Sr GRC Analyst


Pay: $135,000.00 - $150,000.00 / year
Location: Remote
Employment type: Other
  • Job Description

      Req#: VN387
      Vacancy Name
      Sr GRC Analyst

      Vacancy No
      VN387

      Status
      Active

      Location
      Remote US

      Location Country
      United States

      Description
      The Role

      Auction Technology Group operates a portfolio of online auction and marketplace platforms globally, processing payments and managing personal data across multiple jurisdictions. Our security team is growing, and this role is a key addition: a senior individual contributor who will own the full GRC function across governance, risk management, compliance, control ownership, and audit coordination.

      You will report into a structured security team and work closely with ATG's Internal Audit team, an Audit Committee, and a Data Protection Officer. The stakeholder network around this role is experienced and engaged, and what you will bring is the hands-on GRC ownership that connects those stakeholders to the day-to-day program work.

      The compliance surface area here is real, active, and consequential. PCI DSS, GDPR, UK GDPR, and CPRA/CCPA are all live obligations across ATG's platforms and employee population. You will have direct ownership of meaningful programs, close partnership with the Director of Information Security, and visibility into everything that matters. If you are looking for a role where you maintain someone else's framework, this is not it. If you want ownership, scope, and the satisfaction of seeing your work make a direct difference, keep reading.

      Key Responsibilities
      Governance
      You will set the strategic direction for ATG's GRC program and ensure its alignment with organizational goals across all of ATG's subsidiary marketplace platforms.
      • Own ATG's information security and data governance policy framework: drafting, version control, review cycles, and exception tracking.
      • Build and maintain the RACI for security controls across ATG's platforms, ensuring clear ownership at every layer.
      • Partner with the AppSec Engineer on the security awareness training program: supporting program management, tracking participation, and maintaining compliance evidence that demonstrates an active security culture.
      • Drive alignment to recognized frameworks including NIST CSF, and own external assessment readiness as the program matures.
      • Define the GRC program roadmap in partnership with the Director of Information Security, prioritizing compliance initiatives against business risk.

      Risk Management
      You will identify, assess, and manage risks across ATG's technology and data landscape, with a focus on third-party relationships, business continuity, and the intersection of regulatory requirements and operational reality.
      • Build and operate ATG's third-party vendor risk program: risk tiers, assessment templates, review cadences, and a maintained risk register covering ATG's SaaS vendor estate.
      • Own assessments for new and existing vendor relationships, with particular focus on vendors that process personal data or operate adjacent to payment flows.
      • Own ATG's business continuity planning program across all phases: asset inventory, business impact analysis, implementation, and periodic validation.
      • Partner with InfraSec Engineering on infrastructure-layer resilience inputs to the BCP, and with Legal on risk identification related to regulatory exposure.
      • Support ATG's work toward UK Corporate Governance Code Provision 29 compliance, contributing to the board's formal assessment and reporting on the effectiveness of the company's risk management and internal control frameworks.

      Compliance
      You will ensure ATG meets its legal and regulatory obligations across multiple active frameworks, and report on compliance status to leadership and the Audit Committee.
      • PCI DSS: Own ATG's PCI DSS compliance program across all marketplace platforms and merchant IDs: scope definition, evidence management, QSA coordination, finding remediation tracking, and the ongoing compliance calendar.
      • GDPR and UK GDPR: Own compliance across ATG's marketplace and employee data populations: lawful basis documentation, Record of Processing Activities, data subject rights fulfillment, and breach notification readiness. Build and test a 72-hour breach notification workflow in coordination with Legal, and support the Data Protection Officer function.
      • CPRA and CCPA: Maintain a current inventory of personal information categories collected, processed, and shared across ATG's platforms and workforce. Own consumer rights workflows, opt-out mechanisms, and privacy notices, and coordinate with Legal on annual compliance reviews and regulatory correspondence.
      • Monitor the regulatory landscape across all applicable frameworks and proactively identify compliance obligations as ATG's business evolves.

