# Platform Architect & Backend Lead

**Company:** [Flatgigs](http://jobs.workable.com/companies/bh7RV78XZ4FSh2oNPXBBYa.md)
**Location:** Remote
**Workplace:** remote
**Employment type:** Full-time

## Description

**About the Role**

We are building a multi-tenant, hardware-agnostic IoT platform from the ground up. We need a senior engineer who can design the system architecture in the morning and write production backend code in the afternoon. This is not an architecture-only role and not a coding-only role — it is both, simultaneously, in a fast-moving early-stage environment. You will also own cloud infrastructure as interim DevOps until we scale.

**The Ideal Candidate**

You have built IoT backend platforms before — not just used them. You understand the hard problems: device auth at scale, MQTT broker design, time-series ingestion performance, multi-tenant data isolation, and real-time delivery to web clients. You are comfortable making architectural decisions autonomously, documenting them clearly, and standing by them. You work remotely with discipline — you flag risks before they become problems.

**Key Responsibilities**

**Platform Architecture**

1.  Design the full end-to-end IoT platform architecture: device connectivity layer → MQTT/protocol ingestion → stream processing → time-series storage → REST/GraphQL API layer → real-time WebSocket delivery
2.  Define the multi-tenant data model: strict data isolation between customers, tenant-scoped API tokens, row-level security
3.  Design the device lifecycle system: provisioning, X.509/JWT authentication, device registry, status tracking, decommissioning
4.  Architect the protocol abstraction layer so MQTT, Modbus, OPC-UA, CoAP, and HTTP devices all normalise to the same internal data model
5.  Design a configurable rule engine: event-condition-action rules for alerts, automations, and integrations — no code required from customers
6.  Plan OTA firmware update management: secure delivery, versioning, rollback, fleet orchestration
7.  Write Architecture Decision Records (ADRs) for every major technical choice — nothing undocumented
8.  Design the scaling path from 100 devices (pilot) to 500,000+ (production) without structural rework

**Backend Development**

1.  Build core platform services from scratch: device management, telemetry ingestion, rule engine, notification/alerting, OTA update, multi-tenant API gateway
2.  Develop REST and GraphQL APIs with full OpenAPI specification — version-controlled from Day 1
3.  Implement WebSocket and SSE endpoints for real-time telemetry delivery to web and mobile clients
4.  Build device command-and-control with acknowledgement, retry logic, and timeout handling
5.  Implement device shadow service: last-known state of every device accessible even when offline
6.  Write unit, integration, and load tests — no service reaches staging without test coverage
7.  Own service reliability: SLO definitions, alerting runbooks, on-call incident response

**Cloud Infrastructure (Interim)**

1.  Provision and manage all AWS environments (dev, staging, production) using Terraform — no click-ops
2.  Configure AWS IoT Core: MQTT endpoint, topic namespace, rules engine, certificate management
3.  Set up CI/CD pipelines via GitHub Actions for all backend services
4.  Configure CloudWatch monitoring, log aggregation, and automated health alerts
5.  Manage IAM for all team members — least-privilege access, no shared credentials
6.  Hand off infrastructure fully documented when a DevOps engineer joins in Phase 2

## Requirements

1.  7–12 years of software or systems engineering experience; minimum 4 years specifically building IoT platform backends or connected product infrastructure
2.  Expert-level, hands-on experience with AWS IoT Core or Azure IoT Hub — production deployments, not tutorials ⚑ NON-NEGOTIABLE
3.  Expert MQTT knowledge: v3.1 and v5.0, topic hierarchy design, QoS levels, retained messages, Last Will & Testament, broker sizing and clustering ⚑ NON-NEGOTIABLE
4.  Proficiency in Python and Node.js/TypeScript for production backend services — Go is a strong advantage
5.  Hands-on experience with a time-series database: InfluxDB, TimescaleDB, or AWS Timestream
6.  Terraform or AWS CloudFormation — you provision cloud infrastructure programmatically, not through the console
7.  Multi-tenant SaaS backend architecture: data isolation patterns, tenant-scoped access control, shared infrastructure design
8.  Security fundamentals applied in practice: TLS/mTLS, X.509 certificates, OAuth 2.0, JWT, secrets management (Vault or AWS Secrets Manager)
9.  Message broker or streaming experience: Kafka, RabbitMQ, AWS Kinesis, or AWS IoT Rules Engine
10.  Proven ability to work autonomously at a senior level — makes decisions, documents rationale, flags risks without needing to be prompted ⚑ REMOTE DISCIPLINE

**Nice to Have**

1.  Industrial protocol knowledge: Modbus TCP/RTU, OPC-UA, BACnet — even as a consumer or integrator
2.  EMQX, HiveMQ, or VerneMQ broker deployment and production operation
3.  Edge computing runtimes: AWS Greengrass v2, Azure IoT Edge, or Balena
4.  Digital twin frameworks: AWS IoT TwinMaker, Azure Digital Twins
5.  Container orchestration: Kubernetes, ECS, or equivalent for future Phase 2 migration
6.  Open-source IoT contributions or published technical writing on platform architecture

**Skills at a Glance**

**Architecture:** IoT platform end-to-end design · Multi-tenant SaaS patterns · Device lifecycle management · Protocol abstraction · Rule engine design · Horizontal scaling strategy

**Backend:** Python / Node.js / TypeScript / Go · REST + GraphQL API design · WebSocket / SSE real-time delivery · MQTT broker configuration · Time-series DB (InfluxDB / Timestream) · PostgreSQL or equivalent RDBMS

**Cloud & DevOps:** AWS IoT Core / Azure IoT Hub · Terraform / CloudFormation · GitHub Actions CI/CD · Docker containers · CloudWatch monitoring · IAM and security policy management

**Security:** TLS / mTLS configuration · X.509 certificate management · OAuth 2.0 / JWT implementation · Secrets management · Device authentication at scale
