
Security & Compliance Engineer

Arist
NY, NY 11201, US
Remote, Full Time
Compensation
$160,000–$175,000/year

Job Description

Arist is the go-to agent-first enablement platform for the Fortune 500. Every deal ships with a security questionnaire, a Trust Center deep-dive, and a customer who wants to see SOC 2 + ISO 27001 + ISO 42001 evidence before signing. Today this work is split across people who have other day jobs. We need one owner.

This is the person who keeps deals from stalling at security review, keeps our audits clean, and keeps our policies real instead of decorative.

What you'll own

Procurement (deal velocity)

  • Respond to security and infosec questionnaires from prospects and customers — owning SLAs that match deal timelines.
  • Build and maintain a centralized answer library so the same question never gets answered three different ways.
  • Stand up infosec questionnaire automation + AI augmentation so we move from artisanal to assembly-line.
  • Triage net-new questions to the right SME — Eng for architecture, Security for controls, Legal for data handling, HR for personnel.
  • Keep the Trust Center current and useful.
  • Run vendor onboarding (classification + risk review), annual re-reviews, and offboarding.

Compliance (SOC 2, ISO 27001, ISO 42001)

  • Run continuous compliance — monthly/quarterly control checks.
  • Own the GRC platform (Vanta or Drata) and keep evidence current.
  • HR controls: background checks, security awareness training, AUP acknowledgments, onboarding/offboarding ticket trails, access reviews tied to terminations.
  • Ops controls: vendor risk assessments, BCP/DR documentation and tabletop exercises, change management evidence, board oversight artifacts.
  • Technical controls: access provisioning + quarterly access reviews, MFA/SSO enforcement, encryption at rest and in transit, logging and monitoring evidence, vuln scans + remediation SLAs, pen test reports, secure SDLC evidence, and identifying + driving fixes for vulnerabilities in our software supply chain.
  • Requests: Handle “right to be forgotten” GDPR and CCPA requests
  • Auditor coordination: scoping, kickoff, walkthroughs, evidence, follow-ups, exceptions, remediation, clean report delivery to the Trust Center.

Risk (policies and incident response)

  • Maintain the policy library: infosec, AUP, access control, incident response, data classification, BYOD, encryption, change management, vendor management, BCP/DR.
  • Run the annual policy review cycle — updates, exec approval, employee re-acknowledgment.
  • Monitor adherence: MDM enrollment, endpoint protection coverage, SSO/MFA enforcement, privileged access reviews, exception tracking.
  • Run incident response when something happens — detection, containment, internal + customer comms, post-mortem, regulatory and contractual notifications.

What you'll have done before

Ideally, you have DevOps chops. We'd love someone who's lived on the engineering side too — comfortable in CI/CD, cloud infra (AWS/GCP), IaC (Terraform), and shipping fixes themselves rather than only filing tickets. The strongest candidates won't just audit our technical controls; they'll harden them. If you've worn both the GRC hat and the DevOps hat, tell us.

  • Owned SOC 2 Type II at a SaaS company end-to-end. ISO 27001 a strong plus. ISO 42001 a bonus — happy to grow into it.
  • Run a GRC platform (Vanta, Drata, or similar) as the primary admin.
  • Read a SaaS application architecture and held your own with engineers about the security implications. You don't need to be a developer, but you can talk to ours.
  • Led at least one real incident response, not just a tabletop.

How we'll know you're great

  • Questionnaire turnaround drops from weeks to days, with consistent answers.
  • Trust Center is the first thing prospects see and the last thing they ask about.
  • Audits are non-events. No 11th-hour evidence scrambles.
  • Policies are followed because they're current and clear, not ignored because they're stale.
  • When something goes wrong, the response is calm, fast, and well-communicated.

How we work

Small team. High trust. Speed to deploy and close deals is our edge, so your job is to make compliance and procurement match that pace, not slow it down. We default to simplicity, not 20-page specs. We expect crisp written communication and have a low tolerance for ceremony that slows things down.

Apply

Send a note to maxine @ arist dot co with 1) why you're interested in Arist and 2) what makes you exceptional for this role that spans security, compliance, and DevOps in a fast-growing startup environment.


Job Details

Category
Security
Employment Type
Full Time
Location
NY, US / Remote (US) (Remote Available)
Posted
May 10, 2026, 08:40 PM
Listed
May 10, 2026, 08:40 PM
Compensation
$160,000 - $175,000 per year

About Arist

Part of the growing frontier tech ecosystem pushing the edges of what's possible.
