GRC Engineer

Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide, Replit is democratizing software development by removing traditional barriers to application creation. ABOUT THE ROLE Replit is the agentic software creation platform that enables anyone to build applications using natural language.

As we scale to support millions of developers and enterprise organizations, maintaining a robust, transparent, and technically sound Governance, Risk, and Compliance (GRC) program is critical. We are looking for a GRC Engineer to serve as a key technical contributor for our compliance and risk management ecosystem. You will architect the systems and processes that automate trust, partnering deeply across the organization.

We need a pragmatic operator who understands that GRC exists to enable the business—balancing rigorous standards with the velocity of a high-growth startup. WHAT YOU'LL DO Technical Excellence & Architecture - Technical Depth: Act as a technical subject matter expert for the GRC team. You will drive quality, technical depth, and operational efficiency in our security controls.

• Program Architecture: Own the technical vision for Replit’s GRC program, moving the team from manual workflows toward "Compliance-as-Code" and automated evidence collection. - Thought Leadership: Champion a culture of security and privacy across the company, educating teams on why controls exist rather than just enforcing them. Cross-Functional Collaboration - Engineering & Architecture: Partner with Architects and Engineering Leads to "bake in" compliance requirements early in the design phase.

You will translate complex technical implementations into narratives that satisfy frameworks without slowing down development. - Legal & Privacy: Work closely with Legal Counsel to interpret and implement requirements for Privacy (GDPR, CCPA) and emerging AI-specific regulations (e.g., EU AI Act). - Sales & GTM: Enable the Sales team by managing the Customer Trust Center and handling complex security questionnaires.

You will serve as a subject matter expert in customer calls to build confidence with enterprise prospects. - Auditor Relationships: Own and cultivate the primary relationship with external auditors. You will serve as the bridge between auditors and internal teams, ensuring requests are reasonable, clear, and relevant to our tech stack.

Risk Management & Strategic Compliance - Risk Register Operator: You will operate the Cybersecurity Risk Register. You will be responsible for identifying, quantifying, and tracking risks, distinguishing between theoretical compliance gaps and meaningful business risks. - Framework Evolution: Manage and evolve our compliance posture across SOC 2, ISO 27001, and prepare the organization for future certifications in regulated markets (e.g., FedRAMP, ITAR, PCI, HIPAA).

• Pragmatic Governance: Apply judgment to operate in "gray areas" when appropriate. You will prioritize issues that represent real security or business risk over "compliance theater." Automation & Efficiency - Control Automation: Drive the shift from manual evidence collection to continuous monitoring. You will identify opportunities to automate audit work, ensuring GRC scales with the business.
• Third-Party Risk: Architect a scalable framework for assessing third-party vendors and AI model providers, ensuring our supply chain remains secure without creating administrative bottlenecks. REQUIRED SKILLS & EXPERIENCE - 8+ years of experience in GRC or Information Security - Technical Fluency: Ability to speak the language of engineering, cloud (GCP/AWS), and security architecture. You can anticipate how architectural decisions impact risk and compliance.
• Regulatory Breadth: Deep experience with SOC 2, ISO 27001, PCI, HIPPA, and Privacy laws. - Collaborative Communication: Strong ability to explain risk and tradeoffs to technical (Engineers), legal, and commercial (Sales/Execs) stakeholders. - Automation Mindset: Experience with GRC automation tools (e.g., Vanta, Drata) and a bias toward reducing manual toil.

BONUS QUALIFICATIONS - Familiarity with FedRAMP, ITAR, or AI regulation is a strong plus. WHAT WE VALUE - Pragmatism: You distinguish between "checking a box" and reducing risk. You focus on outcomes over optics.

• Business Enablement: You understand that your role is to help Replit sell to the enterprise safely, supporting innovation through technical trust. - Solutions-Oriented: You are collaborative and low-ego. You prefer fixing root causes and empowering teams through automation over manual bureaucracy.
• Clarity: You can take a complex regulation and explain exactly what it means for a specific engineering team in plain English. This is a full-time role that can be held from our Foster City, CA office. The role has an in-office requirement of Monday, Wednesday, and Friday.

Full-Time Employee Benefits Include: 💰 Competitive Salary & Equity 💹 401(k) Program with a 4% match ⚕️ Health, Dental, Vision and Life Insurance 🩼 Short Term and Long Term Disability 🚼 Paid Parental, Medical, Caregiver Leave 🚗 Commuter Benefits 📱 Monthly Wellness Stipend 🧑‍💻 Autonomous Work Environment 🖥 In Office Set-Up Reimbursement 🏝 Flexible Time Off (FTO) + Holidays 🚀 Quarterly Team Gatherings ☕ In Office Amenities Want to learn more about what we are up to? - Meet the Replit Agent https://www.youtube.com/watch?v=IYiVPrxY8-Y - Replit: Make an app for that https://www.youtube.com/watch?v=4zd9hzngFwY - Replit Blog https://blog.replit.com/ - Amjad TED Talk https://youtu.be/kCudFI4tcpg?si=l4ViCejV_f2RZkDi Interviewing + Culture at Replit - Operating Principles https://blog.replit.com/operating-principles - Reasons not to work at Replit https://blog.replit.com/reasons-not-to-join-replit To achieve our mission of making programming more accessible around the world, we need our team to be representative of the world. We welcome your unique perspective and experiences in shaping this product.

We encourage people from all kinds of backgrounds to apply, including and especially candidates from underrepresented and non-traditional backgrounds.