Senior GRC Analyst

WHY NOW 2026 has been a breakout year for Doppler. We’ve helped over 78,000 startups and enterprises manage their secrets at scale, and landed our first million-dollar customer. We've shipped some of our most exciting features yet, expanded our customer base, and sharpened our focus like never before. With a strong foundation in community, we're scaling and monetizing with ambitious goals across product, growth, sales, and hiring. The momentum is real and we’re just getting started. About Doppler Doppler's mission is to make it easy and secure for software developers of every experience level and teams of any size to manage their app configuration and secrets. But hasn't this been done? Developers tend to be either struggling with the manual management of .env files https://www.doppler.com/blog/the-triumph-and-tragedy-of-env-files, or wrestling with an overly complex secrets manager https://www.doppler.com/blog/doppler-vs-hashicorp-vault that's not built for software development. The rise of AI tooling has fundamentally expanded who and what has access to your secrets. The stakes have never been higher, and getting it wrong has real consequences. Doppler is the solution to fix this. Simple to adopt, easy to scale, and built for developers, by developers. Our team is entrepreneurial, with a bias for action. We never back down from a spirited debate and believe we are all responsible for exploring the hard questions. We value self-awareness and meaningful impact. We are open to unconventional approaches and have learned not to judge a book by its cover. Your time is your most valuable resource, so you set your hours. We use Slack to communicate and default to zero meetings. We aim to document everything. We also recommend you invest your time in 10% compounding time https://medium.com/accelerated-intelligence/why-successful-people-spend-10-hours-a-week-on-compound-time-79d64d8132a8. WHO WE ARE Doppler is a developer-first secrets management platform that enables engineers and security teams to securely store their secrets across any cloud infrastructure or deployment environment at scale. THE ROLE At Doppler, security is core to what we ship, not an afterthought - it's woven into our product. Customers come to us to be the trusted custodian of their most sensitive credentials: API keys, database passwords, service tokens. That means our compliance posture is something prospects scrutinize during procurement and something customers depend on to justify their trust. This role owns all of it. As our Senior GRC Analyst, you'll be the owner of Doppler's security and compliance program; maintaining our SOC 2 Type II and ISO 27001 certifications, driving our next compliance initiatives, and acting as the internal expert and external face of security for enterprise customers. You'll work closely with engineering, product, sales, and customer success, and you'll bring an automation-first mindset to everything, building systems that reduce manual toil and move us toward continuous compliance rather than point-in-time audits. This is an individual contributor role with meaningful company-wide impact. The person who thrives here is equally comfortable diving into a pen test report with engineers and presenting risk posture to leadership. What you’ll do: Compliance program ownership - Maintain Doppler's SOC 2 Type II and ISO 27001 certifications end-to-end: evidence collection, control monitoring, audit coordination, and deficiency remediation - Lead the compliance work for our next certifications, including gap assessments, policy updates, and required documentation - Evaluate additional certifications and attestations on an ongoing basis as customer and market requirements evolve - Own day-to-day administration of our GRC platform (Vanta), including control mapping, evidence workflows, and audit readiness Risk and controls - Lead our security working group: facilitate regular risk identification sessions, policy updates, maintain the threat register, track remediation progress, and drive accountability across teams - Design and maintain security controls mapped to our chosen frameworks (SOC 2, ISO 27001, etc.), ensuring they're practical and consistently operating - Coordinate penetration testing cycles and work directly with engineering to track and close findings - Author and maintain security policies that are enforceable and grounded in regulatory requirements (GDPR, PCI, and others relevant to a secrets management provider) - Support business continuity and disaster recovery governance Customer and sales enablement - Respond to security questionnaires and RFPs promptly and accurately. Doppler's customers are technical and expect precision - Participate in customer security reviews and calls; represent our compliance posture credibly to security teams, procurement, and compliance officers - Maintain public-facing trust documentation that reflects our actual program - Partner with sales on security-sensitive enterprise deals, especially in regulated industries or where compliance is a gating factor Enablement and communication - Translate compliance status and risk posture into clear, non-jargon updates for leadership and cross-functional stakeholders - Lead security awareness and compliance training for internal teams - Influence engineering and product roadmaps where security controls intersect with product decisions What you’ll bring to the table: - 5+ years in security, compliance, or GRC, with direct ownership of SOC 2 Type II and ISO 27001 programs in a cloud product environment where you've run audit cycles, not just supported them - Hands-on experience with Vanta (or a comparable GRC platform) and a genuine interest in automating compliance workflows rather than relying on spreadsheets - Technical fluency: you can read a pen test report, understand cloud architecture decisions, and have substantive conversations with engineers about control design and risk tradeoffs - Strong understanding of how auditors think, ideally from having been on the auditor side, or from running enough cycles that you've internalized their perspective - Familiarity with PCI DSS and GDPR requirements; experience with self-attestation or certification work is a strong plus - Experience supporting enterprise sales cycles where security is a procurement requirement, including responding to complex security questionnaires - Excellent communication skills across audiences. You can brief the CEO on risk posture and turn around and explain the same issue to an engineer in implementation terms - Relevant certifications (CISA, CISSP, CISM, CRISC, or equivalent) preferred Preferred experience: - Startup or high-growth environment experience - Experience with developer tools or infrastructure security background - Experience with trust center management - Familiarity with secrets management, credential security, or PKI. BENEFITS - Equity at an early-stage, fast-growing startup - Premium health insurance (medical, dental, vision) - Guilt Free Unlimited PTO - 3-week minimum strongly encouraged! - Upward Mobility - Learning and Development Stipend - Wealth Advisor - 401k - Pregnancy & Family Leave - Fertility & Adoption Benefits - Equal Compensation (regardless of gender or race) For a full list of our benefits check our Perks Notion Page https://dopplerteam.notion.site/Perks-15eb027f917d4b3bac69d0186115d7de. CLOSING We've built a great product our customers love. Our churn is low, and active usage continues to rise. We just need to amplify our reach to educate the market that secrets management can be fast, secure, and affordable for teams and organizations of any size. And most importantly, we need to continue encouraging Developers to stop adhering to archaic insecure standards such as manually managing .env file formats. Are you passionate about developer-focused products and ready to join an amazing team? Then we want to hear from you! A final note - we highly encourage you to apply for this role, even if you don't feel entirely qualified, or entirely sure. You never know!