[Remote] Senior Security Compliance Engineer

Remote · USA Full-time New today

Note: This is a remote position open to candidates in the USA.

UniUni is a late-stage last-mile logistics company moving millions of parcels across the United States and Canada for major e-commerce platforms. They are seeking a Senior Security Compliance Engineer to manage their governance, risk, and compliance functions, ensuring the health of their ISO 27001 certification and SOC 2 Type II attestation while automating compliance processes and supporting regulatory obligations.

Responsibilities

  • Run the ISO 27001 program operations, including surveillance audit prep, internal audits, the annual risk assessment, management reviews, and corrective action tracking
  • Run the SOC 2 Type II program operations, including continuous control monitoring, evidence collection, auditor coordination, and remediation tracking
  • Operate the information security policy lifecycle: drafting, stakeholder review, approval workflows, annual reviews, version control, and employee attestations
  • Maintain the risk register, drive risk treatment plans through to closure, and prepare risk reporting for the ISO and the executive team
  • Build and maintain compliance automation, including evidence collection workflows, control testing, and dashboarding. Treat the GRC platform as a system you actively engineer, not a passive system of record
  • Plan and run security awareness training and phishing simulation cycles, and report on outcomes
  • Operate UniUni's privacy program in partnership with legal, including data inventories, data flow mapping, retention schedules, and privacy impact assessments
  • Execute on regulatory obligations relevant to our business, including the DOJ Data Security Program, Canadian PIPEDA, and applicable US state privacy laws
  • Coordinate the response to data subject access requests (DSARs) and privacy inquiries within statutory timelines
  • Track regulatory developments across the jurisdictions in which UniUni operates and translate them into concrete control changes, evidence requirements, and policy updates
  • Support data residency and data minimization commitments, working with engineering and the data security team to verify they hold in practice
  • Lead the response to customer security questionnaires, RFP security sections, and prospect security reviews, in partnership with sales, legal, and the ISO
  • Review and negotiate the security and privacy clauses in customer and vendor contracts, escalating material issues to the ISO and legal
  • Run UniUni's third-party risk management program: vendor inventory, tiering by risk, due diligence, security review of new vendors, periodic reassessment of existing vendors, and remediation tracking
  • Operate the trust center and the security artifact library (SOC 2 reports, ISO certificates, pen test summaries, security overviews) and keep customer-facing materials current and accurate
  • Be a credible representative of UniUni's security posture in front of customers, auditors, and regulators
  • Write clearly and precisely. The work product of this role lands in front of customers, auditors, regulators, and executives, and it has to hold up
  • Partner with engineering, IT, legal, HR, and finance to make compliance a normal part of how the business runs, not an interrupt

Skills

  • 5 to 8 years in security GRC, audit, or a closely related discipline, with hands-on ownership of ISO 27001 and SOC 2 program operations in a cloud-native organization
  • Direct experience driving SOC 2 Type II audit cycles end to end, including auditor coordination, evidence collection, and remediation
  • Working knowledge of common control frameworks beyond ISO and SOC (NIST CSF, NIST 800-53, CIS) and the ability to map between them
  • Experience operating a GRC platform (e.g., Vanta, Drata, Secureframe, Hyperproof, ServiceNow GRC, OneTrust) as a power user, including building automated evidence pipelines and control tests
  • Experience leading customer security questionnaires and security reviews for enterprise customers, including reviewing security and privacy clauses in contracts
  • Familiarity with privacy regulation in North America, including PIPEDA and US state privacy laws, and a working understanding of cross-border data transfer requirements
  • Experience operating a third-party risk management program at meaningful vendor volume
  • Strong written communication. You can produce auditor-ready documentation, customer-ready security narratives, and executive-ready risk summaries, and you know which is which
  • A pragmatic, automation-first mindset. You are bothered by manual evidence collection and you do something about it
  • Experience in logistics, supply chain, marketplaces, or other high-volume operational businesses
  • Familiarity with the DOJ Data Security Program and bulk data transfer rules
  • Light scripting ability (Python, SQL) for automating evidence collection or building control queries against AWS, identity providers, and SaaS platforms
  • Relevant certifications such as ISO 27001 Lead Auditor or Lead Implementer, CISA, CISM, CIPP, or CRISC
  • Prior experience supporting a company through a customer-driven security maturation, an investor due diligence cycle, or IPO readiness

Company Overview

UniUni is a transportation company that offers freight and package transportation along with logistics services. It was founded in 2019 and is headquartered in Richmond, British Columbia, Canada, with a workforce of 501-1000 employees. Its website is https://www.uniuni.com.

Company H1B Sponsorship

UniUni has a track record of offering H1B sponsorships, with 4 in 2026, 30 in 2025, 12 in 2024, and 2 in 2023. Please note that this does not guarantee sponsorship for this specific role.