Senior GRC Analyst

About The Position

Requirements

• 5+ years in security, compliance, or GRC, with direct ownership of SOC 2 Type II and ISO 27001 programs in a cloud product environment where you've run audit cycles, not just supported them
• Hands-on experience with Vanta (or a comparable GRC platform) and a genuine interest in automating compliance workflows rather than relying on spreadsheets
• Technical fluency: you can read a pen test report, understand cloud architecture decisions, and have substantive conversations with engineers about control design and risk tradeoffs
• Strong understanding of how auditors think, ideally from having been on the auditor side, or from running enough cycles that you've internalized their perspective
• Familiarity with PCI DSS and GDPR requirements; experience with self-attestation or certification work is a strong plus
• Experience supporting enterprise sales cycles where security is a procurement requirement, including responding to complex security questionnaires
• Excellent communication skills across audiences. You can brief the CEO on risk posture and turn around and explain the same issue to an engineer in implementation terms

Nice To Haves

• Startup or high-growth environment experience
• Experience with developer tools or infrastructure security background
• Experience with trust center management
• Familiarity with secrets management, credential security, or PKI.
• Relevant certifications (CISA, CISSP, CISM, CRISC, or equivalent) preferred

Responsibilities

• Maintain Doppler's SOC 2 Type II and ISO 27001 certifications end-to-end: evidence collection, control monitoring, audit coordination, and deficiency remediation
• Lead the compliance work for our next certifications, including gap assessments, policy updates, and required documentation
• Evaluate additional certifications and attestations on an ongoing basis as customer and market requirements evolve
• Own day-to-day administration of our GRC platform (Vanta), including control mapping, evidence workflows, and audit readiness
• Lead our security working group: facilitate regular risk identification sessions, policy updates, maintain the threat register, track remediation progress, and drive accountability across teams
• Design and maintain security controls mapped to our chosen frameworks (SOC 2, ISO 27001, etc.), ensuring they're practical and consistently operating
• Coordinate penetration testing cycles and work directly with engineering to track and close findings
• Author and maintain security policies that are enforceable and grounded in regulatory requirements (GDPR, PCI, and others relevant to a secrets management provider)
• Support business continuity and disaster recovery governance
• Respond to security questionnaires and RFPs promptly and accurately. Doppler's customers are technical and expect precision
• Participate in customer security reviews and calls; represent our compliance posture credibly to security teams, procurement, and compliance officers
• Maintain public-facing trust documentation that reflects our actual program
• Partner with sales on security-sensitive enterprise deals, especially in regulated industries or where compliance is a gating factor
• Translate compliance status and risk posture into clear, non-jargon updates for leadership and cross-functional stakeholders
• Lead security awareness and compliance training for internal teams
• Influence engineering and product roadmaps where security controls intersect with product decisions

Benefits

• Equity at an early-stage, fast-growing startup
• Premium health insurance (medical, dental, vision)
• Guilt Free Unlimited PTO - 3-week minimum strongly encouraged!
• Upward Mobility
• Learning and Development Stipend
• Wealth Advisor
• 401k
• Pregnancy & Family Leave
• Fertility & Adoption Benefits
• Equal Compensation (regardless of gender or race)