Senior backend engineer (6+ years) in wearables, spanning payments and healthcare. I build secure, reliable backend systems and partner integrations in regulated environments, and I take features from idea to production—architecture, implementation, monitoring, and iteration.
I thrive in product-driven teams where engineers collaborate closely with product to define the problem, make pragmatic trade-offs, and improve based on real customer feedback. I value maintainability and operational excellence: building systems is only half the job; running them well is the other half.
github.com/shruthiakkal, https://www.linkedin.com/in/shruthiakkal/
Skills: Node.js, Python, JavaScript, TypeScript, System architecture, Database schema design | CI/CD: GitHub Actions, CircleCI, Unit & Integration testing, Containerization - Docker | AWS - VPC design: public, private subnets, route tables, NAT, VPC endpoints, Load balancing: ALB, path-based routing, target groups | Compute: ECS, EC2, Lambda | Storage: S3, EBS | Databases: RDS/Postgres, caching (Redis), Mongo/DocumentDB | IAM: least privilege policies, role-based access | IaC: AWS CDK, CloudFormation | Observability: Log aggregation (CloudWatch / Wazuh) | Metrics & dashboards: CloudWatch metrics | Security & compliance: WAF, security groups, NACLs, TLS termination, KMS encryption, key policies, auto-rotation, AWS Config, Audit readiness: evidence collection, Secrets handling: SSM, Secrets Manager, KMS, HSM, Container security basics: image scanning
Domains: Payments, Healthcare & Wearables
These are the services and languages that I have used either in payments or healthcare projects. Payments leaned towards key handling, data encryption, and security by following compliance. In Healthcare, I had to deal with PII, real-time data handling, data storage and query patterns.
Companies
Conzumex Industries Pvt Ltd (Muse Wearables - Company Website) - 2019 to 2026 - Bengaluru, Karnataka, India
Positions held:
Senior Backend Engineer - 2022 to 2026 Jan
Software Product Developer - 2020 - 2022
Python and Algorithm Developer - 2019 - 2020
All India Institute Of Medical Sciences (Laboratory Oncology Unit at the AIIMS), 2019 Feb to 2019 Sept - New Delhi, India
Position held: Junior Research Fellow
Indian Institute of Technology Madras (Environmental Engineering - Bioaerosol research), Dec 2017 to Jan 2019 - Chennai, India
Position held: Project Associate
Vellore Institute of Technology, Vellore, India (2015 - 2017)
Master of Technology (Biomedical Engineering)
Vinayaka Missions University, Chennai, India (2011 - 2015)
Bachelor of Engineering (Biomedical Engineering)
Projects - Payments
1. Secure Element Issuer – TSM (SEI-TSM) for Ring One (Tap-to-Pay)
What I built?
Built an in-house Secure Element Issuer - Trusted Service Manager (SEI-TSM) to provision and manage payment credentials on the ring’s Secure Element. The service orchestrates secure-channel setup and APDU script execution for applet lifecycle operations and key management, and integrates with tokenization partners for payment provisioning.
Why SEI-TSM?
For a wearable product, the "last mile" is the Secure Element: provisioning reliability, lifecycle control, and debugging matter as much as the tokenization integration. Owning the SEI-TSM meant we could:
control applet lifecycle and Secure Element operations end-to-end,
ship changes faster without waiting for a third-party TSM roadmap,
and build better observability and recovery patterns for real-world device/network issues.
How I got the project?
I was initially maintaining backend services for the health stack. In parallel, I researched the payments architecture and SE/TSM responsibilities, documented risks and system design options, and presented a plan to leadership. Based on that, I took ownership of leading the SEI-TSM build starting Dec 2024.
Design & implementation (TypeScript / Node.js / Express)
Real-time provisioning channel (WebSockets): Provisioning is a long-lived, ordered command exchange: the backend sends APDU script steps, the companion app forwards them to the ring over Bluetooth/NFC, and returns APDU responses. We used WebSockets because it gives:
A single persistent session per provisioning attempt (low overhead),
True bidirectional messaging (server can push the next step immediately),
And predictable ordering without polling or complex REST correlation.
Session model: provisioning is connection-scoped. If the WebSocket disconnects, we end the session and restart provisioning from zero on the next attempt (no resume).
Implemented lifecycle controls: heartbeats, server-side TTL, and cleanup on disconnect.
GlobalPlatform secure channel (SCP02 + SCP03): Implemented GlobalPlatform Secure Channel support to securely manage Security Domains and applet lifecycle operations:
Built the full INITIALIZE UPDATE / EXTERNAL AUTHENTICATE flow for mutual authentication and secure messaging.
Supported both: SCP02 (3DES / Retail MAC) and SCP03 (AES-CMAC)
Implemented secure messaging mechanics including keyset/version handling, security levels, APDU wrapping, chaining/ICV handling, and failure diagnostics (without logging secrets).
Crypto/key custody: Integrated key operations with AWS KMS / CloudHSM for non-exportable key material and controlled access paths. Sensitive material is never written to logs or persisted in plaintext.
AWS deployment and security
Network isolation: Ran SEI-TSM on EC2 in private subnets (no public IPs), inbound access only through a load balancer with tightly scoped Security Groups, outbound internet access only via NAT Gateway for required external calls, used VPC Endpoints where possible (S3, SSM) to keep AWS service traffic private, environment separation (dev/stage/prod) to reduce cross-env risk.
Application security & data handling: Express middleware for authN/authZ, schema validation, rate limiting, and strict error handling, TLS everywhere; mTLS for service-to-service where required, data minimization: we do not store cardholder data. Persisted only non-sensitive workflow identifiers and provisioning status, logging is structured: no keys, no sensitive payloads, added automated checks (“CHD detectors” + unit tests) to fail builds if sensitive fields appear in DB writes or logs.
CI/CD + delivery: Built CI/CD with GitHub Actions to test, build, and package services into Docker images, published versioned images to Docker Hub (immutable tags such as commit SHA / release tags), deployed containerized services on AWS ECS, and maintained a separate deployment path for private-subnet EC2 services.
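One way a "CHD detector" check like the one mentioned under application security and data handling could work, as an added example that is not the author's or the project's code. All function names, the field-name list and the sample records are assumptions constructed for illustration.

```typescript
// Added illustration; all names here are hypothetical, not from the project.
type Finding = { path: string; reason: string };

// Field names that must never reach a log line or DB document (assumed list).
const SENSITIVE_KEYS = ["pan", "cardnumber", "cvv", "cvc", "track2", "pin"];

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits: string): boolean {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True if text holds a 13-19 digit run (spaces/dashes allowed) passing Luhn.
function containsPan(text: string): boolean {
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((r) => luhnValid(r.replace(/[ -]/g, "")));
}

// Walk a log record or DB document and report every CHD-looking location.
function findChd(value: unknown, path: string = "$"): Finding[] {
  const out: Finding[] = [];
  if (typeof value === "string" || typeof value === "number") {
    if (containsPan(String(value))) out.push({ path, reason: "PAN-like value" });
  } else if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) {
      const child = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
      const norm = key.toLowerCase().replace(/[_-]/g, "");
      if (SENSITIVE_KEYS.indexOf(norm) !== -1) out.push({ path: child, reason: "sensitive field name" });
      out.push(...findChd(obj[key], child));
    }
  }
  return out;
}

// Constructed sample records (4111... is the well-known test PAN).
const SAMPLE_RECORDS: unknown[] = [
  { level: "info", msg: "provisioning step ok", correlationId: "c-7f3a" },
  { level: "error", msg: "tokenize failed for 4111 1111 1111 1111" },
  { event: "db.write", doc: { orderId: "o-1", card: { cvv: "***" } } },
];

// CI gate: a unit test asserts this is empty for every captured log/DB write.
const SAMPLE_FINDINGS = findChd(SAMPLE_RECORDS);
```

A field-name match is reported even when the value is masked, so the gate flags a schema that could carry card data and not only a value that already leaked.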
2. PCI DSS v4.0 readiness for MDES (Mastercard Digital Enablement Service) program testing (Muse Wearables)
Leading PCI DSS v4.0 readiness and security architecture work required to progress production testing with Mastercard MDES.
Partnered with an external cybersecurity firm and auditors to define PCI scope (CDE segmentation), validate control coverage, and prepare audit evidence.
Worked closely with the CTO to design and implement backend security architecture on AWS: network isolation (VPC/private subnets), encryption standards (KMS/CloudHSM where required), IAM least-privilege + access control matrix, key rotation procedures, and audit-ready centralized logging.
Coordinated creation of ~23 PCI security policies/standards aligned to backend operations (e.g., firewall/network security, access control, logging & monitoring, vulnerability management, incident response, change management, secure configuration, data retention).
Implemented AWS Config Conformance Packs and continuous compliance checks, centralized logs to S3, SSM Session Manager instead of SSH.
VAPT completed; policy set in finalization + evidence iteration with auditors.
Program management: drove prioritization and delivery under tight timelines (started mid-Dec 2025; first VAPT submission by Jan 15, 2026), and translated PCI requirements into actionable engineering tasks across infra + application code.
3. Token Service Provider (TSP) Integrations: MDES (Mastercard) + NPCI (India) Tokenization
What I built?
Implemented backend integrations with Mastercard MDES and NPCI tokenization APIs to support card-to-token provisioning flows for a wearable product. Built API adapters, cryptographic request packaging, certificate/mTLS setup, and validation utilities to meet scheme/TSP security requirements.
Why did this matter?
Tokenization is the bridge between the product and the payment ecosystem. A correct integration isn’t just "call an API", it requires strict security controls (mTLS, key exchange, payload encryption, signature verification), careful data handling (no sensitive data leakage), and operational reliability (retries, idempotency, auditability).
Design & implementation (Node.js / TypeScript / Express)
Integrated Mastercard MDES and NPCI tokenization APIs using Node.js/Express, implementing secure request/response handling.
Implemented mutual TLS for outbound calls to TSP endpoints and certificate-chain validation (Root/Intermediate/Leaf). Used OpenSSL certificate verification.
Applied scheme security controls: encrypted sensitive payload elements using TSP public keys before API calls; used RSA/AES/ECC as required, and implemented signature verification for integrity/authenticity checks.
Enforced strict data minimization (no sensitive data in DB/logs) with structured logging, allowlists, and end-to-end traceability using correlation IDs.
Improved production reliability using idempotency + retry-safe workflows, consistent error classification.
Achievements & Soft skills - payments work
Global Fintech Fest 2025 – Tap & Pay Launch: Mumbai, October 2025: Led backend execution for a live wearable payment demo under a 4-week deadline, coordinating across internal teams and external partners; received recognition from payment network and Secure Element partners for technical execution and delivery rigor.
LinkedIn post by National Payments Corporation Of India (NPCI)
Leadership & ownership:
Technical ownership of a high-stakes, cross-functional system (payments + wearable + security)
Driving architecture decisions and balancing tradeoffs (security vs UX recovery, time-to-market)
Stakeholder management: aligning CEO/CTO, product, external auditors, and security vendors
Execution under constraints
Communication:
Explaining complex security/payment concepts to non-specialists (leadership, cross-functional teams)
Writing clear technical documentation: design docs
Collaboration:
Working with external parties: TSP teams (Mastercard, NPCI), chip partners, auditors (PCI DSS), cybersecurity firms
Negotiation/clarification: getting precise requirements, resolving ambiguities in specs, and agreeing on acceptance criteria
Projects - Health
1. Backend Systems for App, Orders, and Wearable Data
1.1) Indiegogo launch backend (Ring One, 2023)
Built backend services to support the Indiegogo Ring launch (Ring One : The most advanced Smart Ring for you) and handle backer onboarding and fulfillment operations.
Implemented order + backer data ingestion (who bought what, quantity, SKU/variants, region).
Built internal workflows to manage shipping details, statuses, and operational reporting.
Generated marketing/ops stats reports by querying purchase and region/SKU data from the database.
Added data validation and reconciliation checks to reduce missing/incorrect backer records.
Tech stack: Node.js Express, MongoDB, PostgreSQL, AWS (EC2, S3, DocumentDB, RDS, Redis, SSH/SSM login, IAM, Route 53, secret manager), CircleCI, Docker
Outcome: smooth backer onboarding + reliable order/shipping visibility for the launch period.
1.2) In-app mini commerce (for existing Ring backers)
Shipped a lightweight in-app commerce flow so Ring backers could purchase additional Muse products after onboarding.
Built backend APIs for product catalog, pricing, cart/checkout, and order history used by the Muse mobile app.
Integrated Stripe Checkout / Payments for payment processing and implemented Stripe webhooks to reliably sync payment state (e.g., checkout completed, payment succeeded/failed, refunds) into our order system.
Implemented eligibility checks so only onboarded backers could access the store and purchase add-on products.
Added discount & coupon calculation rules based on backer tier (Premium vs Lite) and ensured pricing was validated server-side (not trusted from the client).
Improved support workflows by using consistent order IDs, clear status transitions, and traceable event logs for payment --> fulfillment tracking.
1.3) Health & ML Algorithms
Worked with the team on creating and deploying a respiration rate detection algorithm in Python from PPG using signal processing techniques. The algorithm achieved an accuracy of ±1.5 breaths per minute (bpm) in the normal range. Range of prediction: 10 - 40 breaths per minute. The algorithm has been successfully used in Muse Cue wristbands by almost 5000 users. Versions of this algorithm are still used in the latest Ring product.
Sleep staging model from PPG data: XGBoost, ~73% accuracy; optimized footprint (~15 MB) for mobile-edge deployment. Deployed in the Ring product.
2. COVID-period Health Monitoring System
Worked on a backend platform that helped hospitals monitor patient vitals in near real time (HR, SpO₂, respiratory rate). My work was mostly on building and improving the data + alerting pieces so clinicians could catch deterioration early.
Implemented an almost real-time alert pipeline using MongoDB and Firebase, and helped tune it so alerts were actionable (ended up generating 500+ critical alerts).
Wrote Python services to calculate individual baselines and detect meaningful changes rather than relying on one-size-fits-all thresholds, using PostgreSQL/MongoDB as sources.
Worked closely with clinicians to validate accuracy using de-identified data, and adjusted the logic based on clinical feedback.
Tech: Python (Flask), Node.js, PostgreSQL, MongoDB, Twilio, Firebase | Team: Project manager, fellow developers, Senior engineer, and clinicians
Tech skills that I developed:
IoT data ingestion basics: handling device telemetry from a gateway (Raspberry Pi) into a backend (HTTP/MQTT/WebSockets).
Real-time systems: pushing almost live updates to a dashboard using Firebase listeners or WebSockets/SSE.
Backend API development: building ingestion + alert endpoints in Python (Flask) / Node.js with clean request validation.
Alerting logic: thresholds, persistence windows, cooldown/debounce, and avoiding alert spam.
Data modeling, Databases in practice, Data quality handling, Async/retry patterns, Observability (logs)
Soft skills:
Working with cross-functional stakeholders: translating clinician needs into clear engineering requirements.
Iterating based on feedback: tuning thresholds/logic from real-world validation results.
Debugging under pressure.
Communication: writing simple documentation for setup, alert rules, and on-call troubleshooting.
Prioritization: focusing on reliability and correctness over "nice-to-haves" in a healthcare setting.
Ownership mindset (at junior level).
Data responsibility: learning to handle sensitive contexts carefully.
Earlier Experience
Software
Implemented a numerical model in Python for predicting changes in weight over time, taking into consideration multiple factors like calorie intake, activity levels, body measurements, and lifestyle behaviors.
Responsible for creating an internal mailing system that is used to view user engagement systems, such as the number of daily active watch and tracker users and their activities.
Built and launched a software module (Muse assessments) for assessing user habits and lifestyle behaviors.
Created a COVID-19 assessment feature in March 2020 in the health app.
Created user journey for a wearable product that checks body vital measurements (heart rate, SpO2, body temperature, HRV, and respiratory rate).
Research
Implemented multivariate ecological analysis in Python: computed Bray–Curtis distance matrices and ran PCoA to quantify and visualize beta diversity across multiple environmental sampling locations. Validated community differences by combining ordination with group-level comparisons (e.g., clustering patterns by site type) and produced reproducible analysis scripts for research reporting.
Data curation and Image processing: The research involved Minimal Residual Disease Estimation in Multiple Myeloma using Image processing. Supervised the Multiple Myeloma data curation. Advisor: Dr. Ritu Gupta, Laboratory Oncology Unit. Dataset sample: Microscopic Images of Multiple Myeloma