Founding GRC Lead

You could be a GRC Lead anywhere, why us?

• Join a well-funded, high-growth startup on the path to IPO ($50M raised, 700% revenue growth in 2 years, targeting a $6T market)
• Work directly with our Head of Finance and CTO
• Help transform a massive industry and scale us toward a $10 B+ business

About the opportunity:

Pallet is hiring its first dedicated GRC leader to own how we earn and keep trust: with customers, auditors, and regulators. You'll run our SOC 1 and SOC 2 programs, build our GDPR and CCPA privacy operations, and work shoulder-to-shoulder with engineering, product, sales, and legal to make compliance something Pallet is good at, not something it survives. This role reports directly to leadership and is the foundation of a function you will one end to end, and eventually grow.

Why this role is different:

• You're the first. No inherited process, no legacy bureaucracy: you design the compliance operating model from a blank page, with the GRC tooling and executive support to do it right.
• Revenue-facing, not back-office. Enterprise deals at Pallet increasingly hinge on security posture. You'll sit in on customer conversations, own the trust narrative, and directly unblock sales.
• Full-spectrum scope. Most GRC roles silo you into audit or privacy or vendor risk. Here you own all of it, with the engineering proximity to actually change how things get built.
• Surround yourself with top-tier talent and fast-track your career: this is a foundational seat with a clear path to building and leading a team.

How you will make an impact:

• Run SOC 1 and SOC 2 Type II audit cycles end to end: control design, evidence automation, auditor relationships, and clean reports delivered on schedule, every cycle.
• Build Pallet's privacy program for GDPR and CCPA/CPRA:data inventory and mapping, DSAR handling, DPAs, and privacy reviews baked into product development.
• Primary point of contact for external auditors and assessors in collecting evidence, audit responses, timelines. Translate audit findings into actionable plans.
• Implement continuous-compliance infrastructure so audit readiness is a byproduct of how we operate, not an annual fire drill.
• Embed security and privacy controls into engineering and product workflows, earning adoption through partnership rather than mandate.
• Stand up vendor risk management: security reviews, DPA negotiation support, and an ongoing third-party risk register.
• Own the customer-facing trust motion (security questionnaires, trust center, customer audits) and measurably shorten enterprise sales cycles.

Preferred experience:

• 7–12 years across GRC, security compliance, or audit, including full ownership of at least two SOC 2 Type II cycles.
• Built or significantly matured SOC, ISO, GDPR, and privacy compliance programs in-house - you've operationalized privacy, not just advised on it.
• Technically credible with engineers: comfortable discussing access controls, encryption, logging, and cloud infrastructure (AWS/GCP) without needing translation.
• Deep hands-on experience with compliance automation platforms and evidence workflows.
• Startup-calibrated judgment: you know which risks matter, build lightweight process, and have certifications (CISA, CISSP, ISO 27001 LA) as a bonus rather than a substitute for experience.

Interview Process:

• Chat with Christy - Business Recruiter - 30 mins
• Chat with Austin Zheng - 30-45 mins
• Proficiency Assessment
• Final Interview - 3-4 hours
• Brief Background Check and Reference Check

We move fast, and we’ll keep you informed at every stage of the process.

Location: This role is an in-office role in our San Francisco office (5 mins walk from Montgomery BART Station)

Compensation:

The estimated salary range for this role is $175,000-$225,000, depending on experience and skill set. In addition to base salary, we offer competitive equity, benefits, and opportunities for growth. Final compensation will be determined based on a combination of factors, including experience, qualifications, and location.