Data Protection Engineer

About InvoiceCloud: 

InvoiceCloud is a fast-growing fintech leader recognized with 20 major awards in 2025, including USA TODAY and Boston Globe Top Workplaces, multiple SaaS Awards wins for Best Solution for Finance and FinTech, and national customer service honors from Stevie and the Business Intelligence Group. Judges also highlighted our mission to reduce digital exclusion and restore simplicity and dignity to how people pay for essential services, as well as our leadership in AI maturity and responsible innovation. It’s an award-winning, purpose-driven environment where top talent thrives. To learn more, visit InvoiceCloud.com. 

Data Protection Engineer

InvoiceCloud is a fast-growing fintech leader recognized with 20 major awards in 2025, including USA TODAY and Boston Globe Top Workplaces, multiple SaaS Awards wins for Best Solution for Finance and FinTech, and national customer service honors from Stevie and the Business Intelligence Group. Judges also highlighted our mission to reduce digital exclusion and restore simplicity and dignity to how people pay for essential services, as well as our leadership in AI maturity and responsible innovation. It’s an award-winning, purpose-driven environment where top talent thrives. To learn more, visit InvoiceCloud.com. 

Job Details:

We are seeking a highly technical and delivery-focused Data Protection Engineer to support the Cybersecurity, Engineering, and Compliance organizations. This role is responsible for designing, implementing, and continuously improving technical safeguards that protect sensitive corporate and customer data across cloud, endpoint, and enterprise environments.

As a subject matter expert in data security and privacy engineering, this individual deploys and tunes data discovery, classification, DLP, encryption, and key management controls. The Data Protection Engineer partners closely with Engineering, IT, Compliance, Legal, and Privacy stakeholders to embed privacy-by-design principles into how data is created, stored, shared, retained, and monitored.

Success in this role means measurably reducing data exposure risk, strengthening compliance alignment (e.g., SOC 2, PCI, privacy obligations), improving signal quality in data protection tooling, and delivering audit-ready, scalable controls that enable teams to operate quickly and responsibly.

Success Profile:

This role is anchored in our company’s core competencies. These competencies reflect the mindsets and behaviors that define success in this role. We outline how each competency translates into real-world actions and outcomes specific to this role.

Results Driven

• Leads Data Discovery, Classification & DLP Implementation by deploying and tuning data discovery and classification tooling across corporate and cloud environments, expanding coverage of sensitive data repositories and improving DLP signal quality.


• Implements and strengthens Encryption, Tokenization & Key Management Controls, including key rotation, access control enforcement, and break-glass procedures, reducing exposure risk for sensitive corporate and customer data.


• Drives measurable improvements in Data Lifecycle Management & Retention Enforcement in partnership with system owners, ensuring appropriate storage patterns, retention schedules, and secure disposal of data assets.


• Delivers documented 30-, 150-, and 210-day outcomes including expanded classification coverage, reduced DLP false positives, improved encryption posture, and executive-ready reporting on data protection KPIs.

Takes Ownership

• Integrates Data Protection Tooling with Governance & Incident Response Systems (e.g., SIEM/SOAR, ticketing) to ensure DLP alerts, misconfigurations, and exposure risks are investigated and resolved in a structured and auditable manner.


• Partners with Compliance, Legal, and Privacy stakeholders to translate regulatory and contractual obligations into enforceable technical controls aligned to SOC 2, PCI, and privacy requirements.


• Investigates and supports response to Data Protection Incidents, including DLP events, accidental exposure, and misconfiguration scenarios, ensuring corrective actions are tracked to closure.


• Develops and maintains documentation, operational standards, and runbooks that support audit readiness, evidence integrity, and repeatable control execution.

Drives Efficiency

• Automates audit evidence collection and continuous control validation workflows using scripting and APIs (e.g., PowerShell, Python), reducing manual effort and improving reliability of compliance reporting.


• Standardizes data protection configurations, labeling models, and DLP policy structures to improve consistency across systems and reduce operational friction.


• Establishes repeatable dashboards and metrics to measure data protection coverage, control effectiveness, false-positive rates, and remediation timelines.


• Embeds privacy-by-design principles into product and engineering workflows by providing structured guidance on secure data flows, storage patterns, logging, and access controls.

Innovative

• Applies forward-looking data protection strategies to address evolving cloud, collaboration, and SaaS risks, ensuring controls adapt to modern work patterns and distributed environments.


• Leverages AI and automation to enhance data classification accuracy, improve anomaly detection in DLP alerts, and generate actionable insights from data protection telemetry.


• Continuously evaluates emerging data governance and privacy engineering capabilities, translating new tooling and best practices into scalable improvements across the enterprise.

Requirements

• Bachelor’s degree in Information Security, Computer Engineering, or a related field (or equivalent experience).


• 5+ years of experience in data security, privacy engineering, or security engineering roles.


• Hands-on experience with data discovery, classification, and governance platforms (e.g., Microsoft Purview, OneTrust, or similar).


• Experience implementing and tuning DLP controls across endpoints, email, collaboration platforms, and cloud storage environments.


• Experience implementing encryption, tokenization, and key management controls.


• Familiarity with compliance frameworks such as SOC 2, PCI, and privacy regulations.


• Ability to automate workflows and integrations using scripting and APIs (PowerShell, Python, or similar).


• Strong documentation and cross-functional collaboration skills.


• Certifications such as CDPSE, CIPT, Security+, or similar are a plus.


• High integrity and sound judgment when handling sensitive and confidential information.

InvoiceCloud is committed to providing equal employment opportunities to all employees and applicants. We do not tolerate discrimination or harassment of any kind based on race, color, religion, age, sex, nationality, disability, genetic information, veteran or military status, sexual orientation, gender identity or expression, or any other characteristic protected under applicable laws.

This commitment applies to all aspects of employment, including recruitment, hiring, placement, promotion, termination, layoff, recall, transfer, leave, compensation, and training.

If you require a disability-related or religious accommodation during the application or recruitment process, and wish to discuss possible adjustments, please contact [email protected].

Click here to review InvoiceCloud’s Job Applicant Privacy Policy.

For recruitment agencies: InvoiceCloud does not accept unsolicited resumes from agencies. Please do not forward resumes to our job aliases, employees, or any other company location. InvoiceCloud is not responsible for any fees associated with unsolicited submissions.