Forma

Compliance Analyst (contract)

United States

Compensation: Not Specified
Experience Level: Junior (1 to 2 years)
Job Type: Full Time
Visa: Unknown
Industries: Financial Services, Software & Technology, Health & Benefits

Position Overview

  • Location Type: Remote
  • Job Type: Full-Time (Temporary, 4 months)
  • Reports to: Director of Security and IT

Forma is revolutionizing the employee benefits market by offering flexible benefits software that allows companies to provide competitive packages while reducing costs. The platform enables employees to choose how they spend their benefit allowances through The Forma Store, The Forma Visa Card, or reimbursement. Forma serves hundreds of renowned companies, including Stripe, Zoom, Lululemon, and Affirm, with a high customer retention rate and strong satisfaction scores.

About the Role

Forma is seeking a Compliance Analyst to maintain, scale, and operationalize its compliance programs across SOC 2, HIPAA, PCI DSS, and privacy frameworks like GDPR and CCPA. This role is crucial for supporting the sales process by completing customer RFPs and security questionnaires, demonstrating Forma's commitment to security and privacy. The Compliance Analyst will collaborate with InfoSec, Legal, Sales, and Product teams to build customer trust and ensure the platform adheres to the highest security, compliance, and transparency standards.

Responsibilities

  • Own and manage ongoing compliance efforts for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA.
  • Maintain and update security and privacy policies, documentation, and evidence for audits and regulatory requirements.
  • Lead coordination and responses for third-party audits, risk assessments, and compliance reviews.
  • Support security incident response planning, tracking of corrective actions, and remediation activities.
  • Partner with Legal and Product teams to assess the regulatory impact of new features, vendors, and jurisdictions.
  • Collaborate with Sales and Customer Success teams to respond to security RFPs, due diligence questionnaires, and client assessments.
  • Own and update a knowledge base of standardized security responses and documentation for efficient RFP and questionnaire handling.
  • Conduct vendor security and privacy assessments, ensuring appropriate controls and agreements are in place.
  • Educate internal stakeholders on security and data protection best practices through training and documentation.
  • Stay current on evolving security standards, privacy laws, and industry trends.

Preferred Skills

  • 5-8 years of experience in security compliance, GRC, data privacy, or legal/compliance roles at a SaaS or fintech company.
  • Hands-on experience with SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA frameworks.
  • Familiarity with compliance tools such as Vanta, Drata, OneTrust, TrustArc, or equivalents.
  • Demonstrated success in completing RFPs, security questionnaires, and supporting enterprise client audits.
  • Strong written communication skills, with the ability to explain complex security concepts to non-technical audiences.
  • Excellent attention to detail, organization, and ability to manage multiple priorities concurrently.
  • Bachelor's degree in Information Security, Legal Studies, Business, or a related field.

Skills

SOC 2
HIPAA
PCI DSS
GDPR
CCPA
Security frameworks
Privacy frameworks
Customer RFPs
Security questionnaires
Cross-functional collaboration

Forma

Flexible employee benefits management platform

About Forma

Forma provides a flexible benefits platform designed for HR teams and employers to enhance their employee benefits offerings, particularly in remote and hybrid work settings. The platform allows employers to tailor a variety of benefits to meet the specific needs of their employees, promoting higher utilization and satisfaction. Forma addresses common HR challenges, such as underutilization of benefits, by simplifying access and increasing awareness among employees. Additionally, the platform includes tools for monitoring compliance and risk, ensuring that companies adhere to relevant regulations. Unlike many competitors, Forma focuses on flexibility and accessibility, making it easier for organizations to create a healthier and more engaged workforce. The goal of Forma is to transform employee benefits management, providing a beneficial solution for both employers and employees.

Headquarters: San Francisco, California
Year Founded: 2017
Total Funding: $38.9M
Company Stage: Series B
Industries: Consulting, Social Impact, Education
Employees: 201-500

Benefits

Remote Work Options
Health Insurance
Dental Insurance
Vision Insurance
Wellness Program
Home Office Stipend
401(k) Retirement Plan
Unlimited Paid Time Off
Parental Leave

Risks

Emerging startups with similar platforms could reduce Forma's market share.
Economic downturns may lead to reduced spending on employee benefits.
Data privacy concerns could undermine trust in Forma's platform.

Differentiation

Forma offers a curated vendor collection with preferred pricing, eliminating reimbursement hassles.
The platform provides flexible benefits tailored to remote and hybrid work environments.
Forma ensures compliance with regulations through continuous risk and compliance monitoring tools.

Upsides

Growing demand for personalized benefits boosts Forma's market potential.
Remote work trends increase the need for flexible benefits platforms like Forma.
Advancements in AI enable Forma to offer more personalized benefits solutions.
