GRC Engineer

WorkOS, San Francisco, CA
Remote

About The Position

We are looking for a GRC Engineer to build and own WorkOS's Governance, Risk, and Compliance program. WorkOS has foundational compliance in place: SOC 2, HIPAA, GDPR, PCI-DSS SAQ D, and a growing set of customer and regulatory obligations. What we are looking for now is a leader for our compliance function: someone who can own our existing frameworks, drive us into the next tier of certifications, partner directly with our enterprise customers to reinforce the trust they've placed in us, and turn manual compliance work into durable, automated systems. You will work with security leadership to steer our GRC program. You will help set the strategy, shape the roadmap, and build the systems and culture that make compliance a byproduct of how we build software. This is a remote position, open to candidates based in Canada or the United States.

Requirements

  • A builder, not just an operator. You write code, build systems, and automate. You want a role where you build systems that generate evidence automatically.
  • Framework-fluent. You have hands-on experience implementing or auditing SOC 2 and other major frameworks (ISO 27001, PCI DSS, NIST 800-53, FedRAMP), and you can reason about new frameworks from first principles.
  • A strong partner to engineering. You build trust by understanding engineers' priorities and making the compliant path the easiest path. You translate auditor expectations into engineering work, not the other way around.
  • An excellent cross-functional communicator. You work fluidly with customers, engineering, legal, sales, and auditors. You can explain a control, defend a design decision, and push back on a misfitting contract clause, clearly and concisely.
  • Pragmatic and analytical about risk. You reason systematically about what matters, prioritize based on real-world impact, and know the difference between a control that reduces risk and a control that satisfies a checkbox.
  • 5+ years in a GRC or compliance role, with demonstrated program ownership at a cloud-native company.
  • Hands-on experience implementing or auditing SOC 2 plus one other major framework (ISO 27001, PCI DSS, NIST 800-53).
  • Proficiency in at least one programming or scripting language (Python, TypeScript, Go, or similar). You can read code, write automation, and leverage AI effectively.
  • Experience with GRC automation platforms (Vanta, Drata, or similar): migrating into them, configuring them, and building on them.
  • Strong written communication, particularly in customer-facing and cross-functional contexts.

Nice To Haves

  • Privacy regulations (GDPR, CCPA, HIPAA) and PII classification; we have employees and customers across multiple jurisdictions.
  • FedRAMP experience as implementer or auditor.
  • GRC-as-code / compliance-as-code practices: version-controlled policies, automated control testing, or CI-integrated evidence collection.
  • Familiarity with authentication and identity (SAML, OIDC, SCIM), which is highly relevant given our product.
  • Prior experience building a GRC function at a high-growth company.

Responsibilities

  • Own our compliance function. Frameworks, policies, controls, and audits are yours. Make compliance part of how we ship software, not a separate track.
  • Lead our next certifications. Drive initiatives for FedRAMP and other frameworks: scope the controls, produce the documentation, and collaborate with others across the organization to make it happen.
  • Partner directly with customers. Be the voice of our compliance program to our customers. Support audits, enable sales on compliance-gated deals, and build on the trust we've established with the companies that depend on us.
  • Own risk across WorkOS. Run our risk and third-party risk programs. Identify risks as they emerge, drive remediation, and surface signal to leadership.
  • Build GRC-as-code. Write code and tooling to automate the parts of GRC that don't need a human, and leverage AI where it fits.

Benefits

  • Competitive pay
  • Substantial equity grants
  • Healthcare insurance (Medical, Dental and Vision) for you and your family
  • 401k matching
  • Wellness and fitness monthly allowances
  • PTO + paid holidays + unlimited sick leave
  • Autonomy and flexibility with remote work

What This Job Offers

Job Type

Full-time

Career Level

Senior

Education Level

No Education Listed

Number of Employees

11-50 employees

© 2024 Teal Labs, Inc