Glossier is giving voice through beauty as a direct-to-consumer company that leverages the power of personal narrative to own the beauty conversation on the internet. We do this by building products, growing our community, and making decisions in inclusive, customer-devoted, curious, courageous, and discerning ways.
We’re hiring our first Security Engineer to build a robust security discipline for our application development and cloud infrastructure. You’d join our Technology team, working closely with site reliability and performance engineers to ensure Glossier keeps our customer’s trust.
You’d continuously improve our engineering practices and tooling to help us deliver a secure and reliable e-commerce experience.
6 Month Expectations:
- Implement controls to ensure AWS IAM roles and Security groups are configured appropriately.
- Review our configuration management practices, and help implement new tools and practices to enable the engineering team to configure new environments quickly, reliably, and securely.
- Manage our bug bounty program, working with Product Managers and Tech Leads to ensure issues are triaged and fixed appropriately.
- Conduct penetration tests of glossier.com and other key business applications.
- Conduct due diligence with potential vendors to ensure they have appropriate security practices.
- Consult with engineers implementing new features and architectural patterns as a Subject Matter Expert on AppSec.
- Build threat models, and train the tech team on how to use them when developing new features.
- Conduct security reviews on new systems and architectural patterns being introduced at Glossier.
12+ Month Expectations:
- Create policies and tools to ensure new services can easily follow recommended security practices, such as least-privileged access, audit trails for sensitive actions, and centralized logs for investigating incidents.
- Build cloud governance tooling to automatically monitor and enforce our AWS security policies.
- Implement a set of automated scanning and reporting tools to ensure software dependencies are kept up to date, and source code is statically analyzed for vulnerabilities.
- Facilitate red team and security incident response drills.
Our Technology Stack
- GraphQL for our API
- React and Apollo on the frontend
- AWS to host our infrastructure
- Postgres, Redis, DynamoDB, and Redshift as our data stores
- Swift for our retail point-of-sale application
- Datadog and PagerDuty for monitoring and alerting
Our Ideal Candidate
- Has 3+ years of security engineering experience, preferably at a high-growth tech company
- Has written code to fix web app vulnerabilities, patched dependencies, and configured production cloud infrastructure
- Is comfortable participating in our on-call rotation (we get about 1 page per month outside of regular work hours)
- Has implemented frameworks and tooling to continuously monitor for security vulnerabilities
- Is an effective communicator to help other stakeholders understand security concerns
- Can appropriately align security goals with business value and make effective tradeoffs
- Can incrementally deliver value
Glossier is a beauty company that lives in NYC, is sold on the internet, and promotes a skincare first philosophy that celebrates beauty in real life.
We are an Equal Employment Opportunity (“EEO”) Employer. It has been and will continue to be a fundamental policy of Glossier not to discriminate on the basis of race, color, creed, religion, gender, gender identity, pregnancy, marital status, partnership status, domestic violence victim status, sexual orientation, age, national origin, alienage or citizenship status, veteran or military status, disability, medical condition, genetic information, caregiver status, unemployment status or any other characteristic prohibited by federal, state and/or local laws. This policy applies to all aspects of employment, including hiring, promotion, demotion, compensation, training, working conditions, transfer, job assignment, benefits, layoff, and termination.
Last Updated: November 25, 2019
While this Policy is intended to describe the broadest range of our processing activities globally, those activities may be more limited in some jurisdictions based on local laws. For example, the laws of a particular country may limit the types of personal information we can collect or the manner in which we use that information. In those instances, we adjust our internal policies and practices to reflect the requirements of local law. The data controller in each case will be the Glossier entity to which the applicant submits his or her application, as specified below.
I. APPLICABILITY OF OTHER POLICIES
II. INFORMATION WE COLLECT
We collect information in connection with your application to work with us, the categories of personal information we may process about you include:
- Information you provide on our application forms, including full name, telephone number, personal email address, gender, location, availability, employment history (including whether you have previously worked for Glossier), qualifications, references, LinkedIn profile and website (if provided voluntarily), work authorization status, and how you heard about the job;
- Information you provide to us in your resumé, cover letter and any other files you choose to upload or share with us regarding your qualifications, such as design portfolios;
- Information you provide to us during an interview or that we collect through the recruitment process (g. work authorization status, willingness to relocate, salary expectations, type of employment contract, interview notes, results of any assessment);
- Reference information and/or information received from background checks if you are offered a job (where applicable), including information provided by third parties such as past employers, educational institutions and references; and
- Information about your educational and professional background from publicly available sources, including online, that we believe is relevant to your application (g. your LinkedIn profile).
