Jobs · himalayas

U

Senior Security Compliance Engineer

Solstice Analytics · Canada · Posted 18d ago

remotesenior5-8 yrs🇨🇦 Canada
Apply on himalayas

About the role

Manage governance, risk, and compliance operations for ISO 27001 and SOC 2 certifications.

About UniUni UniUniis a late-stage last-milelogisticscompany moving millions of parcels across the United States and Canada for some of the largest e-commerce platforms in North America. Our technology is cloud-native on AWS. We hold an active ISO 27001 certification and SOC 2 Type II attestation, and security and compliance are central to how weoperateand how our customers trust us. This role reports to the Information Security Officer and is based in North America (remote with periodic travel toUniUnihubs). About the role We are hiring a Senior Security Compliance Engineer to be the operational backbone of UniUni's governance, risk, and compliance function. You will run the day-to-day machinery that keeps our ISO 27001 certification and SOC 2 Type II attestation healthy, our policies current, our customers confident, and our regulatory obligations met. This is a hands-on senior IC role. The Information Security Officer designs the program; you make it work. You will run audit cycles, manage evidence, drive policy lifecycles, lead customer security reviews, operate the third-party risk program, and support privacy and regulatory work. We are looking for someone who automates what should be automated, writes clearly, and treats compliance as a real engineering problem. What you'll do Core GRC Run the ISO 27001 program operations, including surveillance audit prep, internal audits, the annual risk assessment, management reviews, and corrective action tracking. Run the SOC 2 Type II program operations, including continuous control monitoring, evidence collection, auditor coordination, and remediation tracking. Operate the information security policy lifecycle: drafting, stakeholder review,approvalworkflows, annual reviews, version control, and employee attestations. Maintain the risk register, drive risk treatment plans through to closure, and prepare risk reporting for the ISO and the executive team. Build andmaintaincompliance automation, including evidencecollectionworkflows, control testing, and dashboarding. Treat the GRC platform as a system you actively engineer, not a passive system of record. Plan and run security awareness training and phishing simulation cycles, and report on outcomes. Privacy and Regulatory OperateUniUni'sprivacy program in partnership with legal, including data inventories, data flow mapping, retention schedules, and privacy impact assessments. Execute on regulatory obligations relevant to our business, including the DOJ Data Security Program, Canadian PIPEDA, and applicable US state privacy laws. Coordinate the response to data subject access requests (DSARs) and privacy inquiries within statutory timelines. Track regulatory developments across thejurisdictionsin whichUniUnioperates and translate them into concrete control changes, evidence requirements, and policy updates. Support data residency and data minimization commitments, working with engineering and the data security team to verify they hold in practice. Customer Reviews and Third-Party Risk Lead the response to customer security questionnaires, RFP security sections, and prospect security reviews, in partnership with sales, legal, and the ISO. Review and negotiate the security and privacy clauses in customer and vendor contracts, escalating material issues to the ISO and legal. RunUniUni'sthird-party risk management program: vendor inventory,tiering byrisk, due diligence, security review of new vendors, periodic reassessment of existing vendors, and remediation tracking. Operate the trust center and the security artifact library (SOC 2 reports, ISO certificates, pen test summaries, security overviews) and keep customer-facing materials current andaccurate. Across All of It Be a credible representative ofUniUni'ssecurity posture in front of customers, auditors, and regulators. Write clearly and precisely.The work product of this role lands in front of customers, auditors, regulators, and executives, and it has to hold up. Partner with engineering, IT, legal, HR, and finance to make compliance a normal part of how the business runs, notan interrupt. Qualifications 5 to 8 years in security GRC, audit, or a closely related discipline, with hands-on ownership of ISO 27001 and SOC 2 program operations in a cloud-native organization. Direct experience driving SOC 2 Type II audit cycles end to end, including auditor coordination, evidence collection, and remediation. Working knowledge of common control frameworks beyond ISO and SOC (NIST CSF, NIST 1000-53 CIS) and the ability to map between them. Experienceoperatinga GRC platform (e.g., Vanta,Drata,Secureframe,Hyperproof, ServiceNow GRC,OneTrust) as a power user, including building automated evidence pipelines and control tests. Experience leading customer security questionnaires and security reviews for enterprise customers, including reviewing security and privacy clauses in contracts. Familiarity with privacy regulation in North America, including PIPEDA and US state priva

Read the full posting on himalayas

FAQ

Is the Senior Security Compliance Engineer role at Solstice Analytics remote?+

This Senior Security Compliance Engineer position is listed as remote (Canada).

What seniority level is this Senior Security Compliance Engineer role?+

This is a senior level position.

How do I apply for the Senior Security Compliance Engineer role at Solstice Analytics?+

Use the "Apply on himalayas" button to open the original posting on himalayas, where you can submit your application directly to Solstice Analytics.