Director of Governance, Risk, Compliance & Trust

About The Position

Requirements

• You are a pragmatic, execution-oriented GRCT leader with deep experience operating regulated SaaS environments. You bring 10+ years of experience in Information Security, Risk, or Compliance, including senior ownership of FedRAMP Moderate/High programs from authorization through steady-state operations.
• You have a builder mindset, with hands-on experience implementing modern GRC automation platforms and driving a shift from manual compliance processes toward Continuous Control Monitoring.
• You exercise strong risk judgment, evaluating control gaps, exception requests, and architectural trade-offs pragmatically—translating security and compliance requirements into practical, scalable engineering controls.
• You are a trusted partner to Engineering, with the technical literacy to lead Security Impact Analyses (SIA) and embed compliance into DevOps and CI/CD workflows rather than bolting it on after the fact.
• You bring a commercial lens to trust, with experience supporting customer assurance and GTM efforts—from complex security questionnaires to executive-level conversations with enterprise and public sector customers.
• You are an operational and people leader, skilled at establishing operating rhythms, defining meaningful program metrics, driving predictable execution, and coaching high-ownership teams.
• You are a clear and credible communicator, able to distill complex technical and regulatory topics into concise, actionable guidance for technical teams and senior leadership.
• You have a Bachelor’s degree in Information Security, Computer Science, Engineering, Information Systems, or a related field (or equivalent practical experience) and possess relevant security certifications such as CISM, CISSP, or CISA.

Responsibilities

• Public Sector Compliance Ownership: Own Everlaw’s public sector compliance posture, including FedRAMP and GovRAMP authorization and ongoing maintenance.
• Regulatory & Contractual Requirements: Ensure compliance with specialized regulatory and contractual requirements (e.g., CJIS, FTI), partnering with HR, Security, and Legal to support personnel, access, and operational controls.
• Global & Industry Certifications: Accountable for global and industry certifications, including SOC 2, ISO 27001/27017/27018, UK CE+, GDPR, and HIPAA, enabling effective IC-led execution.
• Audit Readiness & Execution: Ensure sustained audit readiness through clear control ownership, effective evidence management, and scalable compliance processes.
• Strategic Certifications & Market Access: Own the go/no-go framework for pursuing new certifications or regulatory authorizations (e.g., ISO 42001), balancing customer demand, regulatory risk, and business priorities.
• Regulatory Awareness: Continuously monitor emerging regulatory and industry requirements and advise leadership on impact, readiness, and timing.
• Security Risk Identification & Management: Oversee the identification, assessment, and tracking of information security risks; partner with risk owners to remediate risks in a timely manner.
• Security Impact Analysis (SIA): Partner with Security Engineering to lead the SIA process for major system, infrastructure, and product changes, where SecEng conducts technical SIA and GRCT evaluates risk, notification, and escalation requirements.
• Third-Party Security Risk: Oversee the vendor security risk lifecycle, from onboarding through ongoing monitoring and renewal, ensuring risks are assessed and managed in proportion to data sensitivity and business criticality while supporting efficient procurement.
• Pragmatic Governance & Decision Support: Maintain security policies, standards, and exception processes aligned with how Engineering, Security and IT teams operate, and act as a trusted advisor to facilitate risk-based decisions on architectural trade-offs and control exceptions.
• Emerging Technology & Risk Visibility: Govern security risks related to emerging technologies, including AI/ML, and provide clear, audit-ready risk reporting to leadership that integrates with compliance and evidence pipelines.
• Customer Trust Ownership: Own Everlaw’s customer-facing trust posture, ensuring external representations of security, privacy, and compliance accurately reflect internal controls and risk decisions.
• Trust Center & Artifacts: Set direction and provide oversight for Everlaw’s Trust Center and related trust artifacts, ensuring content is accurate, current, and aligned with internal governance, while enabling first-line execution by the Customer Trust function.
• Customer Assurance Model: Partner with Sales, Customer Success, and Legal to support customer security questions, reviews, and audits, acting as the escalation point for complex, high-risk, or non-standard requests to maintain sales velocity and deal integrity
• Strategic Engagement: Act as a subject matter expert in executive-level customer conversations on trust and security compliance topics as needed, particularly for enterprise and public sector customers.
• Feedback Loop: Ensure customer trust insights and recurring assurance themes inform risk governance and compliance priorities.
• Program Operations & Scalability: Drive operational excellence across GRCT programs by improving core processes, reducing manual effort, and ensuring programs scale efficiently as Everlaw grows by integrating GRC workflows directly into Engineering and Product lifecycles.. Identify and eliminate friction in high-velocity workflows such as the security questionnaire response, SIA, and vendor reviews.
• Systems, Automation & Tooling: Own the evolution of the GRCT tech stack (e.g., real-time compliance platforms), increasing automation and data quality to move the organization toward automated Continuous Control Monitoring (CCM) and “audit once, satisfy many” outcomes.
• Metrics & Execution Rigor: Establish clear program metrics and operating rhythms to track effectiveness, surface bottlenecks, and drive predictable execution across compliance, risk, and trust activities.
• People & Team Leadership: Lead, coach, and develop GRCT team members, providing clear expectations, performance feedback, and growth opportunities while fostering a high-ownership, execution-focused culture.
• Continuous Improvement & Resourcing: Champion continuous improvement by incorporating lessons learned from audits and customer feedback into program enhancements. Manage the GRCT roadmap and resource planning to ensure the function is equipped to support Everlaw’s expanding certification requirements.

Benefits

• The expected salary range for this role is between $230,000 and $312,000. The final offered salary will be dependent upon many factors including the candidate’s experience and skills. The base pay range is subject to change in the future.
• Equity program
• 401(k) retirement plan with company matching
• Health, dental, and vision
• Flexible Spending Accounts for health and dependent care expenses
• Paid parental leave and approximately 10 days (80 hours) per year of sick leave
• Seventeen paid vacation days plus 11 federal holidays
• Membership to Modern Health to help employees prioritize mental health and wellness
• Annual allocation for Learning & Development opportunities and applicable professional membership dues
• Company-sponsored life and disability insurance
• Work in Uptown Oakland, just steps from the BART line and dozens of restaurants and walking distance to Lake Merritt
• Flexible work-from-home days on Tuesdays and Fridays
• Monthly home internet reimbursement
• Select your preference of hardware (Mac or PC) and customize your desk setup
• Enjoy a wide variety of snacks and beverages in the office
• Bond over company-wide out-of-the-box events and fun activities with your team
• Time off for company-sponsored volunteer events and 4 paid hours per quarter to volunteer at a charitable organization of your choice
• Take advantage of learning and career development opportunities