Senior Platform Engineer (Azure DevSecOps)

90786
Toronto, Ontario
Permanent/Direct Hire
7 hours ago

AI x Biotech Startup
Full-time
Toronto, ON / Montreal, QC

Company Overview:
Join our visionary and rapidly growing AI x Biotech startup, based in the heart of the MaRS Discovery District in Toronto. Intrepid Labs is at the forefront of revolutionizing pharmaceutical development through the integration of machine learning, automation and advanced computing. Our team of scientists and engineers is dedicated to advancing drug development and improving patient outcomes. As we embark on this exciting journey, we are seeking a talented and passionate Security and Compliance Engineer to join our founding team in our pursuit of transforming drug development.

Our Company Culture:
At Intrepid Labs, we believe in fostering an environment of collaboration, innovation, and continuous learning. Our team members are not only passionate about the work they do but also about creating a workplace that encourages inclusivity, adaptability, and mutual respect.

The Role
We're looking for a Senior Platform Engineer to own the design and execution of our new isolated-tenant Azure architecture end-to-end. You will be the technical authority on how we provision, deploy, secure, and operate dozens (and eventually hundreds) of independent client environments.
You'll partner directly with our engineering team and the founders. You'll have the autonomy to choose tools, set patterns, and define how this platform is built for the next five years. If you've ever wanted to draw the architecture on a whiteboard and be the one who ships it, this is that role.
This is not a maintenance role. The first twelve months are a build.

What You Will Do
• Architect the isolated-tenant infrastructure. Design and build the Infrastructure as Code (Terraform or Azure Bicep) that lets us “stamp out” a fully isolated client environment — VNet, subnets, Private Endpoints, Azure Front Door, compute, and PostgreSQL Flexible Server — in a single, repeatable, audited workflow. Developers should never touch the Azure Portal to provision a tenant.
• Own the multi-tenant CI/CD pipelines. Design pipelines (GitHub Actions or Azure DevOps) that can safely roll out Python/FastAPI services and orchestrate zero-downtime PostgreSQL schema migrations across dozens of independent client databases in parallel, with progressive rollout, automated rollback, and per-tenant gating.
• Codify security and compliance into the platform. Work alongside our Security Lead to make compliance a property of the infrastructure itself: Azure Policy as guardrails, Customer-Managed Keys (CMK) via Key Vault, Zero Trust networking with Private Endpoints and no public data-plane exposure, Just-In-Time (JIT) and PIM-based access, and immutable Azure Log Analytics retention designed to satisfy FDA 21 CFR Part 11 audit requirements.
• Define the operational model. Build the observability, alerting, runbooks, and on-call patterns for a fleet of identical-but-isolated environments. Drift detection, cost attribution per tenant, and disaster recovery (per-tenant RPO/RTO) all live in your domain.
• Set the engineering bar for the platform. Establish IaC module standards, state management strategy, code review patterns, and the contract between platform and application teams. You will mentor engineers who touch infrastructure and raise the floor across the org.

Requirements
• 5+ years of deep Azure networking experience, including hands-on design of Private Link / Private Endpoints, VNet peering, hub-and-spoke topologies, NSGs, Azure Firewall or equivalent, and DNS strategy for private workloads.
• Mastery of Infrastructure as Code with Terraform and/or Azure Bicep, including managing complex remote state, module design for fleet-scale reuse, and safe handling of breaking changes across many environments.
• Strong, demonstrable expertise in fleet-wide database migrations — coordinating zero-downtime schema changes across many independent PostgreSQL databases using tools like Flyway, Liquibase, Alembic, or equivalent. You have opinions about expand/contract migrations and have lived through the consequences of getting them wrong.
• Production CI/CD ownership with GitHub Actions or Azure DevOps Pipelines, including matrix/fan-out deployments, environment promotion, and progressive delivery.
• Security-first mindset. You design assuming breach. You can speak fluently about Zero Trust, identity-based access, secrets management, key rotation, and the difference between “encrypted” and “actually encrypted the way an auditor wants.”
• Comfort operating Python services in production (FastAPI a plus) — you don't need to write the application code, but you need to deploy, observe, and debug it credibly.
• Strong written communication. You will write the design docs that our customers' CISOs eventually read.

Nice-to-Haves
• Direct experience with regulated industries — pharma, healthcare, financial services — and compliance frameworks like FDA 21 CFR Part 11, GxP, HIPAA, or SOC 2 Type II.
• Experience operating PostgreSQL Flexible Server at scale on Azure, including HA, PITR, and major-version upgrades.
• Familiarity with Azure Front Door, WAF, and DDoS Protection in multi-tenant routing scenarios.
• Background working with Customer-Managed Keys, HSM-backed Key Vault, and key rotation across a fleet.
• Prior experience leading a multi-tenant → single-tenant (“silo”) architectural migration.
• Kubernetes (AKS) experience, particularly with workload identity and private clusters.
• Cost engineering chops — you know how to keep a per-tenant architecture from becoming a per-tenant invoice problem.

The pay range that the employer reasonably expects to pay for this position is between CA$140,000 and CA$160,000.

Our voluntary benefits offering includes medical, dental, vision and retirement benefits.

This posting is for an existing vacancy.

Tundra Technical Solutions is a global workforce and technology delivery firm, ranked by Staffing Industry Analysts as one of the largest in North America. At Tundra, we aren't just hiring top talent at the world's most recognizable brands; we are pioneers of social recruitment. We are an equal opportunity employer, and we do not discriminate on the basis of race, religion, color, national origin, sex, sexual orientation, age, veteran status, disability, genetic information, or other legally protected characteristics. We welcome and encourage diversity in the workplace.

We use artificial intelligence tools to help our recruiters screen and assess talent. These tools do not replace human decision making in the process.
