IoT Platform Architect & Backend Lead

About the Role

We are building a multi-tenant, hardware-agnostic IoT platform from the ground up. We need a senior engineer who can design the system architecture in the morning and write production backend code in the afternoon. This is not an architecture-only role and not a coding-only role — it is both, simultaneously, in a fast-moving early-stage environment. You will also own cloud infrastructure as interim DevOps until we scale.

The Ideal Candidate

You have built IoT backend platforms before — not just used them. You understand the hard problems: device auth at scale, MQTT broker design, time-series ingestion performance, multi-tenant data isolation, and real-time delivery to web clients. You are comfortable making architectural decisions autonomously, documenting them clearly, and standing by them. You work remotely with discipline — you flag risks before they become problems.

Key Responsibilities

Platform Architecture

1. Design the full end-to-end IoT platform architecture: device connectivity layer → MQTT/protocol ingestion → stream processing → time-series storage → REST/GraphQL API layer → real-time WebSocket delivery
2. Define the multi-tenant data model: strict data isolation between customers, tenant-scoped API tokens, row-level security
3. Design the device lifecycle system: provisioning, X.509/JWT authentication, device registry, status tracking, decommissioning
4. Architect the protocol abstraction layer so MQTT, Modbus, OPC-UA, CoAP, and HTTP devices all normalise to the same internal data model
5. Design a configurable rule engine: event-condition-action rules for alerts, automations, and integrations — no code required from customers
6. Plan OTA firmware update management: secure delivery, versioning, rollback, fleet orchestration
7. Write Architecture Decision Records (ADRs) for every major technical choice — nothing undocumented
8. Design the scaling path from 100 devices (pilot) to 500,000+ (production) without structural rework

Backend Development

1. Build core platform services from scratch: device management, telemetry ingestion, rule engine, notification/alerting, OTA update, multi-tenant API gateway
2. Develop REST and GraphQL APIs with full OpenAPI specification — version-controlled from Day 1
3. Implement WebSocket and SSE endpoints for real-time telemetry delivery to web and mobile clients
4. Build device command-and-control with acknowledgement, retry logic, and timeout handling
5. Implement device shadow service: last-known state of every device accessible even when offline
6. Write unit, integration, and load tests — no service reaches staging without test coverage
7. Own service reliability: SLO definitions, alerting runbooks, on-call incident response

Cloud Infrastructure (Interim)

1. Provision and manage all AWS environments (dev, staging, production) using Terraform — no click-ops
2. Configure AWS IoT Core: MQTT endpoint, topic namespace, rules engine, certificate management
3. Set up CI/CD pipelines via GitHub Actions for all backend services
4. Configure CloudWatch monitoring, log aggregation, and automated health alerts
5. Manage IAM for all team members — least-privilege access, no shared credentials
6. Hand off infrastructure fully documented when a DevOps engineer joins in Phase 2

Requirements

1. 7–12 years software or systems engineering; minimum 4 years specifically building IoT platform backends or connected product infrastructure
2. Expert-level, hands-on experience with AWS IoT Core or Azure IoT Hub — production deployments, not tutorials ⚑ NON-NEGOTIABLE
3. Expert MQTT knowledge: v3.1 and v5.0, topic hierarchy design, QoS levels, retained messages, Last Will & Testament, broker sizing and clustering ⚑ NON-NEGOTIABLE
4. Proficiency in Python and Node.js/TypeScript for production backend services — Go is a strong advantage
5. Hands-on experience with a time-series database: InfluxDB, TimescaleDB, or AWS Timestream
6. Terraform or AWS CloudFormation — you provision cloud infrastructure programmatically, not through the console
7. Multi-tenant SaaS backend architecture: data isolation patterns, tenant-scoped access control, shared infrastructure design
8. Security fundamentals applied in practice: TLS/mTLS, X.509 certificates, OAuth 2.0, JWT, secrets management (Vault or AWS Secrets Manager)
9. Message broker or streaming experience: Kafka, RabbitMQ, AWS Kinesis, or AWS IoT Rules Engine
10. Proven ability to work autonomously at a senior level — makes decisions, documents rationale, flags risks without needing to be prompted ⚑ REMOTE DISCIPLINE

Nice to Have

1. Industrial protocol knowledge: Modbus TCP/RTU, OPC-UA, BACnet — even as a consumer or integrator
2. EMQX, HiveMQ, or VerneMQ broker deployment and production operation
3. Edge computing runtimes: AWS Greengrass v2, Azure IoT Edge, or Balena
4. Digital twin frameworks: AWS IoT TwinMaker, Azure Digital Twins
5. Container orchestration: Kubernetes, ECS, or equivalent for future Phase 2 migration
6. Open-source IoT contributions or published technical writing on platform architecture

Skills at a Glance

Architecture: IoT platform end-to-end design · Multi-tenant SaaS patterns · Device lifecycle management · Protocol abstraction · Rule engine design · Horizontal scaling strategy

Backend: Python / Node.js / TypeScript / Go · REST + GraphQL API design · WebSocket / SSE real-time delivery · MQTT broker configuration · Time-series DB (InfluxDB / Timestream) · PostgreSQL or equivalent RDBMS

Cloud & DevOps: AWS IoT Core / Azure IoT Hub · Terraform / CloudFormation · GitHub Actions CI/CD · Docker containers · CloudWatch monitoring · IAM and security policy management

Security: TLS / mTLS configuration · X.509 certificate management · OAuth 2.0 / JWT implementation · Secrets management · Device authentication at scale