GRC Lead

About The Position

Requirements

• Have 8+ years building and running GRC programs in regulated environments including healthcare, financial services, government, or enterprise SaaS where the stakes were real and the audits weren’t theatre.
• Have taken a company through SOC 2 Type II from a cold start, and lived HIPAA, GLBA, FedRAMP, or equivalent work hands-on, not just signed off on policies someone else wrote.
• View compliance as a competitive advantage and a forcing function for good engineering, not a checklist and not a bureaucracy to defend.
• Are a deep executor: you write the policies, draft the white papers, and ship the automation yourself, and can zoom out to design the program around them.
• Are a high-trust cross-functional partner - you can sit with an engineer reasoning about IAM controls in the morning, walk GTM through a DPA at noon, and brief a customer’s CISO in the afternoon.
• Translate technical risk for the boardroom and regulatory risk for the engineers fluently in both directions.
• Are at home in ambiguity and energized by a 0→1 program. We have a SOC 2 Type II baseline; the rest is yours to define.
• Have a strong opinion about data: how it’s classified, where it lives, who can see it, and how you prove it. You think in data flows, not policy templates.
• Bias toward pragmatism over bureaucracy. You know which controls matter, which ones are noise, and which ones you can automate out of existence.

Nice To Haves

• Direct experience operating across US and MENA (or other multi-jurisdictional) regulatory environments, including on-prem and data residency requirements.
• FedRAMP/GovRAMP, IL4/IL5, or equivalent government-customer compliance experience.
• Standing up GRC programs at AI or ML-heavy companies, including the novel evidence and disclosure questions that come with model training data, agent actions, and customer data flowing through AI systems.
• Hands-on with compliance automation tooling (Vanta, Drata, Secureframe, etc.) and a willingness to replace it when it’s the wrong tool.
• Comfort reading the technical controls themselves (Terraform, IAM policies, audit logs) well enough to verify what an auditor is being told.

Responsibilities

• Own the end-to-end GRC program: SOC 2 Type II and HIPAA today, and the path through ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and MENA-specific regimes that don’t map cleanly to a US playbook.
• Build the data handling backbone: how customer data is classified, where it lives, who can touch it, and how we prove it - across Azure, on-prem MENA deployments, and the bespoke deployments we run for governments and hospitals.
• Run audits as a builder, not a project manager: Own evidence, controls, gap remediation, and audit response, and automate the evidence pipeline so we’re not rebuilding workpapers every cycle.
• Stand up third-party risk as a real program: vendor reviews, data flow inventory, contractual security obligations, and a reassessment cadence that keeps pace with our SaaS footprint.
• Be the function that unblocks enterprise deals: Build the customer-trust surface — security questionnaires, trust portal, DPAs, BAAs, customer-facing docs — so customers understand how we handle their data before they have to ask.
• Partner with engineering: Bake compliance into the product: control inheritance from Azure, policy-as-code, automated access reviews, audit-ready logging, and evidence collection that runs without a human in the loop.
• Run a single risk operating cadence across HR, Finance, Legal, IT, and Engineering: so data handling, vendor approvals, and audit requests always have a clear owner.
• Be the translator between technical reality and regulatory expectations: the person engineers trust to interpret a control, and the person customers and auditors trust to explain the system behind it.

Benefits

• Competitive salary plus equity
• Daily lunches
• Commuter benefits
• 401(k)
• Medical, Dental, and Vision
• Unlimited PTO