Senior Governance, Risk, Compliance (GRC) Analyst

Headway
Seattle, WA
$161,600 - $202,000
Remote

About The Position

Headway handles sensitive health data for millions of patients, and this responsibility requires a security and compliance program that scales with the business. We are building out our dedicated GRC team to improve and mature our program. You will join the Security team and work across four pillars: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. You will not be maintaining a stale compliance program; you will be building a modern, AI-enabled one at a company that is transforming how mental healthcare is delivered in the United States. This role reports to Blake Atkinson, Director of Security, and partners closely with Privacy and Engineering teams.

Requirements

  • 5+ years of experience in a GRC, compliance, or security risk role.
  • Working knowledge of at least two of: HITRUST, SOC 2, PCI-DSS, or HIPAA.
  • Experience using a GRC platform like Vanta, Drata, OneTrust, or similar to automate evidence collection or manage controls.
  • Ability to communicate compliance requirements clearly to both technical and non-technical audiences.
  • A tendency to build repeatable processes over one-off heroics.
  • Excitement about using AI and modern tooling to scale compliance operations.

Nice To Haves

  • Experience in healthcare or healthtech and an understanding of HIPAA in practice.

Responsibilities

  • Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines.
  • Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals.
  • Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking.
  • Operate the centralized risk register — identifying, assessing, and tracking technical security risks through mitigation, and surfacing risk-informed priorities to engineering and security leadership.
  • Partner cross-functionally with Privacy, Legal, IT, and Engineering to embed compliance into how Headway operates — not bolt it on after the fact.

Benefits

  • Equity compensation
  • Medical, Dental, and Vision coverage
  • HSA / FSA
  • 401K
  • Work-from-Home Stipend
  • Therapy Reimbursement
  • 16-week parental leave for eligible employees
  • Carrot Fertility annual reimbursement and membership
  • 13 paid holidays each year as well as a Holiday Break during the week between December 25th and December 31st
  • Flexible PTO
  • Employee Assistance Program (EAP)
  • Training and professional development