BrainCo Inc.

GRC Lead

Job Overview

Location

San Francisco Bay Area

Job Type

Full-time

Category

Software Engineering

Date Posted

May 22, 2026

Full Job Description

📋 Description

  • Own the end-to-end Governance, Risk, and Compliance (GRC) program for an AI startup serving governments, healthcare systems, and critical industries, starting from a SOC 2 Type II and HIPAA baseline and expanding to ISO 27001, NIST 800-171, FedRAMP/GovRAMP, GLBA, and MENA-specific data residency regimes.
  • Build the data handling backbone by defining how customer data is classified, stored, accessed, and proven across Azure, on-prem MENA deployments, and bespoke government/hospital environments.
  • Run audits as a hands-on builder: own evidence collection, control remediation, audit response, and automate the evidence pipeline to eliminate manual workpapers across compliance cycles.
  • Establish a third-party risk program including vendor reviews, data flow inventories, contractual security obligations, and a reassessment cadence aligned with the company’s SaaS footprint.
  • Create and manage customer-trust assets such as security questionnaires, trust portals, Data Processing Agreements (DPAs), Business Associate Agreements (BAAs), and other customer-facing compliance documentation.
  • Partner directly with engineering to embed compliance into product development: implement control inheritance from Azure, policy-as-code, automated access reviews, audit-ready logging, and zero-touch evidence collection.
  • Establish a unified risk operating cadence across HR, Finance, Legal, IT, and Engineering to ensure consistent ownership of data handling, vendor approvals, and audit requests.
  • Translate between technical implementation and regulatory expectations: interpret controls for engineers and explain system design to auditors, customers, and executive leadership.
  • Define GRC principles from first principles — writing policies, drafting white papers, and shipping automation — rather than relying on templates or external advisors.
  • Operate in high ambiguity with a 0→1 mindset: the SOC 2 Type II and HIPAA programs are live; all other frameworks (ISO 27001, FedRAMP, GLBA, MENA compliance) are yours to design and implement.
  • Think in data flows, not policy templates: prioritize pragmatism over bureaucracy, identifying which controls are essential, which are noise, and which can be automated out of existence.
  • Serve as the primary liaison between technical teams and enterprise customers, ensuring compliance is a competitive advantage, not a barrier to sales or deployment.
  • Maintain deep familiarity with compliance tooling (e.g., Vanta, Drata, Secureframe) and the willingness to replace or augment tools when they fail to meet the company’s unique needs.
  • Read and verify technical controls directly — including Terraform, IAM policies, and audit logs — to validate auditor claims and ensure accuracy in compliance evidence.
  • Operate across multi-jurisdictional regulatory environments, including US and MENA data residency requirements, with awareness of on-prem deployment constraints.
  • Be the trusted translator for the boardroom and engineering teams, fluent in both regulatory language and technical implementation details.
  • Drive compliance as a strategic enabler for enterprise deals, ensuring customers understand data handling practices before they ask — accelerating deal velocity and trust.
  • Grow the GRC function as the company scales, starting as an individual contributor with full ownership and evolving into a leadership function.

🎯 Requirements

  • 8+ years building and running GRC programs in regulated environments including healthcare, financial services, government, or enterprise SaaS with real stakes and non-theatrical audits
  • Hands-on experience taking a company through SOC 2 Type II from a cold start and living through HIPAA, GLBA, FedRAMP, or equivalent compliance programs
  • Proven ability to design and implement compliance programs from first principles, writing policies and shipping automation personally
  • Experience operating across US and MENA regulatory environments with on-prem and data residency requirements
  • Fluency in translating technical controls (Terraform, IAM, audit logs) to auditors and regulatory bodies, and regulatory expectations to engineers
  • Bias toward pragmatism over bureaucracy; ability to distinguish essential controls from noise and automate where possible

🏖️ Benefits

  • Competitive salary plus equity
  • Daily lunches
  • Commuter benefits
  • 401(k)
  • Medical, Dental, and Vision
  • Unlimited PTO

Skills & Technologies

Azure
Terraform
REST
Senior
Onsite

About BrainCo Inc.

BrainCo Inc. is a company focused on the development and commercialization of advanced brain-computer interface (BCI) technology. Their core product, the "MindLink" system, aims to enable seamless communication and control between the human brain and external devices. This technology has potential applications in various fields, including neurorehabilitation for patients with motor impairments, assistive technologies for individuals with disabilities, and potentially in advanced gaming and virtual reality experiences. BrainCo is dedicated to pushing the boundaries of neuroscience and engineering to unlock new possibilities for human-computer interaction and enhance quality of life through innovative BCI solutions.
