GRC Lead at Retool – San Francisco, California

WHY WE’RE LOOKING FOR YOURetool's Trust Team is seeking an experienced GRC Lead to build and scale our governance, risk, and compliance program. Today, we maintain SOC 2 Type II and ISO 27001 certifications, but we're looking for someone who sees compliance not as a checkbox exercise, but as the foundation of customer trust and operational excellence.
In this role, you'll own the maturity journey from being just "compliant" to enabling true program excellence through building the processes, policies, and evidence infrastructure that let us confidently say what we do and demonstrably do what we say. You'll work at the nexus of security, legal, engineering, and go-to-market teams to ensure our compliance posture enables rather than constrains the business, and engineering to build safely at-speed.
This is a hands-on role with strategic scope. You'll shape GRC strategy, scale our assurance capabilities, and build the operational muscle that enables Retool to earn and maintain customer trust at scale.At Retool, we're not just building a product—we're building a company where security is foundational to everything we do. If you're passionate about leading a critical function in a dynamic, innovative environment, we'd love to hear from you.
IN THIS ROLE, YOU WILL:

• Own and mature our compliance programs (SOC 2, ISO 27001, and future frameworks), including audit preparation, evidence collection, and auditor relationships
• Build and operate our customer assurance function, maintaining Trust Program documentation, managing security questionnaire responses, and supporting customer security reviews
• Develop and govern security policies, standards, and procedures, ensuring alignment between documented controls and operational reality
• Stand up and run our third-party risk management program, assessing vendor security posture across the procurement lifecycle
• Establish risk management practices including risk identification, assessment, treatment tracking, and executive reporting
• Partner with Engineering and Product teams to embed compliance considerations into development workflows without creating friction
• Define metrics and reporting that demonstrate program effectiveness to senior leadership

THE SKILLSET YOU'LL BRING:

• 8+ years in GRC, security compliance, or related roles, with experience building programs, not just operating within established ones
• Deep expertise in SOC 2, ISO 27001, and familiarity with adjacent frameworks (NIST CSF and SSDF, etc.)
• Experience supporting B2B SaaS sales cycles through customer security reviews and Trust documentation
• Strong technical fluency, such that you can read a system architecture diagram and have credible conversations with engineers
• Comfort with ambiguity and the ability to prioritize ruthlessly in a fast-moving environment
• Excellent written and verbal communication, with the ability to translate compliance requirements into business terms
• A builder's mindset for a company of builders: you think about automation, efficiency, and scalability, not just completeness

NICE TO HAVE:

• Experience with FedRAMP, FISMA, or FIPS 140-2/3 compliance requirements
• Familiarity with privacy frameworks (GDPR, CCPA) and their intersection with security compliance
• Hands-on experience with GRC platforms (Vanta, Drata, Delve, etc.) and a perspective on how to use tooling to scale
• Previous experience at a high-growth B2B SaaS company, particularly one selling to security-conscious enterprises
• Relevant certifications (CISA, CRISC, CISSP, CIPP, or similar)
• Experience building or contributing to customer-facing trust centers or security portals