AppSec & Mobile Cybersecurity Lead

Paidy Inc/Paidy合同会社 · Tokyo, Japan
// classified as
Other (Adjacent or hard to classify.)
posted
<1d ago
location
Tokyo, Japan
languages
go, java, python
tools
aws, docker, terraform
> stack
go, java, python, rust, scala, aws, docker, terraform
> description
<table> <tbody> <tr> <td> <p><strong>About Paidy Inc.</strong></p> </td> </tr> <tr> <td> <p>Paidy is Japan's pioneer and leading BNPL service company. At Paidy, we believe in creating simple, instant experiences to take the hassle out of shopping with a touch of magic.</p> <p>Paidy offers instant, monthly-consolidated credit to consumers by removing hassles from payment and purchase experiences. Paidy uses proprietary models and machine learning to underwrite transactions in seconds and guarantee payments to merchants. Paidy increases revenue for merchants by reducing the number of incomplete transactions, increasing conversion rates, boosting average order values, and facilitating repeat purchases from consumers.</p> <p>Paidy has reached an agreement to join PayPal, the global payments company. Paidy will continue to operate its existing business, maintain its brand and support a wide variety of consumer wallets and marketplaces by providing convenient and innovative services.</p> <p>Paidy continues to innovate to make shopping easier and more fun both online and offline. For more information, please visit http://www.paidy.com.</p> </td> </tr> <tr> <td> <p><strong>About the Position</strong></p> </td> </tr> <tr> <td> <p>Cybersecurity is everyone’s responsibility, but our security team leads the charge on solving some of the most challenging and consequential problems facing our organization and industry. As a fintech company operating within a larger corporate group, we navigate a dynamic regulatory landscape while integrating our security program with our parent company’s broader initiatives.</p> <p>The AppSec &amp; Mobile Cybersecurity Lead is responsible for designing, implementing, and scaling security across Paidy’s iOS and Android applications, mobile APIs, and backend services. 
This role hardens the systems that power our consumer and merchant experiences by embedding security into the software development lifecycle, building automation that scales with engineering velocity, and staying ahead of an evolving threat landscape that now includes AI-driven attacks and AI-generated fraud. The successful candidate will collaborate closely with mobile engineering, platform, and compliance teams, as well as external auditors and our parent company’s security teams.</p> </td> </tr> <tr> <td> <p><strong>Key Role &amp; Responsibilities</strong></p> </td> </tr> <tr> <td> <p><strong>Application &amp; Mobile Security Architecture:</strong></p> <ul> <li>Define and enforce application and mobile security standards across iOS/Android apps, mobile APIs, backend services, and the SDLC</li> <li>Lead AppSec and mobile security architecture, ensuring strong access controls, secure data handling, resilient client-server interactions, and appropriate platform-level protections</li> <li>Partner with mobile and backend engineering teams to design secure-by-default services that balance usability, fraud and abuse resistance, and privacy requirements</li> <li>Conduct threat modeling to proactively identify and mitigate risks across the mobile and application stack</li> <li>Own the design and security of REST and GraphQL APIs, with a solid command of the OAuth2 protocol and mobile authentication flows</li> </ul> <p><strong>CI/CD Security &amp; Automation:</strong></p> <ul> <li>Build and scale security testing within CI/CD pipelines: SAST, SCA, DAST, secrets scanning, container scanning, IaC checks, MAST, binary analysis, and SBOMs for mobile build infrastructure</li> <li>Integrate security gates into CircleCI and GitHub workflows, ensuring security findings are surfaced early and tracked to resolution</li> <li>Build custom security tooling to automate recurring security validation, coverage measurement, and control verification tasks</li> <li>Own container image and 
runtime scanning across mobile and application build infrastructure</li> </ul> <p><strong>Vulnerability Management &amp; Threat Landscape:</strong></p> <ul> <li>Own the vulnerability management lifecycle for applications and mobile: triage SLAs, risk ratings, remediation guidance, verification, and recurring root-cause fixes through secure coding patterns and hardened libraries</li> <li>Monitor the mobile and application threat landscape (e.g. OWASP MASVS/MSTG, OWASP Top 10, API threats, and mobile fraud patterns) and translate intelligence into actionable engineering priorities</li> <li>Track and respond to emerging AI-era threats including LLM and agent supply chain attacks, prompt injection, model abuse in integrated AI features, and AI-generated fraud patterns targeting mobile payment flows</li> <li>Communicate vulnerability risk and remediation posture clearly to engineering teams and security leadership</li> </ul> <p><strong>Compliance Support:</strong></p> <ul> <li>Support audit and compliance programs including SOC 2 (Type 1 and Type 2), ISO 27001, the Japan Act on the Protection of Personal Information (APPI), and the Japan Installment Sales Act (割賦販売法)</li> <li>Provide AppSec and mobile security evidence, control mapping, and remediation tracking in support of internal and external audits led by the GRC &amp; Cybersecurity Lead</li> <li>Develop and maintain secure coding standards and application security policies in collaboration with engineering and compliance stakeholders</li> </ul> <p><strong>Engineering Enablement &amp; AI-Augmented Tooling:</strong></p> <ul> <li>Mentor engineering teams on secure design patterns, mobile hardening, and threat-aware development</li> <li>Build and maintain security automation using scripting, workflow tools, and AI coding tools including Claude Code to scale security coverage, reduce manual burden, and track KPI and KRI metrics</li> <li>Leverage AI-driven tooling to continuously validate security controls, detect 
