Technical GRC Specialist
About the role
Who we are

Our mission at Capacity is to help teams do their best work through our AI-powered support automation platform. Capacity provides everything you need to automate support and business processes in one powerful omni-channel platform. We believe that each individual voice, perspective and background brings inherent value to enhance our product, serve our customers and generate more ideas to solve complex problems. By continuing to hire talented, driven and humble teammates, we have the opportunity to see Capacity become a premier enterprise SaaS platform. Capacity has raised over $100 million from over 150 investors, giving us the opportunity to make ambitious investments in our team and big bets on our future. Our total addressable market is enormous. Any company that wants to grow revenue, reduce costs, and improve customer and employee satisfaction is an opportunity for Capacity to shine.

Why this job is exciting

The role: We are looking for an experienced software-as-a-service (SaaS) security practitioner to join our growing Governance, Risk & Compliance (GRC) team. This role will primarily take ownership of our security hardening standards and our Third-Party Risk Management (TPRM), focusing on proactive improvements in cybersecurity, ensuring audit readiness, and scaling GRC processes through automation. This is a high-impact role suited to someone who wants to influence cybersecurity at scale, enjoys working cross-functionally, and is able to balance strong risk management with commercial pragmatism. You will work closely with operational stakeholders across the organization, helping strengthen our overall security posture, including vendor assurance, while enabling the business to move safely and quickly.

Responsibilities

In this role, you will be responsible for the following:

Security Hardening & Technical GRC
- Provide hands-on support in the assessment, improvement, and maintenance of technical security baselines based on industry best practices (e.g., NIST, CIS, ISO). You will ensure these configurations satisfy global regulatory mandates (e.g., HIPAA, GDPR).
- Leverage automated tools to monitor security and compliance posture.
- Act as a GRC interface with Infrastructure and Engineering teams to ensure hardening requirements are technically feasible and effectively implemented.

Third-Party Risk Management
- Manage and continuously improve the company's Third-Party Risk Management programme across suppliers, vendors and strategic partners.
- Own end-to-end due diligence processes for new and existing vendors, including inherent risk assessments, security/privacy reviews and ongoing monitoring.
- Review vendor assurance documentation such as ISO 27001 certificates, SOC 2 reports, penetration test summaries, policies and compliance evidence.
- Identify, document and communicate vendor risks, remediation actions and approval recommendations.
- Maintain risk tiering and reassessment schedules for critical and high-risk vendors.
- Act as a trusted partner to internal stakeholders during vendor onboarding, renewals and procurement decisions.
- Engage directly with suppliers to resolve due diligence issues and drive remediation.

GRC Operations & Improvement
- Maintain audit-ready documentation within GRC systems.
- Support team members as necessary with global and contractual compliance efforts, as well as internal and external audits.
- Contribute to security and compliance policy, process, and control improvements.
- Identify opportunities for automation, simplification, and improved GRC tooling.

What success looks like in the first 12 months
- Strong audit readiness with high-quality, reliable technical evidence.
- Effective use of GRC tooling to automate and streamline compliance processes.
- Mature and efficient Third-Party Risk Management workflows.
- Improved turnaround times for vendor assessments and internal requests.
- Clear visibility of cybersecurity control effectiveness and risk posture.
- Reduced manual effort through automation and improved processes.

Requirements

Essential
- 3+ years' experience in compliance, GRC, vendor risk management, information security, internal audit or related fields.
- Proven experience in cybersecurity and managing third-party/vendor due diligence programmes.
- Strong understanding of common assurance frameworks such as ISO 27001, SOC 2, NIST or equivalent.
- Good working knowledge of UK GDPR / privacy considerations in supplier relationships.
- Familiarity with cloud/SaaS environments and common systems (e.g. identity providers, cloud platforms, collaboration tools).
- Experience reviewing supplier security documentation and identifying practical risks.
- Strong organisational skills with the ability to manage multiple priorities independently.
- Excellent written and verbal communication skills; proficient in English.

Desirable
- SaaS / software industry experience.
- Experience in a multi-entity or fast-growth business environment.
- Familiarity with Vanta or other GRC tools.