–27) into engineering work programmes, and into evidence we can show auditors and regulators.
- Embed security in every product design. Partner deeply with product and engineering teams: architecture reviews, design partnerships, and security champions across product squads. Collaboration beats gatekeeping.
- Stay current on emerging threats. AI / LLM security, agentic identities, and the secure use of AI tooling in our own engineering workflow are an active concern.
- Represent Upvest's security posture clearly to everyone.
# What you bring:

- 6–10 years in security engineering, with 4+ years focused on product security or cloud security, and you work well in a regulated environment. You don't need to check every box, but we're asking for evidence that you've taken security from "owned by one team in a queue" to "embedded in how an engineering org ships."
- Hands-on, technically credible. You earn the trust of engineers by going deep, so you're comfortable reading code, threat modeling designs, debating architectures, and writing tooling when it's valuable.
- Cloud-native security depth. GCP preferred; AWS or Azure transferable. You know IAM, network segmentation, KMS, IaC security (Terraform), and Kubernetes hardening (RBAC, network policies, Pod Security Standards) as a craft.
- Product/Application security foundations. OWASP Top 10 / ASVS, secure code review, SAST/DAST/SCA tooling integration, and supply-chain security (SLSA, artifact signing).
- Lead through influence, not gatekeeping. You drive security outcomes through partnership with engineering teams. You can navigate ambiguity, set direction, and make sound risk-based decisions that scale with the organisation. People want to work with you because you don't just say "no", you say "yeah, and this is how".
- Hire and grow people. You've built or grown a small team. You set a high bar in interviews, invest in onboarding, give real-time feedback, and address performance issues quickly and fairly.
- Communicate cleanly across audiences. A security incident write-up for engineering, a control narrative for an auditor, and a risk briefing for executives are three different documents, and you can write all three.