Senior Governance Risk and Compliance (GRC) Analyst

Job Description

Salary: Not Specified Location Type: Not Specified Employment Type: Not Specified

Position Overview

Headway is on a mission to build a new mental health care system that everyone can access. We have developed software-enabled technology that connects people with therapists who accept insurance, addressing the significant barrier of high costs associated with mental healthcare. Our goal is to make therapy affordable and accessible by simplifying the process for therapists to accept insurance and grow their practices.

Founded in 2019, Headway has rapidly grown into a national network of over 45,000 mental healthcare providers across all 50 states. Our platform has served over 1 million patients. We are a Series D company with substantial funding from leading investors including a16z, Accel, GV, Spark Capital, Thrive Capital, Forerunner Ventures, and Health Care Service Corporation. We are looking for individuals who want to make their time at Headway the most meaningful experience of their careers and contribute to improving mental healthcare.

About Trust at Headway

The Trust team at Headway is dedicated to ensuring the security and privacy of all our users, including therapists, patients, and payers. As an early member of this team, you will have the unique opportunity to build and lead our in-house security engineering efforts.

In this role, you will be responsible for developing, extending, and integrating Headway's risk and compliance processes to scale with our business growth. You will collaborate closely with members of the Security, IT, and Headway Engineering teams to prioritize risks and ensure we exceed compliance expectations.

Responsibilities

• Building and maintaining a Common Controls Framework: Align and continuously monitor shared compliance and risk controls across various certifications and customer requirements.
• Coordinating security or privacy certification audits: Manage audits (e.g., SOC2, HiTrust, GDPR/CCPA) in collaboration with external firms and internal Engineering and Security teams.
• Partnering with Trust and Engineering teams to identify risk signals: Recognize and flag potential risk signals throughout the lifecycle of Headway events.
• Assisting in ongoing security operations: Contribute to the security and privacy team's efforts in incident response, vulnerability management, penetration testing, security reviews, and other operational tasks to maintain world-class security program standards.

Tools We Use

• Languages: Python 3, TypeScript
• Libraries: FastAPI, SQLAlchemy, React/Remix, Celery
• Datastores: PostgreSQL, Snowflake
• Infrastructure: AWS (ECS, S3, RDS), Cloudflare, Kafka
• Infrastructure Security: Wiz
• Monitoring: Datadog, PagerDuty
• Version Control: Github
• Vulnerability Management: Semgrep

Qualifications

You’ll be a great fit for this role if you have:

• 0 → 1 GRC experience: 5+ years of experience in security and/or software engineering roles within startup or growth-stage teams, with a proven track record of achieving governance, risk, and compliance goals.
• Strong cross-functional experience: A passion for collaborating with other teams to help achieve shared objectives.
• Strong technical depth and breadth: Technical experience with secure product platforms, with a desire to understand security systems and improve process efficiency.
• Thrive in ambiguity: The ability to tackle ambiguous problems in a fast-paced environment with an optimistic and energizing attitude.
• Innovation at Scale: A drive to lead the industry in implementing the latest security and privacy technologies.
• Results driven: A strong focus on creating impact and driving tangible results for Headway's business.
• Mission driven: Motivation stemming from Headway’s mission.