Product Manager - Security & Trust (EMEA/AMER)
Posted Apr 29
at supabase
Remote
Responsibilities
- Lead Supabase's platform security roadmap end-to-end, from the defaults that protect a developer prototyping their first project to the advanced controls a Fortune 500 CISO needs before approving us.
- Hold the line between security and developer experience.
- Drive the roadmap for the security tooling customers use to operate safely on Supabase: firewall, security advisors, audit logs, Supabase Vault, just-in-time database access, and the IAM primitives that let regulated customers get to "yes" with their security team.
- Define the unified access model across Supabase.
- Lead our security strategy for AI agents.
- Translate what you hear into a roadmap that earns trust at every customer size, from the indie hacker prototyping their first project to the Fortune 500 CISO evaluating us for their most regulated workloads.
- Ship the docs that go with the code.
About Supabase
- Supabase is the Postgres development platform, built by developers for developers to help them ship countless products that people love.
- Security is foundational to that trust, and as we move deeper into AI-native development, regulated industries, and enterprise, it shapes whether a developer chooses us on day one and whether a regulated company can build their most sensitive workloads on Supabase.
- Supabase already runs a strong compliance program with SOC2 and HIPAA in place.
About the role
- We're looking for a PM who can balance the constant tension between security and developer experience at platform scale.
- A control that's too strict pushes developers off the platform; one that's too easy to bypass doesn't protect anyone.
Requirements
- Have deep working knowledge of the security primitives our customers use, like authentication, authorization (RBAC, RLS), audit logging, secrets management, and OAuth.
- Have a track record of leading cross-functional initiatives across Product, Engineering, Security, GTM, and Compliance, and of driving multi-team RFCs from proposal to shipped code.
- You can draft a customer-facing security disclosure, an internal threat model, a docs page, or a one-pager for a CISO without losing voice or precision.
- You've worked alongside auditors and security teams on programs like SOC2, HIPAA, ISO 27001, PCI, or FedRAMP, and you can tell which requirements are real customer needs and which are checkbox theater.
- Technical depth in Postgres, auth systems, or networking primitives.
-