GRC Analyst

About the role

This role sits at the heart of governance, risk, and compliance operations within a fast‑scaling, payments‑focused environment. You will own day‑to‑day GRC execution, ensuring continuous compliance across multiple regulatory frameworks while collaborating with engineering, security, legal, and leadership teams.

Key responsibilities

• Own and manage audit readiness activities, maintain continuous evidence collection, control monitoring, and coordinate external auditors for SOC 2, PCI DSS, and ISO 27001.
• Handle external security and compliance requests, including vendor assessments, security questionnaires, and RFP responses.
• Support and coordinate enterprise risk and compliance programs aligned with GDPR, DORA, NIS2, and the EU AI Act.
• Maintain and govern the policy lifecycle, covering updates, exception handling, violation tracking, and remediation follow‑ups.
• Contribute to certification efforts and expand into new compliance frameworks as business needs evolve.
• Collaborate with engineering and security teams to operationalize controls, strengthen vulnerability management, and support security awareness initiatives.
• Ensure ongoing compliance visibility by maintaining structured documentation and promoting a continuous compliance approach.

Required profile

• 3–5 years of experience in GRC, compliance, information‑security governance, or a related field.
• Hands‑on experience supporting external audits such as SOC 2, PCI DSS, ISO 27001.
• Familiarity with regulatory requirements including GDPR, DORA, NIS2, and emerging EU compliance standards.
• Experience managing vendor risk assessments, third‑party due diligence, and external security reviews.
• Strong understanding of continuous control monitoring and evidence‑management practices.
• Excellent organizational and communication skills, with the ability to work across technical, legal, and business stakeholders.

Required skills

• GRC platforms such as Vanta, Drata, OneTrust or similar tools.
• Audit frameworks: SOC 2, PCI DSS, ISO 27001.
• Regulatory knowledge: GDPR, DORA, NIS2, EU AI Act.