Senior Full-Stack Engineer (Python/FastAPI + React) — Enterprise GRC SaaS

Posted yesterday

Worldwide

Summary

Overview I'm the founder and product owner of a multi-tenant GRC (Governance, Risk & Compliance) platform serving enterprise and regulatory clients. I'm looking for a senior full-stack engineer for a 10-week, fixed-scope engagement structured as three strictly gated milestones, delivering a major feature set for an enterprise client: a complete Vendor Risk Management (VRM) module with on-premise deployment, a compliance lifecycle automation pipeline, and an end-to-end risk management and treatment workflow. The codebase is established and well-structured. You will be extending existing domain models, services, and repository patterns — not greenfielding. Detailed specifications, acceptance criteria, and a GitHub issue backlog exist for every milestone. Tech Stack Backend: Python, SQLModel, PostgreSQL 16, Alembic, asyncpg, pytest Frontend: React (functional components + hooks only), CSS-only animations Infrastructure: Docker / Docker Compose, object storage, reverse proxy, Grafana observability Integrations: External security rating APIs (e.g., SecurityScorecard/BitSight), email/notification hooks, LLM-based AI validation stages Architecture: Multi-tenant with strict tenant isolation, role-based access control, ports-and-adapters pattern for external providers Scope of Work Milestone 1 (Weeks 1–4) — Vendor Risk Management, full scope + on-prem deployment Supplier onboarding with centralized vendor profiles (contacts, contracts, criticality, data-access attributes) Automated same-day inherent risk assessment on vendor creation, with factor-level explainability Per-tenant configurable risk tiers, weights, and thresholds Framework-aligned questionnaire templates (ISO 27001, SOC 2, NIST CSF, CIS) with automated dispatch, reminders, and response tracking One external security-ratings provider adapter + continuous monitoring signal pipeline (score drops, breaches, CVEs) Tier-gated approval workflows, reassessment scheduling, and a four-category alerting system Evidence repository with certification-expiry alerting Operational + executive dashboards with PDF/XLSX export, documented REST API (OpenAPI) Performance validation at 500+ vendors per tenant (pagination, indexing, no N+1s) Docker Compose on-premise deployment profile with a runbook good enough for a clean-VM install Milestone 2 (Weeks 5–7) — Compliance lifecycle automation + custom framework import XLSX/CSV framework importer with row-level validation (imported frameworks behave identically to seeded ones) Evidence collection orchestrator with integration, stub, and manual-upload legs — fully auditable attempts AI evidence validation and AI control assessment stages with persisted verdicts Automatic gap-record creation, control-owner assignment, and framework compliance-rate recalculation Configurable AI confidence gate routing low-confidence verdicts to human review Two-class notification model (informational / action-required) with due-date reminder cadence Milestone 3 (Weeks 8–10) — Risk management workflow + treatment lifecycle Risk dashboard (KPI cards, inherent/residual heat map, department drill-downs, treatment charts) Five-stage risk lifecycle: draft → review → approval with auto-generated register IDs, resend/reject paths Client-configurable risk matrix (Likelihood × Impact) driving inherent and residual scoring KRIs with green/amber/red thresholds and breach tracking Gap-to-risk integration: AI register search, create/update branches, owner approval, AI scoring AI treatment recommendation → approval workflow → auto-created remediation actions → evidence submission → AI re-test → residual risk recalculation → gated gap closure Compliance scoring engine extended to domain and control level with score history How This Engagement Works (please read before applying) Strictly sequential milestones. Milestone N+1 does not start until Milestone N is accepted against written acceptance criteria. Payment is milestone-gated (40% / 25% / 35%). Change maps before code. Structural or domain-logic changes require a short written map (files touched, before/after behavior) before implementation. All work is delivered as branches/PRs for my review — nothing merges directly. No new dependencies (pip or npm) without written approval. Tests are part of the deliverable. Build, lint, and pytest must be green at the end of every milestone; new logic ships with tests. Domain logic stays with me. Scoring formulas, tiering weights, risk-matrix semantics, and AI prompts/judges can be made configurable by you, but their defaults and semantics are proposal-only — I own final decisions. Secrets discipline. All credentials live in backend env / settings — never in code, logs, or frontend env. I commit to a 2-business-day review turnaround on change maps and milestone PRs to keep the schedule moving, and I will supply provider sandbox credentials, format-spec approvals, and prompt reviews on a published schedule. Required Experience 5+ years full-stack development with Python backends and React frontends Production experience with PostgreSQL, SQLModel or SQLAlchemy, and Alembic migrations Multi-tenant SaaS architecture (tenant isolation, RBAC) Third-party API integration behind a ports/adapters pattern Docker Compose deployments; comfort writing operational runbooks Strong testing discipline (pytest, integration tests) Clear written English — change maps and PR descriptions are a core part of the job Nice to Have GRC / compliance / security domain exposure (ISO 27001, SOC 2, NIST CSF, vendor risk) Experience integrating LLM APIs into structured validation/assessment pipelines On-premise or air-gapped deployment experience RTL/i18n awareness (the platform supports Arabic and English) To Apply Please include: A brief note on the most similar milestone-gated or spec-driven engagement you've delivered, and how you handled review gates One example of a multi-tenant or integration-heavy feature you built (a PR, repo, or written walkthrough) Your confirmation that the ground rules above (sequential milestones, change maps, no unapproved dependencies) work for you Availability to start and weekly hours you can commit for 10 weeks Applications that open with a relevant question about the spec, or that reference a specific item from the scope above, will be prioritized. Generic proposals will not be considered.

  • $2,500.00

    Fixed-price
  • Intermediate
    Experience Level
  • Remote Job
  • Complex project
    Project Type
Skills and Expertise
Mandatory skills
AI Agent Development
Python
Activity on this job
  • Proposals:50+
  • Last viewed by client:yesterday
  • Interviewing:
    1
  • Invites sent:
    1
  • Unanswered invites:
    0
About the client
Member since Jun 27, 2026
  • OMN
    Muscat10:02 PM
  • $1.4K total spent
    1 hire, 0 active

Explore similar jobs on Upwork

JavaScript
Web Development
Android
WordPress
Web Design
PHP
HTML
HTML5
iOS
Graphic Design
Looking for iso26262 ExpertHourly‐ Posted 4 weeks ago
Data Entry
Social Media Marketing
Risk Analysis
HAZOP
Data Analysis
YouTube Development
Test Development
Risk Assessment
Analytical Presentation
Content Editing
HazID
Email Marketing Strategy
Social Media Optimization
Web Design

How it works

  • Post a job icon
    Create your free profile
    Highlight your skills and experience, show your portfolio, and set your ideal pay rate.
  • Talent comes to you icon
    Work the way you want
    Apply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
  • Payment simplified icon
    Get paid securely
    From contract to payment, we help you work safely and get paid securely.
Want to get started? Create a profile

About Upwork

  • Rating is 4.9 out of 5.
    4.9/5
    (Average rating of clients by professionals)
  • G2 2021
    #1 freelance platform
  • 49,000+
    Signed contract every week
  • $2.3B
    Freelancers earned on Upwork in 2020

Find the best freelance jobs

Growing your career is as easy as creating a free profile and finding work like this that fits your skills.

Trusted by

  • Microsoft Logo
  • Airbnb Logo
  • Bissell Logo
  • GoDaddy Logo