Key skills
Security Governance RiskCompliance (GRC)ISO 27001SOC 2 Type IIAudit Cycle ManagementControl Frameworks Mapping NIST CSFControl Frameworks Mapping NIST 800-53Control Frameworks Mapping CISGRC Platforms VantaGRC Platforms DrataGRC Platforms SecureframeGRC Platforms HyperproofGRC Platforms ServiceNow GRCGRC Platforms OneTrustCustomer Security QuestionnairesReviewsPrivacy Regulation PIPEDAPrivacy Regulation US State Privacy LawsCross-border Data TransferThird-party Risk ManagementSecurityPrivacy Contract ReviewPythonSQLISO 27001 Lead AuditorISO 27001 Lead ImplementerCISACISMCIPPCRISCAutomation-first MindsetAWSVersion ControlServiceNowSaaSRisk ManagementCommunicationSales
About this role
UniUni is a late-stage last-mile logistics company moving millions of parcels across the United States and Canada for some of the largest e-commerce platforms in North America. The Senior Security Compliance Engineer will manage the governance, risk, and compliance function, ensuring the health of ISO 27001 certification and SOC 2 Type II attestation while automating processes and maintaining compliance with regulatory obligations.
Responsibilities:
- Run the ISO 27001 program operations, including surveillance audit prep, internal audits, the annual risk assessment, management reviews, and corrective action tracking
- Run the SOC 2 Type II program operations, including continuous control monitoring, evidence collection, auditor coordination, and remediation tracking
- Operate the information security policy lifecycle: drafting, stakeholder review, approval workflows, annual reviews, version control, and employee attestations
- Maintain the risk register, drive risk treatment plans through to closure, and prepare risk reporting for the ISO and the executive team
- Build and maintain compliance automation, including evidence collection workflows, control testing, and dashboarding. Treat the GRC platform as a system you actively engineer, not a passive system of record
- Plan and run security awareness training and phishing simulation cycles, and report on outcomes
- Operate UniUni's privacy program in partnership with legal, including data inventories, data flow mapping, retention schedules, and privacy impact assessments
- Execute on regulatory obligations relevant to our business, including the DOJ Data Security Program, Canadian PIPEDA, and applicable US state privacy laws
- Coordinate the response to data subject access requests (DSARs) and privacy inquiries within statutory timelines
- Track regulatory developments across the jurisdictions in which UniUni operates and translate them into concrete control changes, evidence requirements, and policy updates
- Support data residency and data minimization commitments, working with engineering and the data security team to verify they hold in practice
- Lead the response to customer security questionnaires, RFP security sections, and prospect security reviews, in partnership with sales, legal, and the ISO
- Review and negotiate the security and privacy clauses in customer and vendor contracts, escalating material issues to the ISO and legal
- Run UniUni's third-party risk management program: vendor inventory, tiering by risk, due diligence, security review of new vendors, periodic reassessment of existing vendors, and remediation tracking
- Operate the trust center and the security artifact library (SOC 2 reports, ISO certificates, pen test summaries, security overviews) and keep customer-facing materials current and accurate
- Be a credible representative of UniUni's security posture in front of customers, auditors, and regulators
- Write clearly and precisely. The work product of this role lands in front of customers, auditors, regulators, and executives, and it has to hold up
- Partner with engineering, IT, legal, HR, and finance to make compliance a normal part of how the business runs, not an interrupt
Requirements:
- 5 to 8 years in security GRC, audit, or a closely related discipline, with hands-on ownership of ISO 27001 and SOC 2 program operations in a cloud-native organization
- Direct experience driving SOC 2 Type II audit cycles end to end, including auditor coordination, evidence collection, and remediation
- Working knowledge of common control frameworks beyond ISO and SOC (NIST CSF, NIST 800-53, CIS) and the ability to map between them
- Experience operating a GRC platform (e.g., Vanta, Drata, Secureframe, Hyperproof, ServiceNow GRC, OneTrust) as a power user, including building automated evidence pipelines and control tests
- Experience leading customer security questionnaires and security reviews for enterprise customers, including reviewing security and privacy clauses in contracts
- Familiarity with privacy regulation in North America, including PIPEDA and US state privacy laws, and a working understanding of cross-border data transfer requirements
- Experience operating a third-party risk management program at meaningful vendor volume
- Strong written communication. You can produce auditor-ready documentation, customer-ready security narratives, and executive-ready risk summaries, and you know which is which
- A pragmatic, automation-first mindset. You are bothered by manual evidence collection and you do something about it
- Experience in logistics, supply chain, marketplaces, or other high-volume operational businesses
- Familiarity with the DOJ Data Security Program and bulk data transfer rules
- Light scripting ability (Python, SQL) for automating evidence collection or building control queries against AWS, identity providers, and SaaS platforms
- Relevant certifications such as ISO 27001 Lead Auditor or Lead Implementer, CISA, CISM, CIPP, or CRISC
- Prior experience supporting a company through a customer-driven security maturation, an investor due diligence cycle, or IPO readiness