Security and Compliance Manager

Security and Compliance Manager

About Us

Canopy is a fast-growing SaaS company in South Jordan, Utah building simple, efficient software for accounting firms. We are looking to revolutionize the accounting space with modern, user-friendly software for a neglected industry. Our goal is to help our clients unlock the firm they’ve always wanted with our Practice Management Suite. We place strong emphasis on delighting our customers, spotting and solving problems, and being good people along the way.  Click here to see why our clients love Canopy. Interested in learning more about Canopy & the industry? Check out our blog here where you can find great information on our product features, industry news, practice management, and more!

The Opportunity

Canopy is expanding our security and compliance program, and we're looking for a Security Compliance Manager to own and elevate our compliance initiatives as we scale. This is a high-impact role where you'll take ownership of our SOC 2 program and its expansion, build and maintain our Trust Center, and establish the policies and frameworks that enable secure, compliant growth.

You'll be our first dedicated compliance hire, working closely with our Security and DevOps teams to transition compliance ownership from an ad-hoc, team-distributed model to a structured, scalable program. This role is perfect for someone who loves building systems from the ground up, can balance strategic thinking with hands-on execution, and thrives in a collaborative, fast-moving environment.

This can be a hybrid position in South Jordan, Utah (M, W, F in-office) or fully remote based from Utah.

What You’ll Do

Compliance Program Ownership (30%)

• Lead the expansion of our SOC 2 audit scope to include all Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, and Privacy)
• Own and manage our compliance roadmap, ensuring we're continuously audit-ready
• Coordinate and manage SOC 2 audits, including evidence gathering, auditor communication, and remediation tracking
• Implement and maintain our Trust Center, making our security posture transparent and accessible to customers
• Serve as the primary point of contact for customer security questionnaires and assessments

Policy & Documentation Management (25%)

• Create, refine, and maintain comprehensive security and compliance policies, such as:
• Acceptable Use Policy
• Software Approval Policy
• AI Use Policy
• Incident Response Plan
• Data Retention, Access, and Classification policies
• Email Communication Policy
• Business Continuity Plans
• Ensure policies are practical, enforceable, and aligned with industry frameworks and regulatory requirements
• Develop clear, accessible documentation that empowers teams to understand and follow security best practices
• Partner with Legal, HR, and other departments to ensure policies are comprehensive and cross-functional

Risk & Vendor Management (20%)

• Own and maintain our risk register, conducting regular risk assessments and tracking mitigation efforts
• Lead third-party vendor security reviews and risk assessments
• Maintain detailed knowledge of what data exists in every third-party tool and who has access
• Track and manage vendor compliance documentation (SOC 2 reports, security attestations, etc.)
• Work with Procurement and Engineering to ensure vendors meet our security standards

Technical Control Implementation (15%)

• Implement security controls across our infrastructure and applications in collaboration with Security Engineers
• Work with the team to automate evidence collection and compliance monitoring using tools like Drata and Datadog
• Conduct internal reviews of audit controls to ensure they remain effective and up-to-date
• Identify gaps in our security posture and design solutions to address them
• Evaluate and implement new compliance and security tooling as needed

Cross-Functional Collaboration (10%)

• Partner with Engineering, Product, HR, Legal, and Sales to ensure compliance requirements are understood and met
• Ensure control owners across the organization complete their compliance tasks on schedule
• Provide training and guidance to teams on security and compliance best practices
• Serve as a trusted advisor to leadership on compliance strategy and risk posture

What We're Looking For

Required Qualifications

• 6+ years of experience in security compliance, with at least 2 years owning or leading SOC 2 audits
• Deep understanding of SOC 2 Trust Services Criteria and how to implement effective controls
• Proven experience building or scaling compliance programs at a SaaS or technology company
• Excellent policy writing skills with the ability to translate complex requirements into clear, actionable documentation
• Strong technical foundation with the ability to implement security controls and work effectively with engineering teams
• Experience managing GRC platforms (Drata, Vanta, or similar)
• Outstanding project management skills and ability to coordinate across multiple stakeholders
• Self-starter mentality with the ability to own initiatives from strategy through execution
• Strong ability to translate technical concepts for non-technical audiences

Preferred Qualifications

• Experience expanding SOC 2 scope beyond Security (Availability, Confidentiality, Processing Integrity, Privacy)
• Familiarity with additional compliance frameworks (ISO 27001, PCI-DSS, GDPR, CCPA, HIPAA)
• Experience implementing and managing Trust Centers
• Knowledge of AWS/cloud security best practices (we use EKS, RDS, and AWS services)
• Technical skills in scripting or automation (Python, Bash, etc.) for evidence collection and control monitoring
• Experience with SIEM tools (Datadog), CI/CD platforms (GitHub), and infrastructure monitoring
• Relevant certifications (CISSP, CISM, CISA, or similar)
• Experience in a high-growth startup or scale-up environment
• Background working cross-functionally with Legal, HR, or Sales on compliance initiatives

We know many women do not apply for a job if they don't perfectly fit the description. We want you to apply anyway.

Why You Want to Work Here:

🌴 Flexible Paid Time Off - you’re actually encouraged to use it, plus 10 company holidays! 

❤️‍🩹 Health Benefits - including Medical, Dental, and Vision and an HSA Match. 

💰 401(k) - we match 100% up to 3% of your contribution. Eligibility is immediate with 100% vesting.

🧠 Mental Health -  all employees have access to Impact Suite & to our Employee Assistance Program (EAP).

👶 Paid New Parent Leave & Birthing Parent Leave - so you’re able to care for your little ones.

➕ Supplemental Benefits - including 100% company paid Basic Life & AD&D insurance and long & short-term disability coverage.

🌟 Nectar - our peer-to-peer recognition program to help our employees recognize the amazing work being done by other Canopians!

🥳 Company Events - including monthly company-wide meetings, summer parties, and more.

💡 ERG Committees - to plan initiatives around continuing education, community outreach, recruiting, onboarding, and more.

☕ Fully-stocked kitchen - Keto? Vegan? Flexitarian? Mandalorian? We’ve got you covered. 

Our Values:

We approach our work every day with a few things in mind:

🔑 Own - we own this place! We focus on outcomes, holding ourselves & each other accountable.

🏆 Win - we win by delighting our customers with the very best products and services.

👍 Do Good - we work hard to be good people!

💡 Embrace Curiosity & Candor - we approach everything with curiosity & we understand that candor is kindness and give the gift of feedback.

To learn more about us & our values, click here.

Interviewing @ Canopy:

Application processes can be a little stressful. Here are the stages of a typical interview process at Canopy:

• Once your application is received, we will review it and get back to you if we feel like it’s a mutual fit! 
• 20-minute phone call with the People Team.
• 45-60-minute video or in-person interview with the Hiring Manager.
• 1-3 rounds of interviews, depending on the role.
• Final Interview.

Interview processes can vary depending on the role. The People Team will give you a role-specific overview of the process during your first phone call. 

Remember: This is your interview too! We know candidates are evaluating us just as much as we are them. We encourage you to bring questions to each of your interviews—our hiring teams will always make sure to save time for questions at the end! 

Canopy is an equal-opportunity employer. Canopy provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, gender, national origin, sexual orientation, gender identity or expression, age, disability, genetic information, marital status, or veteran status.