Staff GRC Engineer - Audits & Compliance
full-time
lead
Posted 23 hours ago
About this role
About Us
Observe.AI is the AI Agents platform for customer experience, designed to help organizations deliver faster, smarter, and more efficient customer service at scale. The platform enables businesses to deploy specialized AI agents that autonomously execute work across the full CX lifecycle—from handling customer conversations to supporting frontline teams and optimizing operations.
Each AI agent is purpose-built for a specific role, equipped to understand context, make decisions, take action, and continuously improve outcomes. This allows organizations to increase resolution speed, elevate service quality, and reduce operational costs while empowering your frontline team to focus on higher-value work.
Built on a CX-native foundation, Observe.AI helps leading brands like DoorDash, Affordable Care, Signify Health, and Verida improve customer satisfaction, boost agent productivity, and deliver consistent, scalable performance across every customer interaction.
Why Join Us
The Security team at Observe.AI is responsible for protecting our platform, customer data, and regulatory standing across 80 million community members. Observe.AI maintains industry-leading compliances and certifications — including SOC 2 Type II, PCI DSS Level 1, ISO 27001, HITRUST r2, HIPAA, GDPR/CCPA, and EU AI Act — and is seeking a seasoned GRC professional to own the external audit lifecycle and continuously strengthen our compliance posture.
As a senior member of the GRC function, you will report to the Head of Information Security and have the opportunity to lead the compliance program from the ground up. You will work cross-functionally with Engineering, Legal, Security Operations, and Customer Success to ensure Observe.AI exceeds customer and regulatory expectations.
What you’ll be doing
External Audit Management & Leadership
Own the end-to-end lifecycle for all external audits — SOC 2 Type II, PCI DSS Level 1, ISO 27001, HITRUST r2, HIPAA, GDPR/CCPA — from scoping and evidence collection through report issuance and remediation tracking.
Serve as the primary point of contact for external auditors, certification bodies, and assessors; manage audit schedules, evidence requests, and auditor communications.
Coordinate internal stakeholders (Engineering, DevOps, Legal, HR, Finance) to gather timely and accurate audit evidence.
Manage audit findings and observations; drive remediation plans to closure within agreed timelines.
Maintain audit-ready posture year-round through continuous control monitoring and evidence automation.
Track and report audit status, risks, and findings to the VP of Information Security and executive leadership.
Compliance Program Strategy & Roadmap
Develop and document Observe.AI's GRC strategy, compliance roadmap, and multi-framework control library aligned to SOC 2, PCI DSS, ISO 27001, HITRUST, HIPAA, GDPR, CCPA, and emerging regulations such as the EU AI Act.
Stay current on evolving regulatory and certification requirements relevant to AI-powered SaaS products operating in financial services, healthcare, and contact center industries.
Design and implement a GRC program that scales with Observe.AI's rapid growth, including automation of evidence collection via GRC tooling (e.g., Vanta, Drata, or equivalent).
Develop and maintain policies, standards, and procedures that satisfy multiple compliance frameworks through a unified control set.
Risk Management & Control Assessment
Lead enterprise risk assessments and maintain a risk register; prioritize controls based on risk impact and regulatory exposure.
Conduct gap analyses against new frameworks and certification requirements; propose remediation roadmaps.
Assess third-party and vendor risk; manage the sub-processor inventory and data processing agreements (DPAs).
Work with the Infrastructure Security team to validate technical controls — encryption, IAM, network segmentation, logging — against compliance requirements.
Perform control testing and walkthroughs in preparation for and between audit cycles.
Customer & Stakeholder Trust
Respond to customer security questionnaires (RFPs, vendor assessments) and support Sales in compliance-related deal cycles.
Act as the compliance point of contact for customer audits and penetration test reviews.
Manage and maintain the Trust Center (trust.observe.ai), keeping it accurate and up to date so that it provides assurance and self-service to enterprise customers.
What you’ll bring to the role
9+ years of experience in GRC, information security compliance, or audit roles, with at least 3 years directly managing external audits.
Hands-on experience leading SOC 2 Type II, PCI DSS, ISO 27001, and HITRUST audits as an auditee; HIPAA and GDPR/CCPA
Deep knowledge of control frameworks (NIST CSF, CIS Controls, ISO 27001 Annex A, HITRUST CSF) and their mapping across multiple standards.
Experience at a SaaS product company processing sensitive customer data; contact center, fintech, or healthc