Senior GRC Analyst

At Drata, members of the GRC team have a rare opportunity to be Customer Zero—we actively use the same GRC platform that our customers rely on. This means your work as a Senior GRC Analyst will contribute directly to both the strength of Drata’s internal GRC program and the continuous evolution of our product. You'll provide hands-on feedback to our product and engineering teams based on real-world use, helping to refine user experience and functionality for thousands of customers. This isn’t just a GRC role – it’s a chance to help shape a category-defining solution while strengthening trust and security from the inside out.

Drata’s Senior GRC Analyst will support the execution of governance, risk, compliance, and trust-related initiatives to help ensure Drata remains aligned with key security frameworks, laws, and industry best practices. In this role, you’ll assist with internal control testing, evidence collection, audit readiness, and documentation across compliance programs such as SOC 1/2/3, ISO 27001/17/18, ISO 42001, HIPAA, and FedRAMP, among others. You’ll work closely with internal stakeholders and external assessors to support continuous improvement of controls and risk mitigation efforts. A strong understanding of security compliance programs and familiarity with frameworks such as GDPR, data privacy laws, and data security regulations is essential.

What you'll do:

• Respond to customer due diligence requests (e.g., Trust Center inquiries, questionnaires, assessments, contract and addendum reviews) within defined SLAs.
• Manage and respond to customer privacy-related inquiries, including Data Subject Access Requests (DSARs), ensuring timely resolution in line with regulatory timelines .
• Conduct enterprise risk assessments, identify and track risks in Drata’s Risk Register, and ensure mitigation plans are developed, assigned, and progressed.
• Review and assess new vendors for risk and compliance alignment; conduct periodic reviews of critical and high-impact vendors.
• Act as an internal “Customer Zero” of the Drata and SafeBase platforms—testing, evaluating, and providing structured feedback to product and engineering teams.
• Maintain ongoing compliance with Drata’s attestations and certifications, including SOC 1/2/3, HIPAA, ISO 27001/27017/27018, and applicable privacy laws such as GDPR and CCPA.
• Support readiness and adoption of new or evolving frameworks, including FedRAMP, and ensure timely compliance with contractual and regulatory requirements.
• Draft, maintain, and disseminate security and compliance policies, standards, and procedures aligned with frameworks, regulations, and business needs.
• Provide training and awareness to staff on compliance responsibilities and enforce adherence through assessments and periodic reviews.
• Monitor and resolve control testing alerts and findings from internal and external assessors in a timely manner.
• Participate in roadmap planning and strategic product discussions to help shape compliance automation capabilities.
• Collaborate with security and engineering teams to validate ongoing adherence to internal controls and external standards.
• Assist with audit preparation and coordination, including evidence gathering and auditor communication.
• Communicate the “why” behind compliance and security processes to cross-functional teams to drive shared understanding and alignment.
• Develop clear, accessible documentation for configurations, policies, controls, and compliance processes to support both internal operations and external audits.
• Stay current on security, compliance, and privacy trends; explore new tools and techniques to improve program effectiveness and automation.

By weaving together automation, innovation, and clear communication, you’ll play a pivotal role in shaping Drata’s future and redefining what it means to be secure and compliant in a modern, fast-paced world. Let’s revolutionize the industry—together!

What you’ll you bring:

• You have 5-7 years of experience
• You have a passion for developing solutions at the intersection of Compliance, Privacy and Security
• You have a solid understanding of how things operate in a SaaS environment
• You have a solid understanding of Risk Management and Vendor Management to lead discussions and manage risks and vendors.
• You are knowledgeable in SOC 2 , ISO 27001, HIPAA, and an awareness of FedRAMP, NIST CSF, and others, and know how to audit internally, and facilitate external auditor assessments against these.
• You like taking the road less traveled when it makes sense, you analyze problems and find better ways to meet the business need.
• Black Hat, White Hat or Wizard Hat, we don’t care, we just want you to be passionate about security and helping our industry mature.
• We live in the cloud so we need you to have AWS, GCP, or Azure experience.
• Watson is that you? We need you to be able to do in-depth troubleshooting to problem solve to help us continually improve all facets of the program.
• We are people who are curious and love to learn new things, we want you to have that desire as well.
• Be Awesome! You are going to need to work well with your peers because they are often coming to you with problems while frustrated, be kind and clearly communicate to them to make things all better.
• Certifications (CISA, CISM, CISSP, ISC, IAPP) or equivalent experience.

Benefits:

• Healthcare: 90-100% paid premiums for medical, dental, and vision plans for employee and dependents + on demand health care concierge
• HSA, FSA, & DCFSA: Pre-tax savings plans for healthcare and dependent care, with up to a $600 annual employer contribution to the HSA plan (if enrolled in HSA medical plan)
• 100% paid short and long term disability plus life + AD&D benefits
• Learning & Development: $500 annually towards professional development opportunities + $250 annually towards personal development opportunities
• Flexible Time Off: Flexible vacation policy for strong, fully charged batteries
• 16 Weeks Paid Parental Leave: An inclusive policy to ensure you have time with your newborn, newly adopted, or foster child
• Work Remotely: Flexible hours and work from home + $1,000 annually to cover necessary business related items for your home office
• 401K: Reach your financial goals while reducing your taxes

This role will receive a competitive base salary, benefits, and stock, typically in the form of Restricted Stock Units (RSUs). The applicable salary range for each US-based role is based on where the employee works and is aligned to one of 3 tiers based on the cost of labor for that geographic area. The expected salary ranges for this role are below, subject to change.

Tier 1: $136,595- $168,700

Tier 2: $122,900 - $151,800

Tier 3: $109,300 - $135,000

You can view which tier applies to where you plan to work here. A variety of factors are considered when determining someone’s leveling and compensation–including a candidate’s professional background and experience. These ranges may be modified in the future and final offer amounts may vary from the amounts listed above.

Drata is on a mission to serve as the trust layer between great companies.

Drata is a trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses develop a more secure, proactive, and risk-aware organization to continuously maintain trust with customers.

We all recognize the importance of earning and keeping the trust of our customers when it comes to protecting their data. We know how burdensome achieving and maintaining a strong GRC posture can be with the rise in compliance regulations. It’s a manual, redundant, error-prone, and unscalable process - and it only grows more complex and expensive over time.

Our team of SaaS, security, compliance, and audit experts have built a better way - with automation

Employment at Drata is based solely upon individual merit and qualifications directly related to professional competence. We strictly prohibit unlawful discrimination or harassment on the basis of race, color, religion, veteran status, national origin, ancestry, pregnancy status, sex, gender identity or expression, age, marital status, mental or physical disability, medical condition, sexual orientation, or any other characteristics protected by law. We also make reasonable accommodations to meet our obligations under laws protecting the rights of the disabled.

Originally posted on Himalayas