The Security team is seeking a GRC Analyst to strengthen and evolve our security, compliance, and risk management program with a strong emphasis on SOC 2 readiness, security compliance with laws and regulations, vendor risk management, and security questionnaires. This role is hands-on and focused on ensuring that our security controls are implemented effectively, mapped to recognized frameworks, and continuously improved.

You will support the execution of our SOC 2 program, manage evidence collection and control testing, conduct vendor security reviews, and own the process for responding to client security questionnaires. The GRC Analyst will collaborate closely with internal teams, auditors, and external partners to ensure that our systems maintain a resilient, compliant, and transparent security posture.

This position reports to the Director of Information Security and provides a unique opportunity to shape the compliance and risk function at a high-growth company.

This is a remote-friendly opportunity that can sit in NYC (where our headquarters is located), one of our office hubs (Austin, Miami, or Mountain View), or anywhere else in the US. However, depending on where the remote work is performed, income could be subject to New York State tax withholding.


As Our GRC Analyst, You Will:

  • Ensure that DOJ/CISA compliance requirements are properly tracked, and serve as the coordination point for external audits/assessments.
  • Collaborate with the Security Program Manager to manage the day-to-day execution of compliance requirements and our SOC 2 program. This includes evidence collection, control testing, and remediation tracking.
  • Partner with auditors to coordinate readiness assessments, walkthroughs, and ongoing audits.
  • Maintain and update our security policies, procedures, and documentation.
  • Own the third-party risk management process, including vendor due diligence, risk assessments, and contract security reviews.
  • Ensure that vendors meet Yipit’s security requirements and document remediation plans for identified gaps.
  • Collaborate with Sales on the response process for customer and prospect security questionnaires.
  • Maintain a library of standard responses and security artifacts (SOC 2 report, policies, security architecture diagrams, etc.) to streamline response efforts.
  • Support risk assessments across teams and projects, documenting risks and remediation plans.
  • Manage compliance evidence repositories and ensure all required documentation is audit-ready.
  • Collaborate with IT, Engineering, and Operations to embed GRC practices into daily workflows.

You Are Likely To Succeed If You:

  • Have 2–4 years of experience in GRC, security compliance, or audit roles.
  • Have direct experience with SOC 2 programs, vendor risk management, or security questionnaires.
  • Understand how to map controls to frameworks like NIST CSF, SOC 2, ISO 27001, or NIST 800-53.
  • Are detail-oriented and thrive at organizing evidence, documentation, and workflows.
  • Can manage multiple projects while meeting deadlines.
  • Communicate complex security and compliance topics clearly to both technical and non-technical partners.
  • Hold or are working toward relevant certifications (e.g., CISA, CISSP, CISM, CCSK, ISO 27001 Lead Implementer) – highly valued but not required.
  • Have a Bachelor’s degree in Information Security, Information Systems, Computer Science, or a related field (or equivalent work experience).

What We Offer:

Our compensation package includes comprehensive benefits, perks, and a competitive salary:

  • Flexible work hours, flexible vacation, and a generous 401K match
  • Parental leave, team events, wellness budget, and learning reimbursement
  • Growth based on impact, not tenure or politics
  • A culture built on ownership, respect, collaboration, and trust

The annual on-target earnings for this position are anticipated to be $87K–$100K. Final offers may be determined by factors including experience, skills, and internal benchmarks.
