Director, GRC & Privacy Security

External
$198K–$310K/yr | Full-time | On-site | 1d ago
Tags: Web3, Express, AWS
About the role

About Polymarket

Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized house, Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future.

We're growing fast - both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire.

About the Role

Polymarket is hiring a Director of GRC & Privacy to build and lead the governance, risk, and compliance function within our security organization. As a high-growth fintech operating across multiple jurisdictions with several subsidiary entities, we carry compliance obligations spanning PCI-DSS, SOC 2 Type II, data privacy regulations, and financial services requirements - and this role will establish the GRC program from scratch.

This is a senior, high-visibility role reporting directly to the CISO. You'll hire and develop a team of three and serve as the primary interface between security, legal, finance, and external auditors and regulators. It requires equal fluency in regulatory requirements, risk management frameworks, and executive communication.

What You'll Do

- Build and own the enterprise security risk management program - risk register, risk appetite framework, risk scoring methodology, and regular reporting to the CISO and executive leadership
- Establish and maintain the security control framework, mapping controls to applicable standards (SOC 2 TSCs, PCI-DSS, CIS Controls) across all entities and subsidiaries
- Drive security policy development and lifecycle management - authoring, reviewing, approving, and enforcing policies across the organization
- Lead the company's security committee and governance forums, ensuring risk decisions are documented, escalated appropriately, and tracked to resolution
- Own the end-to-end compliance program for SOC 2 Type II and PCI-DSS - scoping, control design, evidence collection, auditor management, and remediation tracking
- Build continuous audit readiness rather than a point-in-time posture; automate compliance evidence collection where possible
- Manage relationships with external auditors, certification bodies, and regulators; serve as the primary point of contact for audit engagements across all entities
- Own the third-party risk management program - vendor security assessments, contractual security requirements, ongoing monitoring, and escalation of high-risk findings
- Oversee the data privacy program in partnership with Legal, ensuring compliance with GDPR, CCPA, and applicable regulations across all jurisdictions where the company operates
- Ensure privacy-by-design is embedded in the product development process and that data processing activities are documented, lawful, and consistent with stated privacy notices
- Manage data subject rights obligations and privacy incident response, including breach notification requirements under applicable law

What We're Looking For

- 8+ years of experience in GRC, information security compliance, or a related field, with 3+ years in a management or program leadership role
- Deep, hands-on experience with SOC 2 Type II - you have managed or led multiple audit cycles and understand the TSCs, evidence requirements, and auditor dynamics from the inside
- Strong working knowledge of PCI-DSS v4.0 and experience implementing or managing PCI compliance programs
- Demonstrated experience managing compliance across multiple legal entities or subsidiaries with overlapping and distinct regulatory obligations
- Experience building or significantly maturing a GRC program - not just maintaining one someone else built
- Working knowledge of GDPR and CCPA and the operational requirements they impose on a data-handling business
- Ability to communicate risk and compliance requirements clearly to technical teams, business stakeholders, and executive leadership
- Experience managing external auditor relationships and serving as the primary organizational point of contact during audit engagements
- (Plus) Experience in fintech, payments, cryptocurrency, or financial services - familiarity with money transmitter licensing or FinCEN obligations is a meaningful plus
- (Plus) Professional certifications: CISM, CRISC, CISSP, CIPP/E, CIPP/US, or equivalent
- (Plus) Exposure to ISO 27001, CIS, or NIST CSF as additional compliance frameworks
- (Plus) Experience with GRC platforms (Vanta, Drata, Tugboat Logic, ServiceNow GRC, or equivalent)
- (Plus) Familiarity with AWS cloud environments and how cloud-native architectures affect control design and evidence collection
- (Plus) Prior experience standing up a GRC function in a high-growth, previously unstructured environment

Benefits

- Competitive salary & equity
- Unlimited PTO
- Full Health, Vision, & Dental coverage
- 40

