GRC Engineer

Replit
Foster City, CA
Hybrid

About The Position

Replit is seeking a GRC Engineer to be a key technical contributor to its Governance, Risk, and Compliance (GRC) program. This role is crucial for scaling Replit's platform to support millions of developers and enterprise organizations by ensuring a robust, transparent, and technically sound GRC program. The ideal candidate will architect systems and processes that automate trust, working collaboratively across the organization. This role requires a pragmatic operator who understands that GRC's purpose is to enable the business by balancing rigorous standards with the pace of a high-growth startup.

Requirements

  • 8+ years of experience in GRC or Information Security.
  • Technical Fluency: Ability to communicate effectively with engineering, cloud (GCP/AWS), and security architecture teams. Understanding of how architectural decisions impact risk and compliance.
  • Regulatory Breadth: Deep experience with SOC 2, ISO 27001, PCI, HIPAA, and Privacy laws.
  • Collaborative Communication: Strong ability to explain risk and tradeoffs to technical, legal, and commercial stakeholders.
  • Automation Mindset: Experience with GRC automation tools (e.g., Vanta, Drata) and a focus on reducing manual work.
  • Pragmatism: Ability to distinguish between "checking a box" and reducing risk, focusing on outcomes over optics.
  • Business Enablement: Understanding that the role supports enterprise sales safely and enables innovation through technical trust.
  • Solutions-Oriented: Collaborative, low-ego approach, preferring to fix root causes and empower teams through automation over manual bureaucracy.
  • Clarity: Ability to explain complex regulations in plain English for specific engineering teams.

Nice To Haves

  • Familiarity with FedRAMP, ITAR, or AI regulation is a strong plus.

Responsibilities

  • Act as a technical subject matter expert for the GRC team, driving quality, technical depth, and operational efficiency in security controls.
  • Own the technical vision for Replit’s GRC program, transitioning from manual workflows to "Compliance-as-Code" and automated evidence collection.
  • Champion a culture of security and privacy across the company, educating teams on the purpose of controls.
  • Partner with Architects and Engineering Leads to integrate compliance requirements early in the design phase, translating technical implementations into narratives that satisfy frameworks without hindering development.
  • Collaborate with Legal Counsel to interpret and implement requirements for Privacy (GDPR, CCPA) and emerging AI-specific regulations (e.g., EU AI Act).
  • Manage the Customer Trust Center and handle complex security questionnaires to support the Sales team, acting as a subject matter expert in customer calls.
  • Own and cultivate relationships with external auditors, serving as the liaison between auditors and internal teams.
  • Operate the Cybersecurity Risk Register, identifying, quantifying, and tracking risks, distinguishing between theoretical compliance gaps and meaningful business risks.
  • Manage and evolve compliance posture across SOC 2 and ISO 27001, and prepare for future certifications in regulated markets (e.g., FedRAMP, ITAR, PCI, HIPAA).
  • Apply judgment to prioritize issues representing real security or business risk over "compliance theater."
  • Drive the shift from manual evidence collection to continuous monitoring, identifying opportunities to automate audit work.
  • Architect a scalable framework for assessing third-party vendors and AI model providers to ensure supply chain security without creating administrative bottlenecks.

Benefits

  • Competitive Salary & Equity
  • 401(k) Program with a 4% match
  • Health, Dental, Vision and Life Insurance
  • Short Term and Long Term Disability
  • Paid Parental, Medical, Caregiver Leave
  • Commuter Benefits
  • Monthly Wellness Stipend
  • Autonomous Work Environment
  • In Office Set-Up Reimbursement
  • Flexible Time Off (FTO) + Holidays
  • Quarterly Team Gatherings
  • In Office Amenities