GRC Analyst

Zone & Company Software Consulting LLC (“Zone”) is the ERP-native AI platform for financial operations, purpose-built for organizations running on Oracle NetSuite. We are redefining how finance teams operate by delivering an AI-powered system that automates, connects, and scales financial workflows directly within the ERP.

As the AI operating system for finance teams in NetSuite, Zone enables more than 4,500 customers worldwide to run smarter, faster, and with greater accuracy. Our platform spans the full financial lifecycle, including Quote-to-Cash, Procure-to-Pay, Treasury, Payroll Management, and Record-to-Report, eliminating manual processes and unlocking real-time financial intelligence.

By embedding intelligence directly into NetSuite, Zone helps finance teams move beyond reactive work to proactive, strategic impact. Learn more at www.zoneandco.com or follow us on LinkedIn: linkedin.com/company/zoneandco.

The Role: We are seeking a meticulous and proactive Security and Privacy Compliance Analyst to help safeguard our organization and our customers' data. Reporting directly to the Director of IT, Security and Compliance, you will play a critical role in maturing our governance, risk, and compliance (GRC) programs. In this position, you will bridge the gap between technical security controls and regulatory requirements, ensuring that Zone & Co's rapidly expanding suite of financial software maintains the highest standards of data protection and privacy.

This role requires a strong foundational knowledge of major security frameworks and privacy regulations, a keen eye for detail in auditing internal processes, and the ability to clearly communicate compliance postures to both internal engineering teams and enterprise customers.

Essential Job Functions:

• Compliance Framework Governance: Lead the management and continuous scaling of Zone & Co’s core security compliance frameworks, specifically SOC 2 Type II and ISO 27001.
• Privacy Operations Leadership: Govern global data privacy operations to ensure strict, ongoing alignment with GDPR, CCPA/CPRA, and other emerging data protection laws.
• Customer Trust & Revenue Enablement: Serve as the primary security liaison for enterprise customers, directly supporting the sales cycle by demonstrating and communicating a robust, mature security posture.
• Risk & Audit Management: Manage the organization's internal audit program and oversee the third-party vendor risk lifecycle to proactively identify and mitigate vulnerabilities.

Responsibilities, Duties, and Tasks:

• Audit Coordination: Coordinate evidence collection, manage project timelines, and partner directly with external auditors during annual compliance assessments.
• Privacy Assessments: Conduct Data Privacy Impact Assessments (DPIAs) for new products and process Data Subject Access Requests (DSARs) within mandated SLAs.
• Questionnaires & Trust Center: Accurately and efficiently complete incoming vendor security questionnaires from prospects and maintain up-to-date documentation in our customer-facing Trust Center.
• Internal Control Testing: Design and execute internal audits to test whether technical and administrative controls are operating effectively. Track control gaps and drive engineering/IT remediation efforts.
• Vendor Risk Reviews: Evaluate the security and privacy postures of prospective and existing third-party vendors and sub-processors through comprehensive risk assessments.
• Policy & Training Development: Draft, update, and publish internal security policies, standard operating procedures (SOPs), and incident response plans. Develop and administer engaging company-wide security and privacy awareness training.

What You'll Bring (Qualifications and Experience):

• Experience: 3+ years of direct experience in IT Audit, Information Security, Privacy Operations, or GRC (Governance, Risk, and Compliance), preferably within a B2B SaaS, FinTech, or cloud technology environment.
• Deep Domain Expertise: Hands-on experience working with established compliance frameworks (SOC 2, ISO 27001) and navigating global privacy legislation (GDPR, CCPA).
• SaaS/Cloud Acumen: A solid understanding of cloud computing architectures (AWS, Azure, GCP) and enterprise software environments. Familiarity with ERP systems (like NetSuite) is a strong plus.
• Analytical & Problem-Solving Skills: Proven ability to translate complex regulatory requirements into actionable, practical controls for IT and engineering teams without stifling innovation.
• Exceptional Communication: Outstanding written and verbal communication skills. You must be able to write clear policies, translate technical risks for business leaders, and confidently answer complex customer security questions.
• Education & Certifications: Bachelor’s degree in Information Systems, Cybersecurity, Business, or a related field. Relevant industry certifications such as CISA, CISM, CIPP/E, CIPP/US, or Security+ are highly preferred.

Benefits

At Zone, we provide the platform; you provide the grit. We operate as a high-velocity, fully remote, global team where autonomy isn't just a perk, it’s the standard. We’re looking for self-driven professionals eager to navigate the complexities of a unique SaaS environment and take full command of their professional evolution.

We ditch micro-management for high-trust flexibility, ensuring you have the space to innovate and scale. Our benefits are built to fuel this lifestyle, supporting your life beyond the screen so you can focus on making a global impact. Explore our offerings at https://www.zoneandco.com/careers

Join Our Global Mission

Zone & Co is an Equal Opportunity Employer committed to building a diverse, equitable, and inclusive workplace. We thrive on unique perspectives and strongly encourage candidates of all backgrounds to apply. Here, your identity is valued, and your talent is the only limit to your growth. All qualified applicants will receive consideration regardless of race, color, religion, sex, orientation, age, disability, or any other protected factor.

Employment Terms

United States

Employment with Zone is “At-Will”, meaning either party may terminate the relationship at any time, with or without cause or notice, in accordance with applicable law. This job description does not constitute an employment contract or guarantee of continued employment. Duties and responsibilities may evolve as the company grows and may change at any time with or without notice.

Non-US Jurisdictions

This position is offered as a Fixed-Term or Permanent Contract based on your country of residence.  Employment is subject to a written contract which outlines specific notice periods, probationary terms, and statutory entitlements.

Privacy Statement

#LI-Remote