Security and Compliance Manager
Givebutter is the most-loved nonprofit fundraising and CRM platform, empowering millions of changemakers to raise more, pay less, and give better. Nonprofits use Givebutter to replace multiple tools so they can launch fundraisers and events, use donation forms and donor management (CRM), send emails and text blasts—all in one place. Use of the Givebutter platform is completely free with a 100% transparent tip-or-fee model.
Givebutter has been certified as a Great Place to Work® every year since 2021, and is the #1 rated nonprofit software company on G2 across multiple categories.
Our mission is to empower the changemaker in all of us. We believe giving should be fun, so you’ll want to do it again, and we also believe that work should be fun, so that you’ll have the greatest impact. We are excited to hear from talented people who want to work with other talented people in making the world a butter place—and have fun along the way.
Givebutter is hiring a Security & Compliance Manager to own Givebutter's security function. Your primary mandate is to further harden our critical systems, codify our security roadmap, and implement controls in close partnership with our Product, Design & Engineering (PDE) team. You will also own our certification program (SOC 2, and eventually ISO 27001) and assist with licensing and registration compliance across all US jurisdictions.
This is a hands-on, high-autonomy role for someone who has lived through the security challenges of a growth-stage fintech and knows what it takes to build real defenses, not just check boxes. You will report directly to the General Counsel and work cross-functionally with PDE, Trust & Safety, IT, and Finance.
- Have 7+ years of experience in information security, security engineering, GRC, or a related field, with at least 4 years in a fintech, payments, or financial services environment
- Have hands-on experience hardening production systems at a growth-stage company, not just writing policies about them
- Possess deep working knowledge of SOC 2, PCI DSS, and at least one additional framework (NIST CSF, CIS Controls, ISO 27001)
- Understand modern AI-era threat vectors and can articulate a defensive strategy against them
- Have technical fluency: you can read a cloud infrastructure diagram, understand why a GitHub permissions model matters, evaluate a pen test report, and translate all of it into actionable guidance for engineering teams
- Have managed GRC tools hands-on (Vanta, Drata, Secureframe, or similar) and driven remediation workflows to closure, not just monitored dashboards
- Have led external audits end-to-end: auditor relationships, evidence collection, findings remediation, and board-level reporting
- Can build programs, not just maintain them: you thrive in environments where the playbook doesn't exist yet and you need to write it
- Communicate complex security and regulatory topics in plain language to non-technical stakeholders
- Have strong judgment about when to escalate, when to act independently, and when to push back
Bonus Points
- CISSP, CISM, CISA, or CEH certification
- Familiarity with AI security frameworks: NIST AI RMF, MITRE ATLAS, OWASP AI Security and Privacy Guide
- Experience with BSA/AML program design, SAR filing, or OFAC sanctions screening
- Experience managing bank partner or sponsor bank compliance relationships
- Familiarity with Stripe's platform, APIs, and compliance tools
- Prior experience at a company operating in the charitable giving, nonprofit, or crowdfunding space
- Experience with state charitable fundraising platform/solicitation registration requirements
- Track record of building compliance or security programs at a Series A through Series D stage company
- CAMS or CRCM certification
Responsibilities
- Codify and execute the security roadmap for the organization, prioritizing the further hardening of critical systems (payment infrastructure, donor data stores, authentication flows, API integrations) and ensuring compliance with applicable laws (e.g., data privacy and security)
- Partner directly with PDE leadership to embed security controls into the development lifecycle: threat modeling, secure code review, vulnerability management, and CI/CD pipeline security tooling (SAST, DAST, SCA)
- Own the security incident response plan end-to-end: detection, containment, investigation, notification, remediation, and post-incident review
- Work with IT to drive identity and access management improvements, including role-based access controls, MFA enforcement, endpoint security, and session management
- Develop a deep understanding of fraud vectors in the fundraising and payments space—stolen cards, synthetic identities, friendly fraud, campaign abuse—and help us build systems that adapt as threats evolve
- Manage vendor security risk assessments for third-party tools, integrations, and sub-processors, with continuous monitoring rather than annual check-ins
- Own the penetration testing program: vendor relationships, testing cadence, findings translation into engineering tickets, and remediation tracking to closure
- Develop and deliver security awareness training for all employees, with targeted modules for PDE, CX, and leadership audiences
- Lead SOC 2 Type II certification end-to-end: gap analysis, control design, evidence collection, remediation tracking, auditor coordination, and ongoing maintenance
- Build the roadmap toward ISO 27001 certification as the security program matures
- Serve as primary owner of our GRC platform (Vanta): driving task completion, monitoring compliance gaps, triaging findings, and ensuring remediation owners are accountable
- Manage all external auditor and certification body relationships
- Build and maintain evidence repositories that support continuous (not just point-in-time) compliance
- Prepare board-ready compliance status reports and risk summaries quarterly
- With the General Counsel’s guidance, own all required licenses, registrations, and regulatory filings across US jurisdictions, including state charitable fundraising platform registrations and other licenses
- Manage the Trust Center: content accuracy, access approvals, and customer-facing compliance documentation
Requirements
- 7+ years of experience in information security, security engineering, GRC, or a related field, including at least 4 years within a fintech, payments, or financial services environment
- Hands-on experience hardening production systems at a growth-stage company (Series A–D or equivalent), including areas such as IAM, application security, infrastructure security, vulnerability management, or secure SDLC practices
- Deep working knowledge of SOC 2 and PCI DSS, plus hands-on experience with at least one additional security framework such as NIST CSF, ISO 27001, or CIS Controls
- Experience leading external security audits end-to-end, including auditor management, evidence collection, remediation tracking, and executive or board-level reporting
- Hands-on experience administering GRC/compliance platforms such as Vanta, Drata, Secureframe, or similar, including driving remediation workflows to closure
Below is a high-level outline of our standard interview process:
- Recruiter Screen: A 30-minute conversation to learn more about your background, walk through the role, and ensure mutual alignment on expectations, values, and logistics.
- Hiring Manager Interview: A deeper dive into your relevant experience, skillset, and working style. This is your first opportunity to connect directly with the person who may be your future manager.
- Assessment (technical or non-technical): This stage will vary based on the role. It could involve a live coding session, case study, or take-home project. Some roles may include two parts to this stage to evaluate both practical skills and problem-solving approaches.
- Values Interview: A conversation with team members focused on how you align with our core values and leadership principles.
- References: We connect with a few folks you’ve worked closely with to get a better picture of your working style and impact.
- Offer: If all goes well, we’ll move to the offer stage!
Please note, we will have an AI note-taking tool join most of our interviews.
Hi potential new butterslice! A recent study from LinkedIn showed that most women apply to jobs only when they meet 100% of the requirements, whereas men will hit the apply button if they hit 60%. Givebutter is committed to building a diverse and inclusive team. So to the women and nonbinary folks out there feeling unsure if you're a perfect fit, we strongly encourage you to apply!
Listing Details
- Posted
- May 7, 2026