GRC Engineer at WorkOS
United States (Hybrid)
Posted Apr 23
Responsibilities
- Own security awareness, internal education, and the cross-functional work that makes compliance a shared responsibility across the company.
- Lead our next certifications.
  - Drive readiness and ongoing compliance for future frameworks like ISO 27001, EU-US DPF, and FedRAMP: scoping the controls and documentation, and collaborating across the organization to make it happen.
- Partner directly with customers.
  - Support audits, enable sales on compliance-gated deals, and build on the trust we've established with the companies that depend on us.
- Own risk across WorkOS.
  - Run our risk and third-party risk programs.
  - Identify risks as they emerge, drive remediation, and surface signal to leadership.
- Scale through automation.
  - Design processes, tooling, and AI-assisted workflows so the compliance function scales without scaling headcount.
Requirements
- WorkOS powers enterprise features for many of the fastest-growing AI companies, including OpenAI, Cursor, Perplexity, Vercel, and Plaid.
- As AI reshapes software, WorkOS is at the frontier of Human and Agent Authentication, Identity, and Access Control—helping companies answer a new critical question: who are your agents, and what are they allowed to do? Our fast-growing customer base includes hundreds of modern software companies building the next generation of enterprise-ready products.
- Security is fundamental to our products, and customer trust is the foundation of our success.
- WorkOS has foundational compliance in place; SOC 2, HIPAA, GDPR, PCI-DSS SAQ D, and a growing set of customer and regulatory obligations.
- experience to work through them, and how to future-proof against them.
- You act as the bridge between auditor asks and engineering work, with the ability to translate between the two.
- Framework-fluent. You have hands-on experience implementing and auditing SOC 2 and other major frameworks (ISO 27001, PCI DSS, NIST 800-53, FedRAMP), and you can reason about new frameworks from first principles.
- A builder, not just an operator.
  - You see manual, repetitive GRC work as tech debt and look for ways to design it away: through process, tooling, AI, or partnering with engineering to build what's needed.
- experience implementing or auditing SOC 2 plus one other major framework (ISO 27001, PCI DSS, NIST 800-53).