Senior GRC Manager

Pontera is a fintech company on a mission to help people retire better. Our software platform enables retirement savers to get the help they need managing their 401(k) and other retirement plan accounts as part of a personalized strategy by their trusted financial advisor.

Pontera is used by financial advisors across the nation– from SMB to Fortune 500 RIA firms, independent broker-dealers, plan custodians, and plan advisors.

Backed by leading venture capital firms including ICONIQ Growth and Lightspeed Venture Partners, Pontera is built by talented individuals who share a dedication to helping people retire with greater security.

Our team is fast-growing and driven to become one of the largest fintech companies in the world. Our culture is built on a people-first principle: in a complex and numbers-driven industry, we never lose sight of the people we serve and work alongside. That's where you come in.

We are hiring a
Senior GRC Manager
to sustain, scale, and continuously enhance our Governance, Risk, and Compliance (GRC) program. Reporting directly to the
CISO
, this is a high-impact role focused on maintaining Pontera's robust compliance posture (including
SOC 2 Type II
,
ISO 27001
,
27017
, and
27018
), driving cloud assurance initiatives, and strengthening trust with customers and partners.

The ideal candidate is comfortable working cross-functionally, automating compliance workflows, and serving as a key liaison for external diligence and internal controls.

Responsibilities

• Maintain and mature the GRC program: Own core processes, documentation, and internal controls to support Pontera's security and privacy obligations.
• Align GRC activities with key frameworks, including NIST CSF, CIS Controls, and ISO 27001/27018, to ensure comprehensive control coverage and internal alignment.
• Support certification continuity: Ensure ongoing adherence and audit readiness for SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 through continuous monitoring, control validation, and stakeholder coordination.
• Support evolving privacy governance efforts, including ISO 27701 adoption, privacy impact assessments (PIAs), and alignment with standards such as ISO 29134 or NIST Privacy Framework.
• Contribute to vendor and third-party risk management: Support onboarding, reviews, and oversight of vendors handling sensitive data or infrastructure.
• Manage Pontera's customer trust program, including responding to security questionnaires, maintaining compliance artifacts, and owning our public Trust Center (e.g., SafeBase).
• Administer and optimize GRC platforms: Manage tools such as VISO Trust, or Vanta to streamline evidence collection, risk tracking, and control testing. Lead process improvements and automation where possible.
• Maintain the risk management program: Update the enterprise risk register, facilitate periodic risk assessments, and drive mitigation planning across business functions.
• Partner cross-functionally with Legal, IT, Engineering, and Product to embed compliance requirements and align security initiatives with business goals.

Requirements

• 5+ years of experience in GRC, security compliance, or audit within a cloud-native or SaaS environment.
• Proven track record supporting and maintaining certifications such as SOC 2 Type II, ISO 27001, 27017, and 27018.
• Strong understanding of the NIST Cybersecurity Framework and CIS Critical Security Controls as applied in modern SaaS/cloud environments.
• Familiarity with privacy management standards such as ISO 27701, ISO 29134, or equivalent frameworks (e.g., NIST Privacy Framework, GDPR Art. 35 PIAs)
• Hands-on experience with GRC automation tools (e.g., Drata, Vanta, Tugboat Logic, OneTrust).
• Excellent communication skills, particularly for external audit and customer diligence engagements.
• Strong organizational and project management capabilities, with an ability to coordinate across functions and meet deadlines.

Preferred Qualifications

• Experience managing a Trust Center (e.g., SafeBase).
• Certifications such as CISM, CRISC, CCSK, or ISO 27001 Lead Implementer.
• Previous experience in regulated or trust-sensitive industries such as fintech, B2B SaaS, or healthtech industries.

What We Offer

• Opportunity: Have a major impact at a fast-growing startup that is revolutionizing the FinTech industry
• Team Culture: A collegial, collaborative, fun work environment with frequent team events
• Equity: All new hires are eligible for equity grant participation
• Professional Development: Sponsored learning & development program
• Work Flexibility: A hybrid office work model (In-Office Mon/Tues/Weds and WFH Sun//Thurs)