Job Application for AppSec & Mobile Cybersecurity Lead at Paidy Inc/Paidy合同会社

New

About Paidy Inc.

Paidy is Japan's pioneer and leading BNPL service company. At Paidy, we believe in creating simple, instant experiences to take the hassle out of shopping with a touch of magic.

Paidy offers instant, monthly-consolidated credit to consumers by removing hassles from payment and purchase experiences. Paidy uses proprietary models and machine learning to underwrite transactions in seconds and guarantee payments to merchants. Paidy increases revenue for merchants by reducing the number of incomplete transactions, increasing conversion rates, boosting average order values, and facilitating repeat purchases from consumers.

Paidy has reached an agreement to join PayPal, the global payments company. Paidy will continue to operate its existing business, maintain its brand and support a wide variety of consumer wallets and marketplaces by providing convenient and innovative services.

Paidy continues to innovate to make shopping easier and more fun both online and offline. For more information, please visit http://www.paidy.com.

About the Position

Cybersecurity is everyone’s responsibility, but our security team leads the charge on solving some of the most challenging and consequential problems facing our organization and industry. As a fintech company operating within a larger corporate group, we navigate a dynamic regulatory landscape while integrating our security program with our parent company’s broader initiatives.

The AppSec & Mobile Cybersecurity Lead is responsible for designing, implementing, and scaling security across Paidy’s iOS and Android applications, mobile APIs, and backend services. This role hardens the systems that power our consumer and merchant experiences by embedding security into the software development lifecycle, building automation that scales with engineering velocity, and staying ahead of an evolving threat landscape that now includes AI-driven attacks and AI-generated fraud. The successful candidate will collaborate closely with mobile engineering, platform, and compliance teams, as well as external auditors and our parent company’s security teams.

Key Role & Responsibilities

Application & Mobile Security Architecture:

Define and enforce application and mobile security standards across iOS/Android apps, mobile APIs, backend services, and the SDLC
Lead AppSec and mobile security architecture, ensuring strong access controls, secure data handling, resilient client-server interactions, and appropriate platform-level protections
Partner with mobile and backend engineering teams to design secure-by-default services that balance usability, fraud and abuse resistance, and privacy requirements
Conduct threat modeling to proactively identify and mitigate risks across the mobile and application stack
Own the design and security of REST and GraphQL APIs, with a solid command of the OAuth2 protocol and mobile authentication flows

CI/CD Security & Automation:

Build and scale security testing within CI/CD pipelines: SAST, SCA, DAST, secrets scanning, container scanning, IaC checks, MAST, binary analysis, and SBOMs for mobile build infrastructure
Integrate security gates into CircleCI and GitHub workflows, ensuring security findings are surfaced early and tracked to resolution
Build custom security tooling to automate recurring security validation, coverage measurement, and control verification tasks
Own container image and runtime scanning across mobile and application build infrastructure

Vulnerability Management & Threat Landscape:

Own the vulnerability management lifecycle for applications and mobile: triage SLAs, risk ratings, remediation guidance, verification, and recurring root-cause fixes through secure coding patterns and hardened libraries
Monitor the mobile and application threat landscape (e.g. OWASP MASVS/MSTG, OWASP Top 10, API threats, and mobile fraud patterns) and translate intelligence into actionable engineering priorities
Track and respond to emerging AI-era threats including LLM and agent supply chain attacks, prompt injection, model abuse in integrated AI features, and AI-generated fraud patterns targeting mobile payment flows
Communicate vulnerability risk and remediation posture clearly to engineering teams and security leadership

Compliance Support:

Support audit and compliance programs including SOC 2 (Type 1 and Type 2), ISO 27001, the Japan Act on the Protection of Personal Information (APPI), and the Japan Installment Sales Act (割賦販売法)
Provide AppSec and mobile security evidence, control mapping, and remediation tracking in support of internal and external audits led by the GRC & Cybersecurity Lead
Develop and maintain secure coding standards and application security policies in collaboration with engineering and compliance stakeholders

Engineering Enablement & AI-Augmented Tooling:

Mentor engineering teams on secure design patterns, mobile hardening, and threat-aware development
Build and maintain security automation using scripting, workflow tools, and AI coding tools including Claude Code to scale security coverage, reduce manual burden, and track KPI and KRI metrics
Leverage AI-driven tooling to continuously validate security controls, detect regressions, and surface risk trends across the application and mobile estate
Deliver security awareness and enablement programs tailored to mobile and application engineers

Skills & Requirements

Required Qualifications & Experience:

5+ years of experience in application security, mobile security, or DevSecOps with demonstrated technical depth
Strong hands-on Android and iOS development and security hardening expertise
Experience with end-to-end vulnerability management including SAST, SCA, and DAST tooling
Proven experience building security controls into CI/CD pipelines on AWS
Experience with container scanning (image and runtime) and infrastructure as code security checks
Solid understanding of the OAuth2 protocol and experience designing and securing REST and GraphQL APIs at scale
Broad software development experience in one or more of: Rust, Scala, Python, Java, or equivalent modern languages
Extensive experience with AWS cloud security across common services (API Gateway, Lambda, ECS, RDS, and related)
Confidence with Docker and Terraform as development and infrastructure tools
Hands-on experience using AI coding tools (e.g., Claude Code) to build or automate security workflows
Effective communicator with a pragmatic approach to security — able to build strong relationships with engineering and business stakeholders
Business-level English required; Japanese language ability is helpful but not required
B.S. in Computer Science, Information Security, or a related field, or equivalent practical experience

