Platform Architect & Backend Lead

About the Role

We are building a multi-tenant, hardware-agnostic IoT platform from the ground up. We need a senior engineer who can design the system architecture in the morning and write production backend code in the afternoon. This is not an architecture-only role and not a coding-only role - it is both, simultaneously, in a fast-moving early-stage environment. You will also own cloud infrastructure as interim DevOps until we scale.

The Ideal Candidate

You have built IoT backend platforms before - not just used them. You understand the hard problems: device auth at scale, MQTT broker design, time-series ingestion performance, multi-tenant data isolation, and real-time delivery to web clients. You are comfortable making architectural decisions autonomously, documenting them clearly, and standing by them. You work remotely with discipline - you flag risks before they become problems.

Key Responsibilities

Platform Architecture

1. Design the full end-to-end IoT platform architecture: device connectivity layer MQTT/protocol ingestion stream processing time-series storage REST/GraphQL API layer real-time WebSocket delivery
2. Define the multi-tenant data model: strict data isolation between customers, tenant-scoped API tokens, row-level security
3. Design the device lifecycle system: provisioning, X.509/JWT authentication, device registry, status tracking, decommissioning
4. Architect the protocol abstraction layer so MQTT, Modbus, OPC-UA, CoAP, and HTTP devices all normalise to the same internal data model
5. Design a configurable rule engine: event-condition-action rules for alerts, automations, and integrations - no code required from customers
6. Plan OTA firmware update management: secure delivery, versioning, rollback, fleet orchestration
7. Write Architecture Decision Records (ADRs) for every major technical choice - nothing undocumented
8. Design the scaling path from 100 devices (pilot) to 500,000+ (production) without structural rework

Backend Development

1. Build core platform services from scratch: device management, telemetry ingestion, rule engine, notification/alerting, OTA update, multi-tenant API gateway
2. Develop REST and GraphQL APIs with full OpenAPI specification - version-controlled from Day 1
3. Implement WebSocket and SSE endpoints for real-time telemetry delivery to web and mobile clients
4. Build device command-and-control with acknowledgement, retry logic, and timeout handling
5. Implement device shadow service: last-known state of every device accessible even when offline
6. Write unit, integration, and load tests - no service reaches staging without test coverage
7. Own service reliability: SLO definitions, alerting runbooks, on-call incident response

Cloud Infrastructure (Interim)

1. Provision and manage all AWS environments (dev, staging, production) using Terraform - no click-ops
2. Configure AWS IoT Core: MQTT endpoint, topic namespace, rules engine, certificate management
3. Set up CI/CD pipelines via GitHub Actions for all backend services
4. Configure CloudWatch monitoring, log aggregation, and automated health alerts
5. Manage IAM for all team members - least-privilege access, no shared credentials
6. Hand off infrastructure fully documented when a DevOps engineer joins in Phase 2

Requirements

1. 7-12 years software or systems engineering; minimum 4 years specifically building IoT platform backends or connected product infrastructure
2. Expert-level, hands-on experience with AWS IoT Core or Azure IoT Hub - production deployments, not tutorials NON-NEGOTIABLE
3. Expert MQTT knowledge: v3.1 and v5.0, topic hierarchy design, QoS levels, retained messages, Last Will & Testament, broker sizing and clustering NON-NEGOTIABLE
4. Proficiency in Python and Node.js/TypeScript for production backend services - Go is a strong advantage
5. Hands-on experience with a time-series database: InfluxDB, TimescaleDB, or AWS Timestream
6. Terraform or AWS CloudFormation - you provision cloud infrastructure programmatically, not through the console
7. Multi-tenant SaaS backend architecture: data isolation patterns, tenant-scoped access control, shared infrastructure design
8. Security fundamentals applied in practice: TLS/mTLS, X.509 certificates, OAuth 2.0, JWT, secrets management (Vault or AWS Secrets Manager)
9. Message broker or streaming experience: Kafka, RabbitMQ, AWS Kinesis, or AWS IoT Rules Engine
10. Proven ability to work autonomously at a senior level - makes decisions, documents rationale, flags risks without needing to be prompted REMOTE DISCIPLINE

Nice to Have

1. Industrial protocol knowledge: Modbus TCP/RTU, OPC-UA, BACnet - even as a consumer or integrator
2. EMQX, HiveMQ, or VerneMQ broker deployment and production operation
3. Edge computing runtimes: AWS Greengrass v2, Azure IoT Edge, or Balena
4. Digital twin frameworks: AWS IoT TwinMaker, Azure Digital Twins
5. Container orchestration: Kubernetes, ECS, or equivalent for future Phase 2 migration
6. Open-source IoT contributions or published technical writing on platform architecture

Skills at a Glance

Architecture: IoT platform end-to-end design Multi-tenant SaaS patterns Device lifecycle management Protocol abstraction Rule engine design Horizontal scaling strategy

Backend: Python / Node.js / TypeScript / Go REST + GraphQL API design WebSocket / SSE real-time delivery MQTT broker configuration Time-series DB (InfluxDB / Timestream) PostgreSQL or equivalent RDBMS

Cloud & DevOps: AWS IoT Core / Azure IoT Hub Terraform / CloudFormation GitHub Actions CI/CD Docker containers CloudWatch monitoring IAM and security policy management

Security: TLS / mTLS configuration X.509 certificate management OAuth 2.0 / JWT implementation Secrets management Device authentication at scale