Lead Compliance Engineer

Bengaluru

Razorpay is one of India’s leading full-stack financial technology companies, powering the way businesses move, manage, and grow money. Founded in 2014 by Harshil Mathur and Shashank Kumar with a simple vision — to simplify payments for Indian businesses — we’ve since grown into a fintech powerhouse driving India’s digital payment revolution.

Razorpay powers millions of businesses with a smarter, scalable stack that goes beyond transactions to help them truly build and grow.

From seamless checkouts to payroll automation, across India, Singapore, and Malaysia, we’ve been engineering a fintech ecosystem that’s redefining how money moves across Asia — and we’re just getting started.

Today, that ecosystem supports everyone from early-stage startups to some of India’s largest enterprises, enabling them to accept, process, and disburse payments at scale while expanding into new ways of managing money more efficiently.

Our scale speaks volumes: Razorpay processes $180+ billion in annualized transactions, powering leading businesses like Airbnb, Facebook, WhatsApp, Airtel, CRED, BookmyShow, Zomato, Swiggy, Lenskart, Mirae Asset Capital markets, Indian Oil, National Pension Scheme — and over 100 of India’s unicorns. With strong roots in India and growing operations in Southeast Asia, we are shaping the next chapter of financial technology across the region.

We are backed by global investors including GIC, Peak XV Partners (formerly Sequoia Capital India & SEA), Tiger Global, Ribbit Capital, Matrix Partners, MasterCard, and Salesforce Ventures, having raised over $740 million to date. Strategic acquisitions — including Ezetap (POS and offline payments), Curlec (Malaysia expansion), BillMe (digital invoicing), and POP (rewards-first UPI) — along with earlier moves in fraud prevention, payroll, and lending, have further strengthened our platform and widened our footprint across Asia.

But what truly sets Razorpay apart is our culture. At Razorpay, ownership is our oxygen — you own what you build, with no micromanagement or red tape, just the runway to make your ideas fly. Learning is a lifestyle — if you’re curious, you’ll feel at home here. People > Pedigree — we hire for attitude, hustle, and hunger more than degrees. Transparency thrives over titles — this is where interns question CXOs and CXOs say “thank you.” Guided by our values of Customer First, Autonomy & Ownership, Agility with Integrity, Transparency, Challenging the status quo, and a strong belief that Razorpay grows with Razors, you’ll be part of a 3000+ strong team building not just products, but the financial infrastructure of the future.

While we deeply value legal and policy expertise, this specific position is designed for a hands-on privacy practitioner who can review a cloud architecture diagram, assess an AI agent's data flows, run a vulnerability lens across a SaaS tool, and come back with privacy findings/solutions. Regulatory knowledge (DPDP, GDPR) is necessary but not sufficient. The ability to translate that knowledge into technical controls, system assessments, and automation-first operations is what differentiates the right candidate.

Role Summary

Razorpay is seeking a Lead Compliance Engineer — Privacy who sits at the intersection of regulatory compliance, hands-on security assessment, and AI-era data governance. This is a practitioner role: you will assess systems, cloud infrastructure, and AI tools directly — not through questionnaires alone. You will bring working knowledge of India's Digital Personal Data Protection (DPDP) Act 2023 and GDPR, applied through a technical lens. As Razorpay increasingly deploys AI agents and LLM-powered workflows across operations, this role is responsible for ensuring those systems are privacy-safe, accessible, and governed by a clear framework.

What Makes This Role Different at Razorpay

  • Understanding Systems: You can look at technical diagrams and understand how data moves through a system.
  • Cloud Familiarity: You are comfortable working with modern cloud software and have experience assessing privacy risks in tech-focused companies.
  • Practical Application: You know the privacy laws (DPDP/GDPR), but your real strength is applying them to actual software products and AI tools, not just writing legal documents.

Key Responsibilities

1. Privacy Compliance & Regulatory Operations

  • Implement and operationalize DPDP Act 2023 and GDPR requirements across Razorpay systems, products, and third-party integrations
  • Maintain and update the Record of Processing Activities (RoPA), consent frameworks, data classification registers, and data subject rights workflows
  • Execute Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA)
  • Assist in driving cross-border data transfer compliance — SCCs, adequacy decisions, DPDP cross-border rules
  • Support regulatory audits, RBI/SEBI-related data privacy reviews, and internal compliance reviews
  • Monitor and enforce consent, purpose limitation, data minimisation, and retention controls in production systems

2. Privacy Posture Assessment

  • Infrastructure Privacy Reviews: Conduct assessments of technical environments (cloud and on-premise) to evaluate data protection measures, including access controls, encryption standards, and data handling practices.
  • Vendor & Tool Evaluation: Go beyond standard questionnaires to actively assess third-party tools and SaaS vendors, focusing on actual data flows, integration risks, and technical configurations.
  • Control Effectiveness: Review existing security controls to ensure they meet privacy obligations, identifying any gaps and collaborating with technical teams to define necessary improvements.
  • Monitoring & Incident Readiness: Evaluate logging and monitoring systems to ensure they capture the right information to detect privacy incidents and support compliance audits.

