Aircall is hiring a Senior GRC Engineer to build and operate the engineering backbone of our Governance, Risk & Compliance program. You'll join the Security Engineering team, reporting to the Security Engineering Manager, and partner closely with IT, Privacy, Legal, Product, and Engineering to make compliance a continuously-verified property of how we build and run Aircall — not a once-a-year audit scramble.
This is a hands-on engineering role. You'll automate controls, integrate our GRC platform with the systems that produce evidence, and turn policies into code where possible. You'll be the technical owner of SOC 2 and ISO 27001 readiness from an engineering perspective, and a key contributor to how we mature risk management, vendor security, and audit operations as Aircall scales.
This role will sit within the CTO organization, alongside Security & Infrastructure Engineering, building the security foundation of a future Governance, Risk & Compliance (GRC) function.
Design, implement, and operate technical controls that satisfy SOC 2, ISO 27001, NIST, and GDPR requirements across our cloud (AWS), SaaS, and corporate environments.
Build and maintain integrations between our GRC platform (Drata) and source systems — IdP, cloud providers, ticketing, code repositories, HRIS, endpoint management — to automate evidence collection and continuous control monitoring.
Engineer "compliance-as-code" workflows: codify policies and controls, automate drift detection, and surface failing controls back to owning teams via Jira, Slack, or dashboards.
Support and progressively automate audit readiness for SOC 2 Type II and ISO 27001 (and any future certifications such as HIPAA, FedRAMP, or PCI as the strategy evolves): preparing evidence, walking auditors through controls, and remediating findings.
Operate the enterprise risk register day-to-day: run risk assessments, track mitigations, and produce reporting that helps leadership make decisions.
Build and run the technical side of the vendor security program — questionnaire automation, tiering, evidence review, and ongoing monitoring of critical vendors.
Partner with IT, Product, and Engineering to embed security and compliance requirements into the SDLC, change management, access reviews, and infrastructure provisioning.
Contribute to incident response from the GRC side: maintain runbooks and policies, ensure regulatory and contractual notification timelines are met, and capture evidence and lessons learned.
Partner with Legal/Privacy on GDPR obligations, data residency, DPAs, and customer security commitments.
Help mature security awareness and training — measuring effectiveness, not just running it.
5+ years in security, with at least 2–3 years in a GRC engineering, security engineering, or compliance automation role at a SaaS or cloud-native company.
Strong working knowledge of SOC 2, ISO 27001, NIST CSF / 800-53, and GDPR, and what it takes to actually operate (not just pass) them.
Hands-on experience with a modern GRC platform (ideally Drata) — including building or extending its integrations, not just clicking through the UI.
Comfortable using AI tools to accelerate delivery and scale impact.
Comfortable writing code (Python, Go, or similar) and working with cloud APIs (AWS), Terraform/IaC, and CI/CD pipelines.
Solid understanding of cloud security, identity and access management, and how engineering teams ship software.
Experience supporting external audits as a technical lead and remediating findings.
Working knowledge of risk management frameworks and vendor security assessment.
Strong written communication — you can turn a control requirement into a clear ticket, runbook, or policy that gets adopted.
Bonus: relevant certifications (CISA, CISSP, ISO 27001 LI/LA, AWS/GCP security), experience with privacy engineering, or prior work building a GRC function from early stage to audit-ready.