Desired Qualifications & Experience:

Japanese language proficiency (JLPT 2 or above)
Experience securing mobile payments or fintech applications in regulated environments
Demonstrated history of building custom internal security tools, not only consuming commercial products
Familiarity with the Japanese regulatory environment including APPI and the Installment Sales Act (割賦販売法)
Prior experience defending mobile platforms at scale against fraud, abuse, and automated attacks

The Paidy team will ask about your user experiences with the Paidy App during the interview. Please download the Paidy App and try it out!

iOS: https://apps.apple.com/jp/app/paidy/id1220373112
Android: https://play.google.com/store/apps/details?id=com.paidy.paidy&hl=en&gl=US

For those who are not able to download the Paidy App, due to the regional restrictions, please be advised that you download the similar App, such as Klarna, Afterpay, Affirm and so forth, and come up with your opinions on these applications and services.

Please note that you must be eligible to work in Japan.

What We Offer You

Diversified team with 230+ colleagues from 35+ countries
Exciting work opportunities in a rapid-growing organization
Cross-functional collaboration
Hybrid remote work model - minimum 2 times in office per week (subject to change at company discretion)
Competitive salary and benefits

Paidy Values

Be a winner / 勝ちにこだわる

Always seek to beat expectations. / 期待値を超える為に常に努力する。
Display surprising speed and resourcefulness. / 人をスピードと機知で驚かす。
Overcome weaknesses by leveraging the strength and help of others to win. / 仲間の強みを活かしたり協力を得ることで、自身の弱みや足りない点を克服する。

Own it and deliver, together / 共に結果を出す

Fully support the final decision even if at times you may disagree. / たとえ意見が対立することがあったとしても、最終決定を全面的に受け入れ支持する。
Acknowledge and gather the power of others, by communicating and collaborating with them. / 仲間の力を認めて活用し、積極的にコミュニケーションをとり、協力する。
Show a will to own actions and go the extra mile without being asked. / 行動について強いオーナーシップを持ち、言われずとも業務を遂行しきる覚悟を持つ。

Be a valuable team member / 価値を認められるメンバーになる

Strive to play an integral role. / 替えの効かない役割を果たす。
Embrace and bridge differences in perspective, language, and culture. / 異なる意見・考え方、言語と文化の架け橋になる。
Don’t compromise - raise the bar for yourself and others. / スタンダードを上げ続けることに妥協しない。

Create a Job Alert

Interested in building your career at Paidy Inc/Paidy合同会社? Get future opportunities sent straight to your email.

First Name

Last Name

Country

Phone

Location (City)

Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

School

Select...

Degree

Select...

Discipline

Select...

Start date month

Select...

Start date year

End date month

Select...

End date year

Current Base Salary in JPY (Yearly)

Enter number in the following format: xx,xxx,xxx

Current Bonus in JPY (Yearly)

Enter number in the following format: xx,xxx,xxx

Other incentive such as RSUs, housing, allowances, etc. in JPY (Yearly)

Enter number in the following format: xx,xxx,xxx

Total Desired Salary in JPY (Yearly)

The answer can be refined in later interview stages. Please input a ballpark figure in the following format: xx,xxx,xxx

Expected offer date

Please describe when you need to get an offer by?

Please let us know about your other ongoing interview processes (list of companies, interview stage and date, name of company or industry).

i.e.

1st interview on yyyy/mm/dd with xxx company for xxx position

2nd interview on yyyy/mm/dd with xxx company for xxx position

Final interview on yyyy/mm/dd with xxx company for xxx position

Have you been referred from someone at Paidy,Inc?

Have you applied to Paidy, Inc. in the past? If yes, please indicate the details.

Let us know the date(s), agencies used if any, and positions you've applied to.

i.e.

1st application on yyyy/mm/dd through xxx agency for xxx position

2nd application on yyyy/mm/dd through Paidy's website for xxx position

3rd application on yyyy/mm/dd through Linkedin for xxx position

LinkedIn Profile

In which country are you currently located?

This and the following questions help us understand working rights and visa processes that the HR side may have to prepare for.

If you are based in Japan, what is your visa status? (visa type and date of expiration)

採用応募者に対する個人情報の取扱いに関する同意/Letter of Consent for the Handling of Personal Information from Recruitment Applicants

Select...