      Control Ownership
      You will manage specific controls within ATG's GRC framework, ensuring they are effective, well-documented, and aligned with the organization's risk management strategy.
      • Own the evidence library aligned to PCI DSS, GDPR, CPRA, and IT general controls requirements, ensuring audit cycles are systematic rather than reactive.
      • Partner with engineering to ensure technical remediation efforts are correctly prioritized, tracked, and documented to audit standard.
      • Engage with vulnerability management findings from pen testing and other assessment activities, ensuring findings are risk-rated, assigned, tracked to remediation, and reflected in the risk register.
      • Review and maintain data processing agreements with ATG's third-party processors and sub-processors, ensuring controls around data flows are current and enforceable.
      • Conduct and coordinate Data Protection Impact Assessments (DPIAs) for new and changed processing activities, working in partnership with the DPO who provides independent review and sign-off.
      • Align with the IT and Security teams on the implementation and ongoing effectiveness of technical controls, bridging the gap between policy requirements and operational reality.

      Audit Coordination
      You will coordinate audit activity across the GRC program, working closely with ATG's Internal Audit team, Audit Committee, and external auditors to ensure effective and efficient audit cycles.
      • Own IT general controls coordination for the annual external financial audit: evidence gathering, control validation, and finding response across the IT and security estate.
      • Serve as the primary GRC liaison to the Internal Audit team and Audit Committee, providing regular compliance status reporting and supporting board-level visibility into the security program.
      • Manage audit findings through to resolution: track remediation, validate closure, and maintain audit trail documentation.
      • Support the GRC program's internal audit cadence, identifying control gaps and driving continuous improvement.

      Key Requirements
      Technical Skills and Experience
      Essential
      • 5 to 8 years of hands-on GRC experience in a technology company or SaaS environment where the compliance frameworks were live and the stakes were real.
      • Demonstrated PCI DSS experience at meaningful scale: you have been through a Level 1 or Level 2 merchant audit, you understand scope definition and QSA coordination, and you have a track record to point to.
      • Working practitioner knowledge of GDPR and UK GDPR: you know what a ROPA is, you have written DPAs, and you understand the 72-hour breach notification clock.
      • Familiarity with CPRA/CCPA obligations across consumer and employee data populations.
      • Experience coordinating IT general controls for external financial audits.
      • Proven ability to build and maintain risk registers, policy frameworks, evidence libraries, and audit trails.
      • Experience with cardholder data environment scoping and descoping in complex multi-platform payment environments: understanding what is in scope, what can be descoped, and how architectural decisions affect compliance posture.
      • Experience working across multiple GRC function areas: governance, risk management, compliance, control ownership, and audit coordination.

      Highly Desirable
      • CISA, CIPP/US, CIPP/E, CRISC, or equivalent professional certification.
      • Experience building or significantly expanding a GRC program in a fast-moving technology environment.
      • Background in a marketplace, payments, or e-commerce environment where PCI scope complexity was real.
      • Experience evaluating and implementing GRC or privacy platforms to automate compliance workflows, evidence collection, and risk tracking: comfort with assessing options and building a program around the right tooling for the environment.
      • Familiarity with UK Corporate Governance Code requirements, particularly Provision 29 and its implications for internal controls attestation in UK-listed companies.

      How You Work
      The technical bar matters. ATG is a lean team and you will work directly alongside engineers, Legal, Finance, and senior leadership every day. You will also work closely with the Internal Audit team, the Audit Committee, and the DPO on a regular basis.
      • You own your programs. You do not wait to be told what needs to happen next.
      • You can translate compliance requirements and risk findings into language that engineers, executives, and board-level stakeholders all find useful. You are not a policy document dispenser.
      • You are comfortable with complexity and with building. Maintaining someone else's existing framework is a different skill set, and this role calls for both.
      • You communicate proactively. If something is blocked, at risk, or needs a decision, you say so clearly and early.

      Auction Technology Group is committed to fair and equitable compensation practices.

      The pay range for this role is $135,000 to $150,000. Actual compensation packages are based on several factors that are unique to each candidate, including but not limited to skill set, depth of experience, certifications, and specific work location. This may be different in other locations due to differences in the cost of labor.

      The total compensation package for this position may also include annual performance bonus, stock, benefits and/or other applicable incentive compensation plans.

      Employment Type
      Permanent

      Duration
      Permanent

      Business Name
      Proxibid

      Function Name
      Technology