3. AI Systems Privacy Assessment (LLM-Focused)

  • Review AI Workflows: Lead privacy checks on new AI tools, chatbots, and internal AI systems, focusing on how data is entered, stored, and managed.
  • Ensure Legal Compliance: Make sure our AI tools follow privacy laws (like DPDP and GDPR) by ensuring we only use necessary data, have proper consent, and handle data safely when sharing it with external AI providers.
  • Create Onboarding Checklists: Build and maintain clear privacy and security checklists for evaluating and approving new AI tools before they are adopted by the team.
  • Identify AI Risks: Spot and document privacy risks specific to AI, such as accidental data leaks, keeping personal information in AI responses, or understanding how third-party AI companies might use our data.
  • Partner with Product & Tech: Work closely with the engineering and product teams to ensure privacy is built into all new AI features right from the beginning (Privacy-by-Design).

4. AI-Powered Privacy Operations (Automation-First)

  • Streamline Privacy Operations: Design and implement efficient workflows that reduce manual effort—such as automating routine assessments (DPIAs) and simplifying evidence collection.
  • Leverage AI for Compliance: Utilize AI-assisted tools to accelerate tasks like policy analysis, control testing, and drafting compliance reports, ensuring faster turnaround times.
  • Create Scalable Resources: Build standardized playbooks, templates, and checklists that allow different teams to conduct consistent privacy reviews without needing constant oversight.
  • Monitor Automation Quality: Review and validate the output of automated tools and AI assistants to ensure accuracy and regulatory alignment before accepting them as formal compliance evidence.
  • Maintain Compliance Visibility: Manage dashboards and reporting mechanisms that integrate data from various systems to provide a clear, real-time view of the organization's privacy health.

5. Incident, Documentation & Stakeholder Management

  • Support Incident Operations: Assist in classifying privacy incidents and tracking response timelines to ensure the team meets regulatory reporting deadlines (DPDP & GDPR).
  • Manage Privacy Records: Keep privacy documentation up-to-date and organized, including policies, DPIAs, audit logs, vendor assessments, and the central risk register.
  • Stakeholder Collaboration: Act as a bridge between teams, clearly explaining privacy requirements and risks to engineering, product, and legal peers to ensure everyone is aligned.

Must Have Skills & Knowledge:

1. Regulatory Knowledge

  • Deep working knowledge of India's DPDP Act 2023 — including Data Principal rights, Data Fiduciary obligations, Consent Manager framework, Significant Data Fiduciary requirements, and cross-border transfer rules
  • Hands-on GDPR compliance experience — Article 30 RoPA, Articles 32–36 security and DPIA obligations, cross-border transfer mechanisms (SCCs, BCRs), and DPA interaction experience
  • Familiarity with RBI data localisation guidelines, SEBI cybersecurity frameworks, and PCI-DSS data security standards as applicable to a payments company
  • Ability to translate regulatory text into technical control requirements — not just policy documents

2. AI & LLM System Privacy Assessment

  • Evaluating AI Tools: Experience reviewing AI platforms for data privacy, with a clear understanding of how user inputs, system settings, and external connections impact the handling of personal data.
  • Assessing AI Integrations: Ability to review how AI systems connect to other software and databases to ensure these automated workflows don't accidentally expose sensitive information.
  • Understanding AI Risks: Strong grasp of privacy risks unique to AI, such as accidental data leaks in AI responses, how long an AI remembers information, and how third-party AI companies use the data shared with them.
  • Vendor Privacy Policies: Familiarity with the privacy terms and data-retention policies of major AI providers (e.g., OpenAI, Anthropic) and how to ensure those policies align with laws like DPDP and GDPR.
  • Responsible AI Practices: Knowledge of how to set up and evaluate safe AI usage—this includes ensuring AI systems only use necessary data, are protected against malicious user inputs, and keep clear logs of their activity.

3. Privacy Engineering & Automation

  • Automate Privacy Workflows: Use AI platforms or simple scripts to automate repetitive tasks—like triggering assessments when a new vendor is added or auto-generating compliance tickets from monitoring alerts.
  • Leverage AI Tools: Utilize AI assistants (like Claude) to speed up technical reviews—using them to quickly parse large logs, summarize technical documentation, or draft test cases for compliance controls.
  • Technical Data Mapping: Validate data flow diagrams by reviewing system configurations and integrations, ensuring that the documentation matches the reality of how data moves between tools.

4. Technical Literacy (Baseline Requirements)

  • Technical Fluency: Can interpret system diagrams (Cloud/API/Event-driven) to spot data leaks.
  • Infrastructure Privacy: Understands data governance within containers (K8s/Docker).
  • SDLC Automation: Can implement "Privacy by Design" within the software release lifecycle.
  • Authentication Logic: Capable of assessing privacy risks in SSO and SaaS integrations.

5. Soft Skills & Ways of Working

  • Assessment-first mindset — you look for evidence, not just assurances
  • Strong analytical and structured risk reasoning — ability to prioritise findings by regulatory exposure and business impact
  • Clear, concise documentation for both technical and executive audiences
  • Collaborative across engineering, product, legal, and vendor teams — you enable, not block
  • Comfortable with ambiguity in fast-moving environments — Razorpay moves fast and regulatory landscapes are evolving
  • Proactive in identifying gaps before auditors or regulators do

6. Experience:

  • 4-5+ years in a privacy, compliance, or security role with at least 1–2 years in a hands-on technical capacity
  • Background in FinTech, Payments, Banking, or Insurance — familiarity with regulated financial data environments
  • Experience in a high-growth technology company where infrastructure and products change rapidly
  • Prior work with Indian data protection regulatory bodies or experience supporting DPDP readiness programmes

Razorpay believes in and follows an equal employment opportunity policy that doesn't discriminate on gender, religion, sexual orientation, colour, nationality, age, etc. We welcome interests and applications from all groups and communities across the globe.