株式会社Paidy

1.取得および利用目的 (English will follow)

株式会社Paidy(以下「弊社」という)は、弊社への採用をご希望される皆様の氏名、住所、電話番号、メールアドレス等の個人を識別できる情報を取得します。取得の目的は、採用活動(書類審査、面接、評価、応募者への連絡等)のためとし、それ以外の目的での利用はいたしません。

2.個人情報の第三者への提供

弊社は、法令で定める場合を除き、応募者の個人情報について、当該個人の同意を得ずに、業務を委託する場合を除き第三者に提供することはありません。

2.業務の委託

弊社は、ご提供いただいた個人情報を外部の業者に委託し、採用活動等を行なう場合があります。この場合、委託する業者と契約を締結し、個人情報を適正に管理できるようにいたします。

4.安全管理

弊社は、個人情報へのアクセスまたは個人情報の紛失、破壊、改ざん、漏えい等の危険に対して、必要な安全対策を継続的に講じるよう努めます。

5.応募書類の返却・廃棄

採用に至らなかった場合、お預かりした履歴書をはじめとする選考に使用したその他応募書類は、一定期間保管後、弊社で責任を持って廃棄いたします。返却はいたしませんので予めご承知おきください。

6.個人情報提供の任意性

応募者の個人情報の弊社への提供は、応募者の同意に基づく任意ですが、弊社の採用選考に必要な情報が提供されない場合、採用の選考を辞退されたものとみなす場合もありうることを予めご承知おきください。

7.個人情報の開示等の請求に応じる手続き

ご提供いただいた個人情報については、利用目的の通知、開示、内容の訂正、追加又は削除、利用の停止、消去、第三者への提供の停止の請求を弊社問合せ窓口に申し出ることができます。その際、弊社は、ご本人であることを確認したうえで、合理的な期間、法令等に定められた範囲内で対応します。また、一部のご請求については有料となります。手続の詳細は、弊社HP上の「個人情報保護に関する基本方針」(https://terms.paidy.com/privacy) をご確認いただくか、下記あてにお問い合わせください。

8.個人情報管理責任者およびお問い合わせ先

弊社では、個人情報を適切に保護するための管理者を下記の者が担当いたしております。また、個人情報管理に関する問い合わせや開示、訂正または削除のご依頼は下記までご連絡ください。

<個人情報保護管理者>

株式会社Paidy セキュリティ部　情報セキュリティマネジャー

privacy@paidy.com

<個人情報に関するお問い合わせ窓口>

個人情報相談窓口

〒107-6212 東京都港区赤坂9-7-1 ミッドタウン・タワー12階

privacy@paidy.com

--------------------------English--------------------------

Paidy Inc.

Acquisition and Purpose of Use

Paidy Inc. (hereinafter the “Company”) acquires from those who desire to apply for employment opportunities of the Company the information capable of identifying the particular individual, such as name, address, telephone number, and e-mail address. Such acquisition is for the purpose of use in recruitment activities (such as pre-interview screening process, interviews, assessment, and communication with the applicant), and the Company will not use such information for any other purpose.

Third-Party Provision of Personal Information

Unless otherwise authorized under the applicable law, the Company will not provide any personal information from any applicant to any third party other than the suppliers engaged by the Company for services without the consent of the applicant.

Engagement of Suppliers

The Company may engage third-party suppliers for the provision of services for recruitment activities or whatsoever and provide such suppliers with the acquired personal information. In such event, the Company will enter into a contract with the engaged suppliers and secure the proper management of the personal information.

Security Control

The Company will continuously endeavor to implement the security measures as are necessary to protect the personal information from the risks of unauthorized access, loss, destruction, alteration, leakage, and the like.

Return and Disposal of Application Documents

In connection with any applicant whose submission of an application has not resulted in employment by the Company, the Company will store the submitted resume and all other application documents in use for the screening for the time being and will later responsibly dispose of the same. It is hereby acknowledged and agreed in advance that none of such application documents will be returned to the applicants.

Voluntary Submission of Personal Information

The submission of any personal information to the Company by any applicant shall be made on a voluntary basis with the consent of the applicant. However, it is hereby acknowledged and agreed in advance that if any applicant fails to submit the information necessary for the recruitment screening of the Company, such applicant may be deemed as having withdrawn from the recruitment screening process.

Procedures for Responding to Requests for Disclosure of Personal Information

In connection with any submitted personal information, the applicant may make a request to the point of contact at the Company for a notice of the use purpose, disclosure, correction, addition or deletion of the content, termination of use, deletion, or suspension of any third-party provision. At the time of such request, the Company will confirm the identity of the requester and respond to such request within a reasonable term to the scope stipulated under the applicable law or other regulations. Some of the requests require the payment of fees. For the details of such procedures, please check the “Basic Policy for Personal Information Protection” on the Company’s website (https://terms.paidy.com/privacy), or inquire at the following point of contact.

Personal Information Control Manager and Point of Contact

On behalf of the Company, the following personnel serve as the manager for properly managing the personal information. Please address any inquiry for personal information management or any request for disclosure, correction, or deletion to the following.

Information Security Manager, Security Department, Paidy Inc.

privacy@paidy.com

Point of Contact for Personal Information

12th Floor, Midtown Tower, 9-7-1 Akasaka, Minato-ku, Tokyo 107-6212

privacy@paidy.com

AppSec & Mobile Cybersecurity Lead

Apply for this job