Software Engineer, Governance

Location: San Francisco

Department: Engineering

Location Type: HYBRID

Employment Type: FULL_TIME

• Data Access Control Layer: Design and build the system that enforces table-level, column-level, and row-level access controls across Retool's database connectors. You might work on: policy modeling, query rewriting to inject security constraints at the data engine, and building the admin UX that makes complex rules intuitive to configure. The goal: when a builder creates an app, the data security is already handled, automatically and invisibly.
• Hub & Admin Setup: Redesign how administrators onboard and manage Retool. Build the landing page experience, global search, and the guided setup flow that gets enterprises from sign-up to first production app faster. Surface security insights, flag under-authenticated resources, and create the admin dashboard that makes platform health visible at a glance. Build the features that change Retool from something that admins manage to a system that is self managing and self healing, with proper admin oversight and controls.
• Projects: Build the new organizational primitive for Retool. Projects group apps, agents, and workflows into a shared space with their own membership and role-based permissions. You'd design the data model, build the permissions layer, and create the UI that gives teams a clear home base, replacing a flat, unstructured console with something that scales to hundreds of teams.
• Automated Security Center & Admin Control Panel: Build the intelligent layer that proactively keeps Retool secure and well-governed. Surface under-authenticated resources, flag potentially dangerous access patterns, monitor usage analytics and spend, and integrate with compliance and DLP tools so security and admin teams get actionable insights instead of raw data, and Retool gets smarter about protecting customers the more they use it.
• Spaces & Instance Management: Build the controls that let enterprises govern multiple Retool Spaces and instances from a single pane of glass. Enforce organization-wide policies, like requiring all Spaces to use a specific SSO provider or AI configuration, and proactively identify misconfigurations or deviations from compliance requirements.

• 2–8 years of professional software engineering experience, ideally some of which you've spent at startups
• Experience owning technically challenging, cross-functional projects from start to finish
• Strong fundamentals across the entire stack, with a strong grasp of backend systems design, data modeling, and building reliable, scalable software
• You communicate clearly in design docs, code reviews, and cross-functional discussions
• You care about code quality, testing, and leaving the codebase better than you found it
• You're motivated by solving real customer problems, not just writing clever code

• Familiarity with Terraform or infrastructure-as-code practices
• Exposure to dbt, Databricks, or data pipeline tooling
• Experience building authorization, access control, or security systems
• Experience with policy engines, query rewriting, or data governance platforms
• Familiarity with RBAC, ABAC, or relationship-based access control models (Zanzibar, OPA, Cedar)
• Familiarity with authentication and authorization protocols (OAuth, SAML, SCIM, or similar)
• Experience designing taming complexity in admin-facing UIs or platform management tools