Senior Compliance Officer (US EST/EMEA - Remote)

About The Position

Requirements

• Significant hands-on experience running compliance programs in a SaaS or technology company - you've been through multiple audit cycles and know what great looks like.
• Deep working knowledge of SOC 2 and PCI DSS frameworks. You understand controls at a practical level, not just a theoretical one.
• Experience with GRC platforms, ideally Vanta. You should be comfortable configuring tests, managing integrations, and using the platform as a source of truth rather than a reporting afterthought.
• Familiarity with GDPR and data protection requirements.
• The ability to work cross-functionally with engineering teams - you can read an architecture diagram, understand what a Kubernetes cluster is, and translate compliance requirements into language engineers actually want to act on.
• Avid user of AI to improve and automate your workflows, knowing when to reach for it and when to step in.
• Strong written communication. We're remote-first and async-heavy. Most of your influence will come through clear documentation, well-written tickets, and persuasive Slack messages rather than meetings.
• Self-motivated and able to operate with high autonomy. You won't have a compliance team around you (yet). You need to be comfortable owning the function solo and knowing when to pull others in.
• Experience working with external auditors and QSAs. You know how to prepare for and manage an audit without it becoming a fire drill.

Nice To Haves

• Formal DPO experience is a plus but not required.

Responsibilities

• Own and operate our SOC 2 Type II compliance program end-to-end - managing the annual audit cycle, maintaining controls in Vanta, coordinating evidence gathering across teams, and remediating gaps before they become findings.
• Design and lead the rollout of PCI DSS Service Provider Level 1 compliance, working with a QSA and internal engineering teams to scope the assessment, implement required controls, and prepare for audit.
• Build out our GDPR compliance posture - formalising data processing records, ensuring DSAR processes are robust, and working across departments to close gaps in our data protection practices.
• Manage our GRC tooling (Vanta) day-to-day - configuring tests, maintaining integrations, triaging failing checks, and keeping evidence fresh and audit-ready.
• Respond to customer and partner security questionnaires, due diligence requests, and trust-related inquiries. You'll be the face of Hospitable's security posture externally.
• Partner with engineering and infrastructure to translate compliance requirements into actionable technical work - writing clear tickets, not vague mandates.
• Identify where compliance automation can reduce manual effort and implement it.
• Evaluate and recommend additional frameworks or certifications that strengthen our market position as we scale.

Benefits

• Options into the company equity through (RSU's)
• healthcare (including EPO, PPO and HSA)
• 401(k)
• 35 days off per year, encouraged (including self-serve public holidays)
• parental leave
• Complimentary mental health and emotional support with therapists on call through Slack by Spill.
• Earn virtual coins through our peer recognition platform and redeem them through gift cards, donations, or monetary rewards.