Your decision to apply for a position and provide your personal information to us is voluntary. We will tell you if information is required to move forward with your application.
Sensitive Information: In certain countries, where permitted by law and on a voluntary basis, we may ask questions about race or ethnicity, veteran status and disabilities for specific purposes, such as to accommodate a disability or illness and to comply with legal obligations relating to diversity and anti-discrimination. You are entirely free to decide whether or not to provide such information and your application will not be affected either way. Except as specifically requested, we ask that you avoid submitting information which may qualify as sensitive information under applicable law, including race, religion, ethnicity, nationality, age, gender identity, sexual life or sexual orientation, medical or health information, genetic or biometric data, political opinions, political party or trade union membership and judicial data such as criminal records.
Information About Others: If you provide us with personal information of a reference or any other individual as part of your application, it is your responsibility to obtain consent from that individual prior to providing such information to us.
III. HOW WE COLLECT YOUR INFORMATION
Most of the personal data we process is obtained directly from you, such as when you submit a job application or when we conduct a phone or in-person interview. We may also receive information about you from other sources, such as from your named references, persons who referred you for a position, from background checks (if applicable), recruiting agencies, third party recruitment sources and websites and publicly available sources such as your LinkedIn profile.
- URLs that refer visitors to our websites;
- Search terms used to reach our websites;
- Details about the devices that are used to access our websites (such as IP address, browser information, device information, and operating system information);
- Details about your interaction with our websites (such as the date, time, length of stay, and specific pages accessed during your visits to our websites, and which emails you may have opened); and
- Usage information (such as the number and frequency of visitors to our websites).
We may associate this information with your Glossier account if you have one, the device you use to connect to our Services, or email or social media accounts that you use to engage with Glossier.
IV. HOW WE USE YOUR INFORMATION
We use your personal information to evaluate a potential employment relationship with you and for other business purposes. Such uses include:
- Assessment of your skills, qualifications, and suitability for the role;
- Communication with you about the recruitment process;
- Verification of your information and completion of reference and/or background checks (where applicable) if we offer you a position;
- Retention of records related to our hiring processes, including a record of the name of unsuccessful applicants, the date of their application and the reason that their application was not successful, in order to streamline future hiring processes;
- Legal and compliance purposes, such as responding to suspected fraud, security incidents, or other illegal activity, protecting Glossier’s and others’ rights and property, exercising a legal claim, cooperating with law enforcement investigations and complying with applicable laws, regulations, legal processes or governmental requests;
- Other uses with your consent, which you may withdraw at any time; and
- Other legitimate interests, including our interests in considering candidates for current and future employment opportunities and in managing and improving our recruitment and hiring process.
V. WHO MAY HAVE ACCESS TO YOUR INFORMATION
Within Glossier: We may disclose your personal data to Glossier personnel and affiliates who need to know the information, including personnel in the recruiting, human resources and information technology departments, and in the department responsible for the position for which you are applying.
Third-Party Service Providers: We may use third party service providers acting on Glossier’s behalf to perform some of the services described above. For example, we share certain information with service providers who facilitate our applicant tracking system, video interviews, travel booking and expenses, reporting and analytics and verification/background checking services. We also may share information about you with recruitment agencies working with us in relation to your recruitment as well as with our professional advisors, including accountants, auditors, lawyers, insurers and bankers. These service providers may change over time, but we will always use trusted service providers who we require to take appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal information for specified purposes and, as appropriate, in accordance with our instructions and the provisions of this Policy and applicable law.
Other Third Parties: In certain limited circumstance, we share and/or are obligated to share your personal information with other third parties, including (a) to comply with our obligations, to protect the rights and property of Glossier, our customers and the public, to cooperate with law enforcement investigations, and to detect and respond to suspected illegal activity and threats to the health or safety of any person or of our systems or services; (b) in connection with, or during negotiations of, any merger, joint venture, sale of company assets, financing, or acquisition of all or a portion of our business, assets or stock by another company (including in connection with any bankruptcy or similar proceedings); and/or (c) with your consent and at your direction.
We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.
