← Trabajos

Senior Full-Stack Engineer (Python/FastAPI + React) — Enterprise GRC SaaS

Presupuesto: $2500.0 FIXED / ⭐ 5.00 (1) OMN

python, api-integration, automation

Overview I'm the founder and product owner of a multi-tenant GRC (Governance, Risk & Compliance) platform serving enterprise and regulatory clients. I'm looking for a senior full-stack engineer for a 10-week, fixed-scope engagement structured as three strictly gated milestones, delivering a major feature set for an enterprise client: a complete Vendor Risk Management (VRM) module with on-premise deployment, a compliance lifecycle automation pipeline, and an end-to-end risk management and treatment workflow. The codebase is established and well-structured. You will be extending existing domain models, services, and repository patterns — not greenfielding. Detailed specifications, acceptance criteria, and a GitHub issue backlog exist for every milestone. Tech Stack Backend: Python, SQLModel, PostgreSQL 16, Alembic, asyncpg, pytest Frontend: React (functional components + hooks only), CSS-only animations Infrastructure: Docker / Docker Compose, object storage, reverse proxy, Grafana observability Integrations: External security rating APIs (e.g., SecurityScorecard/BitSight), email/notification hooks, LLM-based AI validation stages Architecture: Multi-tenant with strict tenant isolation, role-based access control, ports-and-adapters pattern for external providers Scope of Work Milestone 1 (Weeks 1–4) — Vendor Risk Management, full scope + on-prem deployment Supplier onboarding with centralized vendor profiles (contacts, contracts, criticality, data-access attributes) Automated same-day inherent risk assessment on vendor creation, with factor-level explainability Per-tenant configurable risk tiers, weights, and thresholds Framework-aligned questionnaire templates (ISO 27001, SOC 2, NIST CSF, CIS) with automated dispatch, reminders, and response tracking One external security-ratings provider adapter + continuous monitoring signal pipeline (score drops, breaches, CVEs) Tier-gated approval workflows, reassessment scheduling, and a four-category alerting system Evidence repository with certification-expiry alerting Operational + executive dashboards with PDF/XLSX export, documented REST API (OpenAPI) Performance validation at 500+ vendors per tenant (pagination, indexing, no N+1s) Docker Compose on-premise deployment profile with a runbook good enough for a clean-VM install Milestone 2 (Weeks 5–7) — Compliance lifecycle automation + custom framework import XLSX/CSV framework importer with row-level validation (imported frameworks behave identically to seeded ones) Evidence collection orchestrator with integration, stub, and manual-upload legs — fully auditable attempts AI evidence validation and AI control assessment stages with persisted verdicts Automatic gap-record creation, control-owner assignment, and framework compliance-rate recalculation Configurable AI confidence gate routing low-confidence verdicts to human review Two-class notification model (informational / action-required) with due-date reminder cadence Milestone 3 (Weeks 8–10) — Risk management workflow + treatment lifecycle Risk dashboard (KPI cards, inherent/residual heat map, department drill-downs, treatment charts) Five-stage risk lifecycle: draft → review → approval with auto-generated register IDs, resend/reject paths Client-configurable risk matrix (Likelihood × Impact) driving inherent and residual scoring KRIs with green/amber/red thresholds and breach tracking Gap-to-risk integration: AI register search, create/update branches, owner approval, AI scoring AI treatment recommendation → approval workflow → auto-created remediation actions → evidence submission → AI re-test → residual risk recalculation → gated gap closure Compliance scoring engine extended to domain and control level with score history How This Engagement Works (please read before applying) Strictly sequential milestones. Milestone N+1 does not start until Milestone N is accepted against written acceptance criteria. Payment is milestone-gated (40% / 25% / 35%). Change maps before code. Structural or domain-logic changes require a short written map (files touched, before/after behavior) before implementation. All work is delivered as branches/PRs for my review — nothing merges directly. No new dependencies (pip or npm) without written approval. Tests are part of the deliverable. Build, lint, and pytest must be green at the end of every milestone; new logic ships with tests. Domain logic stays with me. Scoring formulas, tiering weights, risk-matrix semantics, and AI prompts/judges can be made configurable by you, but their defaults and semantics are proposal-only — I own final decisions. Secrets discipline. All credentials live in backend env / settings — never in code, logs, or frontend env. I commit to a 2-business-day review turnaround on change maps and milestone PRs to keep the schedule moving, and I will supply provider sandbox credentials, format-spec approvals, and prompt reviews on a published schedule. Required Experience 5+ years full-stack development with Python backends and React frontends Production experience with PostgreSQL, SQLModel or SQLAlchemy, and Alembic migrations Multi-tenant SaaS architecture (tenant isolation, RBAC) Third-party API integration behind a ports/adapters pattern Docker Compose deployments; comfort writing operational runbooks Strong testing discipline (pytest, integration tests) Clear written English — change maps and PR descriptions are a core part of the job Nice to Have GRC / compliance / security domain exposure (ISO 27001, SOC 2, NIST CSF, vendor risk) Experience integrating LLM APIs into structured validation/assessment pipelines On-premise or air-gapped deployment experience RTL/i18n awareness (the platform supports Arabic and English) To Apply Please include: A brief note on the most similar milestone-gated or spec-driven engagement you've delivered, and how you handled review gates One example of a multi-tenant or integration-heavy feature you built (a PR, repo, or written walkthrough) Your confirmation that the ground rules above (sequential milestones, change maps, no unapproved dependencies) work for you Availability to start and weekly hours you can commit for 10 weeks Applications that open with a relevant question about the spec, or that reference a specific item from the scope above, will be prioritized. Generic proposals will not be considered.
Abrir en Upwork