regressions, and surface risk trends across the application and mobile estate</li> <li>Deliver security awareness and enablement programs tailored to mobile and application engineers</li> </ul> </td> </tr> <tr> <td> <p><strong>Skills &amp; Requirements</strong></p> </td> </tr> <tr> <td> <p><strong>Required Qualifications &amp; Experience:</strong></p> <ul> <li>5+ years of experience in application security, mobile security, or DevSecOps with demonstrated technical depth</li> <li>Strong hands-on Android and iOS development and security hardening expertise</li> <li>Experience with end-to-end vulnerability management including SAST, SCA, and DAST tooling&nbsp;</li> <li>Proven experience building security controls into CI/CD pipelines on AWS</li> <li>Experience with container scanning (image and runtime) and infrastructure as code security checks</li> <li>Solid understanding of the OAuth2 protocol and experience designing and securing REST and GraphQL APIs at scale</li> <li>Broad software development experience in one or more of: Rust, Scala, Python, Java, or equivalent modern languages</li> <li>Extensive experience with AWS cloud security across common services (API Gateway, Lambda, ECS, RDS, and related)</li> <li>Confidence with Docker and Terraform as development and infrastructure tools</li> <li>Hands-on experience using AI coding tools (e.g., Claude Code) to build or automate security workflows</li> <li>Effective communicator with a pragmatic approach to security — able to build strong relationships with engineering and business stakeholders</li> <li>Business-level English required; Japanese language ability is helpful but not required</li> <li>B.S. 
in Computer Science, Information Security, or a related field, or equivalent practical experience</li> </ul> <p><strong>Desired Qualifications &amp; Experience:</strong></p> <ul> <li>Japanese language proficiency (JLPT 2 or above)</li> <li>Experience securing mobile payments or fintech applications in regulated environments</li> <li>Demonstrated history of building custom internal security tools, not only consuming commercial products</li> <li>Familiarity with the Japanese regulatory environment including APPI and the Installment Sales Act (割賦販売法)</li> <li>Prior experience defending mobile platforms at scale against fraud, abuse, and automated attacks</li> </ul> <p>The Paidy team will ask about your user experience with the Paidy App during the interview. Please download the Paidy App and try it out!</p> <ul> <li>iOS: <a href="https://apps.apple.com/jp/app/paidy/id1220373112">https://apps.apple.com/jp/app/paidy/id1220373112</a></li> <li>Android: https://play.google.com/store/apps/details?id=com.paidy.paidy&amp;hl=en&amp;gl=US</li> </ul> <p><em>If you are unable to download the Paidy App due to regional restrictions, please download a similar app, such as Klarna, Afterpay or Affirm, and form your own opinions on those applications and services.</em></p> <p>Please note that you must be eligible to work in Japan.</p> </td> </tr> <tr> <td> <p><strong>What We Offer You</strong></p> </td> </tr> <tr> <td> <ul> <li>Diverse team with 230+ colleagues from 35+ countries</li> <li>Exciting work opportunities in a rapidly growing organization</li> <li>Cross-functional collaboration</li> <li>Hybrid remote work model - minimum 2 times in office per week (subject to change at company discretion)</li> <li>Competitive salary and benefits</li> </ul> </td> </tr> <tr> <td> <p><strong>Paidy Values</strong></p> </td> </tr> <tr> <td> <p><strong>Be a winner / 勝ちにこだわる</strong></p> <ul> <li>Always seek to beat expectations. 
/ 期待値を超える為に常に努力する。</li> <li>Display surprising speed and resourcefulness. / 人をスピードと機知で驚かす。</li> <li>Overcome weaknesses by leveraging the strength and help of others to win. / 仲間の強みを活かしたり協力を得ることで、自身の弱みや足りない点を克服する。</li> </ul> <p><strong>Own it and deliver, together / 共に結果を出す</strong></p> <ul> <li>Fully support the final decision even if at times you may disagree. / たとえ意見が対立することがあったとしても、最終決定を全面的に受け入れ支持する。</li> <li>Acknowledge and gather the power of others, by communicating and collaborating with them. / 仲間の力を認めて活用し、積極的にコミュニケーションをとり、協力する。</li> <li>Show a will to own actions and go the extra mile without being asked. / 行動について強いオーナーシップを持ち、言われずとも業務を遂行しきる覚悟を持つ。</li> </ul> <p><strong>Be a valuable team member / 価値を認められるメンバーになる</strong></p> <ul> <li>Strive to play an integral role. / 替えの効かない役割を果たす。</li> <li>Embrace and bridge differences in perspective, language, and culture. / 異なる意見・考え方、言語と文化の架け橋になる。</li> <li>Don’t compromise - raise the bar for yourself and others. / スタンダードを上げ続けることに妥協しない。</li> </ul> </td> </tr> </tbody> </table>