IV. DATA RETENTION
If your application for employment is unsuccessful (or you withdraw from the process or decline our offer), we will retain your information for a reasonable period of time beyond the end of the application process for the purposes described above, including complying with our legal obligations, resolving disputes and as necessary for our legitimate interests, such as to consider you for other current and future employment opportunities at Glossier. If you do not want us to contact you regarding other roles, please contact email@example.com. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.
VII. YOUR RIGHTS
You may have certain rights under U.S. and international privacy laws in relation to your personal information. This may include the right to access, rectify, port or erase certain personal information we have about you. You may also have the right to object to and restrict certain processing of your data. Certain information may be exempt from such requests pursuant to applicable data protection laws. You can contact firstname.lastname@example.org to exercise your rights in relation to your personal information. We will respond to your request consistent with applicable law.
VIII. CALIFORNIA RESIDENTS
If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to disclose the following information with respect to our collection and use of personal information.
Categories of Personal Information Collected: Over the preceding 12 months, we have collected the following categories of personal information: (1) identifiers, (2) characteristics of protected classifications under California or U.S. law, (3) internet or other electronic activity information, (4) audio, electronic, visual, thermal, olfactory, or similar information, (5) professional or employment-related information, (6) education information, (7) inferences, and (8) other information that identifies, relates, to, describes, or is otherwise reasonably capable of being associated with you. For examples of the precise data points we collect, please see “Information We Collect” [link] above.
Business Purposes for Collecting and Disclosing Information: We collect each category of personal information for the business purposes in the “How We Use Your Information” section above.
IX. EUROPEAN RESIDENTS
If European privacy laws apply to you, our processing of personal information for the purposes mentioned above is based on the following legal grounds:
- As necessary to evaluate and potentially enter into an employment relationship with you;
- With your consent, which you may withdraw at any time;
- To comply with our legal obligations;
- Where necessary to protect your vital interests or those of others; and
- For our (or others’) legitimate interests, including our interests in considering candidates for current and future employment opportunities and in managing and improving our recruitment and hiring process, unless those interests are overridden by your interests or fundamental rights and freedoms.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information for an unrelated purpose, we will notify the relevant individual and we will explain the legal basis which allows us to do so. Where the collection or processing of personal information is based on your consent, you may withdraw your consent at any time to the extent permitted by applicable law.
X. INTERNATIONAL DATA TRANSFERS
Due to the global nature of our business, Glossier may transfer your personal information across international borders, consistent with applicable data protection laws, including to the U.S., Canada and European Economic Area (“EEA”). Where personal information is transferred within Glossier to countries outside of the EEA that are not recognized as providing an adequate level of protection under European privacy laws, we do so through a series of intercompany agreements that implement the Standard Contractual Clauses authorized under European privacy laws. We also use a variety of safeguards to ensure that your personal information is adequately protected when processed by our third-party service providers operating in the U.S. or another country outside of the EEA including by signing EU standard contractual clauses or verifying the recipient adheres to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework. You may request additional information concerning such safeguards from the Privacy team by contacting email@example.com.
Glossier is committed to protecting the security of your personal information and ensuring a level of security appropriate to the risk our data processing presents. Taking into account the costs of implementation, the sensitivity of the data and nature of the data processing, Glossier has implemented organizational, technical and administrative measures to prevent the unauthorized access, destruction, loss, alteration or misuse of personal information.
XII. DATA CONTROLLER
If you apply to a position in the U.S., Glossier, Inc. will be the data controller of your personal information. If you reside in the United Kingdom or EEA, or apply to a position in the EEA, Phase EU Limited will be the data controller. If you reside in Canada, or apply to a position in Canada, Glossier Canada, Inc. will be the data controller.
XIII. CONTACTING GLOSSIER
If you have questions or concerns regarding this Policy, please contact us using the information provided below.
Glossier, Inc. Phase EU Limited
233 Spring Street 5 New Street Square
East 10th Floor London EC 4A 3TW
New York, NY 10012 United Kingdom
If European privacy laws apply to you and you have a concern about our processing of personal information that we are not able to resolve, you have the right to lodge a complaint with the relevant data privacy authority (this may be linked to where you reside, work or the place of any alleged infringement). For contact details of the relevant Data Protection Authority, please see http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
XIV. POLICY UPDATES
We may change this Policy from time to time. The effective date of this Policy is noted in the header at the top of this page. If we make changes to this Policy that have a material impact on your rights with respect to how we process your personal information, we will post the revised version here and use other methods, as appropriate, to notify you. By continuing the recruitment process after those changes become effective, you agree to be bound by the revised Policy.