GRC Analyst

Zone & Co is on a mission to empower finance professionals to drive strategic growth through seamless, intelligent operations. We build cloud-native software solutions on Oracle NetSuite, automating complex financial processes like billing, accounts payable, reporting, and reconciliation. Our vision is to unlock the full strategic potential of finance by infusing the ERP with the intelligence and automation needed for truly transformative operations. Join our rapidly growing team as we redefine financial efficiency for scaling businesses worldwide.

• Compliance Framework Governance: Lead the management and continuous scaling of Zone & Co’s core security compliance frameworks, specifically SOC 2 Type II and ISO 27001.
• Privacy Operations Leadership: Govern global data privacy operations to ensure strict, ongoing alignment with GDPR, CCPA/CPRA, and other emerging data protection laws.
• Customer Trust & Revenue Enablement: Serve as the primary security liaison for enterprise customers, directly supporting the sales cycle by demonstrating and communicating a robust, mature security posture.
• Risk & Audit Management: Manage the organization's internal audit program and oversee the third-party vendor risk lifecycle to proactively identify and mitigate vulnerabilities.

• →Audit Coordination: Coordinate evidence collection, manage project timelines, and partner directly with external auditors during annual compliance assessments.
• →Privacy Assessments: Conduct Data Privacy Impact Assessments (DPIAs) for new products and process Data Subject Access Requests (DSARs) within mandated SLAs.
• →Questionnaires & Trust Center: Accurately and efficiently complete incoming vendor security questionnaires from prospects and maintain up-to-date documentation in our customer-facing Trust Center.
• →Internal Control Testing: Design and execute internal audits to test whether technical and administrative controls are operating effectively. Track control gaps and drive engineering/IT remediation efforts.
• →Vendor Risk Reviews: Evaluate the security and privacy postures of prospective and existing third-party vendors and sub-processors through comprehensive risk assessments.
• →Policy & Training Development: Draft, update, and publish internal security policies, standard operating procedures (SOPs), and incident response plans. Develop and administer engaging company-wide security and privacy awareness training.

• Experience: 3+ years of direct experience in IT Audit, Information Security, Privacy Operations, or GRC (Governance, Risk, and Compliance), preferably within a B2B SaaS, FinTech, or cloud technology environment.
• Deep Domain Expertise: Hands-on experience working with established compliance frameworks (SOC 2, ISO 27001) and navigating global privacy legislation (GDPR, CCPA).
• SaaS/Cloud Acumen: A solid understanding of cloud computing architectures (AWS, Azure, GCP) and enterprise software environments. Familiarity with ERP systems (like NetSuite) is a strong plus.
• Analytical & Problem-Solving Skills: Proven ability to translate complex regulatory requirements into actionable, practical controls for IT and engineering teams without stifling innovation.
• Exceptional Communication: Outstanding written and verbal communication skills. You must be able to write clear policies, translate technical risks for business leaders, and confidently answer complex customer security questions.
• Education & Certifications: Bachelor’s degree in Information Systems, Cybersecurity, Business, or a related field. Relevant industry certifications such as CISA, CISM, CIPP/E, CIPP/US, or Security+ are highly preferred.