Information Security Associate at Middesk | JobVerse
Information Security Associate
Middesk
New York City, New York, United States of America
Full Time
1 week ago
$90,000 - $120,000 USD
H1B Sponsor
Key skills
SaaS
Leadership
Communication
Customer Success
Sales
About this role
Role Overview
Own Middesk’s trust and compliance platform (currently Vanta), including continuous monitoring, evidence collection, and control maintenance.
Manage and maintain compliance with frameworks and assessments such as SOC 2, ISO 27001, and external penetration tests.
Coordinate with internal teams and external auditors to support audits and assessments end-to-end.
Maintain a current and accurate inventory of subprocessors and vendors, with particular focus on access to customer data and PII.
Partner with Legal, Ops, and Engineering to assess vendor risk and ensure appropriate controls and contractual safeguards are in place.
Own and respond to due diligence questionnaires (DDQs), security reviews, and trust-related inquiries from customers and partners.
Develop reusable artifacts and processes to streamline security and compliance reviews as Middesk scales.
Chair Middesk’s internal oversight or security committee, including agenda setting, documentation, and follow-ups.
Own the lifecycle of security and compliance policies: drafting, review, approval, rollout, and periodic refresh.
Ensure policies are aligned with actual practices and system behavior—not just “paper compliance.”
Develop and maintain a strong understanding of Middesk’s data flows, systems, and architecture at a conceptual level.
Act as a translator between technical teams (Engineering, Security, Data) and non-technical teams (Legal, Sales, Customer Success, Operations).
Identify gaps between how the business operates and how it is represented in compliance artifacts, and drive remediation.
Be the internal point of contact for our external IT vendor (or be the person that makes the case that this needs to be brought in-house).
Requirements
Experience owning or materially contributing to SOC 2 and/or ISO 27001 programs at a SaaS or data-driven company.
Hands-on experience with compliance automation tools such as Vanta, Drata, Delve, or similar.
Strong understanding of data protection concepts, vendor risk, and security controls, even if not an engineer by background.
Ability to manage multiple stakeholders, deadlines, and ambiguous requirements with good judgment.
Clear written and verbal communication skills, particularly with auditors, customers, and internal leadership.
Familiarity with privacy frameworks (e.g., GDPR, CCPA) as they intersect with security and vendor management.
Benefits
Offers Equity