Head of GRC (Governance, Risk, & Compliance)

BlitzyCambridge, MA
$220,000 - $260,000Onsite

About The Position

Security and compliance at Blitzy currently run on a patchwork: a Security Delegate managing our frameworks with help from an external compliance vendor, backend engineers pulled off their real jobs to answer security questions, and audit evidence assembled after the fact instead of built in from the start. We're hiring one person to fix that. As Head of GRC, you'll own a compliance program that's audit-ready by design, not by scramble. This role is not a paperwork-only compliance role with no rigor, a job where you escalate every auditor question to engineering or to the Security Delegate, or a way to move our current reactive compliance model in-house unchanged — the point is to make it proactive.

Requirements

  • Personal, hands-on ownership of at least one full SOC 2 Type II or ISO 27001:2022 audit cycle — not just adjacent to one.
  • Direct experience running a GRC/compliance platform (Vanta or equivalent) as the system-of-record owner.
  • A track record of managing vendor and auditor relationships independently, without hand-holding.
  • The seniority and judgment to reduce engineering interrupt load, not add to it — engineers should be comfortable handing things off to you, not double-checking your work.

Nice To Haves

  • FedRAMP exposure, even at Moderate — we're targeting FedRAMP High.
  • A track record of building a compliance process from scratch, not just running an existing playbook.
  • Experience managing multiple frameworks concurrently — SOC 2, ISO 27001, and GDPR at the same time.
  • Familiarity with Google Workspace as an identity provider.
  • GDPR/data privacy program experience — cookie consent, Article 27 representative coordination, DPA review.

Responsibilities

  • Own Vanta (or equivalent) as the system of record — configuring tests and keeping evidence current, not just checking a dashboard.
  • Run SOC 2 Type II and ISO 27001:2022 compliance building continuously toward what auditors actually sample, rather than scrambling before the audit window opens.
  • Manage auditor and partner relationships directly, including firms like Insight Assurance and FedRAMP platform partners such as Second Front Systems/Game Warden — without routing every conversation through the Security Delegate.
  • Build the compliance processes that don't exist yet, starting with a formal sub-processor change communication process, which is already coming up as a contractual requirement in enterprise deals.
  • Evaluate evidence critically rather than take it at face value, confirming, for example, that SSO is enforced via admin panel configuration — not just available in a settings screen.
  • Reduce engineering interrupt load by taking security scope questions and screenshot requests off their plate.

Benefits

  • Bonus and equity
  • Great sleep, movement, and restorative activities for optimal mental performance.
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service