Senior Full-Stack Engineer (Python/FastAPI + React) — Enterprise GRC SaaS
Budget: $2500.0
FIXED /
⭐ 5.00 (1)
OMN
python, api-integration, automation
Overview
I'm the founder and product owner of a multi-tenant GRC (Governance, Risk & Compliance) platform serving enterprise and regulatory clients. I'm looking for a senior full-stack engineer for a 10-week, fixed-scope engagement structured as three strictly gated milestones, delivering a major feature set for an enterprise client: a complete Vendor Risk Management (VRM) module with on-premise deployment, a compliance lifecycle automation pipeline, and an end-to-end risk management and treatment workflow.
The codebase is established and well-structured. You will be extending existing domain models, services, and repository patterns — not greenfielding. Detailed specifications, acceptance criteria, and a GitHub issue backlog exist for every milestone.
Tech Stack
Backend: Python, SQLModel, PostgreSQL 16, Alembic, asyncpg, pytest
Frontend: React (functional components + hooks only), CSS-only animations
Infrastructure: Docker / Docker Compose, object storage, reverse proxy, Grafana observability
Integrations: External security rating APIs (e.g., SecurityScorecard/BitSight), email/notification hooks, LLM-based AI validation stages
Architecture: Multi-tenant with strict tenant isolation, role-based access control, ports-and-adapters pattern for external providers
Scope of Work
Milestone 1 (Weeks 1–4) — Vendor Risk Management, full scope + on-prem deployment
Supplier onboarding with centralized vendor profiles (contacts, contracts, criticality, data-access attributes)
Automated same-day inherent risk assessment on vendor creation, with factor-level explainability
Per-tenant configurable risk tiers, weights, and thresholds
Framework-aligned questionnaire templates (ISO 27001, SOC 2, NIST CSF, CIS) with automated dispatch, reminders, and response tracking
One external security-ratings provider adapter + continuous monitoring signal pipeline (score drops, breaches, CVEs)
Tier-gated approval workflows, reassessment scheduling, and a four-category alerting system
Evidence repository with certification-expiry alerting
Operational + executive dashboards with PDF/XLSX export, documented REST API (OpenAPI)
Performance validation at 500+ vendors per tenant (pagination, indexing, no N+1s)
Docker Compose on-premise deployment profile with a runbook good enough for a clean-VM install
Milestone 2 (Weeks 5–7) — Compliance lifecycle automation + custom framework import
XLSX/CSV framework importer with row-level validation (imported frameworks behave identically to seeded ones)
Evidence collection orchestrator with integration, stub, and manual-upload legs — fully auditable attempts
AI evidence validation and AI control assessment stages with persisted verdicts
Automatic gap-record creation, control-owner assignment, and framework compliance-rate recalculation
Configurable AI confidence gate routing low-confidence verdicts to human review
Two-class notification model (informational / action-required) with due-date reminder cadence
Milestone 3 (Weeks 8–10) — Risk management workflow + treatment lifecycle
Risk dashboard (KPI cards, inherent/residual heat map, department drill-downs, treatment charts)
Five-stage risk lifecycle: draft → review → approval with auto-generated register IDs, resend/reject paths
Client-configurable risk matrix (Likelihood × Impact) driving inherent and residual scoring
KRIs with green/amber/red thresholds and breach tracking
Gap-to-risk integration: AI register search, create/update branches, owner approval, AI scoring
AI treatment recommendation → approval workflow → auto-created remediation actions → evidence submission → AI re-test → residual risk recalculation → gated gap closure
Compliance scoring engine extended to domain and control level with score history
How This Engagement Works (please read before applying)
Strictly sequential milestones. Milestone N+1 does not start until Milestone N is accepted against written acceptance criteria. Payment is milestone-gated (40% / 25% / 35%).
Change maps before code. Structural or domain-logic changes require a short written map (files touched, before/after behavior) before implementation. All work is delivered as branches/PRs for my review — nothing merges directly.
No new dependencies (pip or npm) without written approval.
Tests are part of the deliverable. Build, lint, and pytest must be green at the end of every milestone; new logic ships with tests.
Domain logic stays with me. Scoring formulas, tiering weights, risk-matrix semantics, and AI prompts/judges can be made configurable by you, but their defaults and semantics are proposal-only — I own final decisions.
Secrets discipline. All credentials live in backend env / settings — never in code, logs, or frontend env.
I commit to a 2-business-day review turnaround on change maps and milestone PRs to keep the schedule moving, and I will supply provider sandbox credentials, format-spec approvals, and prompt reviews on a published schedule.
Required Experience
5+ years full-stack development with Python backends and React frontends
Production experience with PostgreSQL, SQLModel or SQLAlchemy, and Alembic migrations
Multi-tenant SaaS architecture (tenant isolation, RBAC)
Third-party API integration behind a ports/adapters pattern
Docker Compose deployments; comfort writing operational runbooks
Strong testing discipline (pytest, integration tests)
Clear written English — change maps and PR descriptions are a core part of the job
Nice to Have
GRC / compliance / security domain exposure (ISO 27001, SOC 2, NIST CSF, vendor risk)
Experience integrating LLM APIs into structured validation/assessment pipelines
On-premise or air-gapped deployment experience
RTL/i18n awareness (the platform supports Arabic and English)
To Apply
Please include:
A brief note on the most similar milestone-gated or spec-driven engagement you've delivered, and how you handled review gates
One example of a multi-tenant or integration-heavy feature you built (a PR, repo, or written walkthrough)
Your confirmation that the ground rules above (sequential milestones, change maps, no unapproved dependencies) work for you
Availability to start and weekly hours you can commit for 10 weeks
Applications that open with a relevant question about the spec, or that reference a specific item from the scope above, will be prioritized. Generic proposals will not be considered.
Öppna på Upwork