Governance Risk Compliance (GRC) Manager
About the role
We are looking for our first dedicated GRC hire. This is an ownership, hands-on role. You will build and run our compliance program end-to-end — not as a support function, but as a core part of how we earn and keep customer trust.
Responsibilities
Own our SOC 2 audit end-to-end, including the transition from point-in-time to a rolling 12-month window
Serve as the primary liaison with our external auditors
Maintain the evidence repository and ensure controls are documented, tested, and current
Own and maintain Vanta as the system of record for our compliance program
Maintain and continuously improve our policy library — keeping policies accurate, readable, and actually followed
Run the GRC calendar: tabletop exercises, prepare security committee meetings, security awareness training, and annual reviews
Identify control gaps and drive remediation across Engineering, IT, HR, and Operations
Own and manage the trust center
Manage the inbound security questionnaire queue for enterprise sales — turn these around quickly and accurately with a sales-forward mindset to accelerate deals
Support vendor security reviews on both sides: evaluating vendors we onboard and participating in customer-side reviews of us
Maintain the risk register and lead regular risk review cadences
Identify, document, and escalate risks across people, vendors, and infrastructure
Support Engineering and Infra lead these, but you keep them on-track and ensure findings are tracked and remediated
Lay groundwork for future frameworks as the business requires: e.g., ISO 27001, GDPR, FedRAMPS
Support Legal and commercial contracting on security-related clauses and DPAs
Support HR policy development in partnership with the Head of HR, including security-related employee policies, acceptable use, and onboarding/offboarding procedures
Requirements
Required: 3–5 years of GRC, compliance, or IT audit experience, ideally in a SaaS or highly technical environment
Hands-on experience with multiple SOC 2 audits — not advisory, not adjacent, but in the room with the auditors and owning the evidence
Strong written communication (including customer-facing communications) and comfortable writing policy, not just reviewing it
Ability to learn quickly in a fast-paced, high-growth environment
Relevant certifications: CISA, CISSP, CISM, CCSK, or similar
Familiarity with ISO 27001, GDPR, or FedRAMP frameworks
Experience supporting Legal on DPAs or commercial security schedules
Experience owning or heavily using a GRC tool (Vanta preferred)
Compensation Range
$140K - $170K