Headway

Senior Governance, Risk, Compliance (GRC) Analyst


1 in 4 people in the US have a treatable mental health condition, but most providers don't accept insurance, making therapy too expensive for most people. Headway’s mission is to fix this by building a new mental healthcare system everyone can access. We started by solving the biggest barrier to care: insurance. The admin work - credentialing, claims, payment reconciliation - is a nightmare. We've automated that.

But we're going further. Over 70,000 providers across all 50 states run their practice on our software, serving over 1 million patients. We are building the best tools for therapists to run their entire practice, reimagining the experience of finding a therapist, and investing in the platform foundations to enable this at scale. We aren't just a billing layer; we are becoming the platform where care actually happens.

We're a Series D company with $325M+ in funding (a16z, Accel, GV, etc.), looking for exceptional people to help us achieve this mission. We want your time here to be the most meaningful experience of your career. Join us, and help change mental healthcare for the better.

About the Role


Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program!

You'll join the Security team and work across four pillars: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. You won't be maintaining a stale compliance program — you'll be building a modern, AI-enabled one at a company that's transforming how mental healthcare is delivered in the United States.

This role reports to Blake Atkinson, Director of Security, and partners closely with Privacy and Engineering teams.

Key Responsibilities

  • Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines.
  • Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals.
  • Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking.
  • Operate the centralized risk register — identifying, assessing, and tracking technical security risks through mitigation, and surfacing risk-informed priorities to engineering and security leadership.
  • Partner cross-functionally with Privacy, Legal, IT, and Engineering to embed compliance into how Headway operates — not bolt it on after the fact.

Requirements

  • You have 5+ years of experience in a GRC, compliance, or security risk role.
  • You have working knowledge of at least two of: HITRUST, SOC 2, PCI-DSS, or HIPAA.
  • You've used a GRC platform like Vanta, Drata, OneTrust, or similar to automate evidence collection or manage controls.
  • You communicate compliance requirements clearly to both technical and non-technical audiences.
  • You default to building repeatable processes over one-off heroics.
  • You're excited about using AI and modern tooling to scale compliance operations.
  • Bonus: you've worked in healthcare or healthtech and understand what HIPAA means in practice, not just in theory.

  • Mission that matters — your work directly protects millions of patients accessing mental healthcare.
  • Real risk mitigation — this isn't checkbox compliance; the data you're protecting and the programs you're building have direct, tangible impact.
  • Forward-thinking healthtech — Headway is investing in AI-enabled security workflows and modern GRC tooling, not spreadsheet-driven compliance.
  • Build from scratch — you're standing up Headway's GRC function, not inheriting legacy processes.

What We Offer

Benefits offered include:

  • Equity compensation
  • Medical, Dental, and Vision coverage
  • HSA / FSA
  • 401(k)
  • Work-from-Home Stipend
  • Therapy Reimbursement
  • 16-week parental leave for eligible employees
  • Carrot Fertility annual reimbursement and membership
  • 13 paid holidays each year, as well as a Holiday Break during the week between December 25th and December 31st
  • Flexible PTO
  • Employee Assistance Program (EAP)
  • Training and professional development

Location & Eligibility

Where is the job
New York, United States
On-site at the office
Who can apply
US

Listing Details

Posted
May 14, 2026
First seen
May 15, 2026
Last seen
May 15, 2026

Posting Health

Days active
0
Repost count
0
Trust Level
67%
Scored at
May 15, 2026


We're building a new mental healthcare system. Tens of millions of Americans seek mental health care every day, but the vast majority never get the care they need. Headway is solving this, and we’re doing it all through software.

Employees
750
Founded
2017