Job Description:
• Own SOC 2 and HIPAA programs end-to-end
• Manage auditor relationships and streamline evidence collection
• Maintain continuous audit readiness via Drata
• Improve audit efficiency
• Own vendor compliance intake (BAAs, DPAs, security reviews)
• Build and maintain a centralized vendor registry with PHI exposure mapping
• Establish fast, repeatable onboarding processes
• Partner with Engineering on vendor security assessments
• Audit and remediate ~30 existing policies with outdated ownership structures
• Replace “phantom roles” (e.g., Security Officer) with real owners
• Establish a meaningful policy review cadence
• Draft new policies (data retention, vendor management, access controls)
• Own and operate Drata (controls, evidence, personnel tasks)
• Manage Trust Center accuracy and external posture
• Handle customer security questionnaires
• Support Sales with compliance documentation for enterprise deals
• Document PHI data flows and system boundaries
• Support incident response from a compliance perspective
• Stay current on HIPAA and regulatory developments
Requirements:
• 5+ years in GRC, security compliance, or related roles (startup experience strongly preferred)
• Deep experience with SOC 2 and HIPAA (hands-on ownership, not advisory)
• Strong familiarity with vendor risk management, BAAs, DPAs, and audits
• Experience with tools like Drata or similar compliance platforms
• Ability to operate independently in a fractional, high-ownership role
• Strong judgment: able to make pragmatic tradeoffs rather than over-engineer
Benefits:
• Competitive salary and equity in a high-growth company
• Opportunity to make an immediate impact
• Medical, dental, and vision coverage
• Unlimited paid time off
• Company-sponsored annual retreats
• 401(k) plan to support your long-term financial goals
• Commuter stipend for San Francisco-based employees