Head of GRC

HockeyStack•San Francisco, CA

4d•$175,000 - $225,000•Hybrid

About The Position

HockeyStack is building the agent infrastructure for enterprise revenue. We spent five years building the only data architecture that preserves causality across the full revenue stack — every interaction, every signal, in sequence. On top of that foundation, we built Nex-lm, a purpose-built AI engine that compiles natural language into deterministic agent workflows. The result is a platform that can extract the revenue blueprint from a company's data, encode it into repeatable automations, and execute it across sales, marketing, and customer success — consistently, at scale. We are not building a dashboard tool with an AI feature. We are building the operating layer that replaces the human bottleneck in enterprise revenue organizations. This is a category being defined right now, and we intend to own it. We have raised $50M+ from Bessemer Venture Partners, General Catalyst, Y Combinator, and others. We operate fully in-person in San Francisco . We move fast and we hire people who want to win. Since launching late 2023, we have grown to 8-figures in ARR , process over 60 TB of revenue data monthly , and we are working with some of the largest B2B companies in the world like Microsoft, Harvey, New Relic, Collibra , etc. 🚀 Your Mission HockeyStack is maturing. Our customers trust us with their most sensitive revenue data, and as we move upmarket and scale, we need a dedicated owner for compliance to ensure we are best positioned to deliver value to our customers. This is the first dedicated GRC hire at HockeyStack. You'll serve as the single point of accountability for our entire compliance program, risk management framework, and security posture, . You'll report directly to the key departmental leads and work closely with the engineering and operations teams. The role is structured as fractional / part-time (~20 hours/week, open to W-2 or 1099), with the flexibility to surge during audits, incidents, or major customer reviews. San Francisco is preferred, but we'll consider remote for the right candidate. You'll own everything from SOC 2 audit readiness and incident response to enterprise questionnaires and vendor risk. If you want to build a compliance function from the ground up at one of the fastest-growing companies in B2B software, this is the role.

Requirements

8+ years of experience in GRC, compliance, and information security , with at least 3 years in a leadership or head-of-function capacity.
Experience at a high-growth B2B SaaS company is strongly preferred, ideally at the Series A–C stage where you had to build from scratch.
Deep experience with SOC 2 Type II audits and compliance programs. You've built or significantly improved a compliance program, not just maintained one.
Familiarity with GDPR, CCPA, NIST, and ISO 27001 is expected.
Strong technical foundation. You understand cloud infrastructure (AWS, GCP, or Azure) and modern SaaS architecture well enough to partner with engineers and assess risk in architecture decisions.
Hands-on and strategic. You're comfortable writing a policy doc in the morning and reviewing a security questionnaire in the afternoon. No task is beneath you.
Excellent communication skills. You can explain a complex risk to a non-technical founder in two sentences, and you can hold your own in a technical review with engineers.

Nice To Haves

CISSP, CISM, or equivalent certification is a plus.
Experience with AI/ML-specific security considerations or supporting enterprise sales cycles from a compliance/security perspective is also a plus.

Responsibilities

Own the compliance program end-to-end.
Build, maintain, and continuously improve HockeyStack's compliance policies, procedures, and controls. You will be the single owner of this function.
Run GRC and compliance operations. Manage our SOC 2 compliance program, drive audit readiness, maintain evidence collection, and ensure alignment with relevant frameworks and regulations (GDPR, CCPA, and customer-specific requirements). Stay ahead of evolving requirements as we move upmarket.
Own customer trust and vendor risk. Manage inbound compliance reviews, questionnaires, and due diligence requests from enterprise customers and prospects. Evaluate and monitor the risk posture of third-party vendors and integrations across our stack. Both directly impact revenue, so speed and quality matter.
Build compliance awareness and report to leadership. Develop and run compliance trainings for the team. Provide regular updates to the founders on risk landscape and compliance status, as well as recommended investments.

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume