Job VC
Security Manager
Reply helps thousands of companies automate and scale their sales outreach — and we were among the first to put an AI SDR inside a sales engagement platform. We move fast, stay lean, and solve problems with AI, not headcount.
Now we're looking for a
Security & Compliance Manager
to own our security and compliance programme as we move upmarket. This is a hands-on, build-from-scratch role: you'll own the programme end-to-end, report directly to the CEO, and have the autonomy to shape how security works here rather than inherit someone else's playbook.
👉 If you like turning risk into clear business decisions — and building systems that make security something the company moves faster because of, not slower — you'll thrive here.
🎯 What you'll do
Own and run the security and compliance programme end-to-end
Lead annual SOC 2 Type 2 audits and lay the groundwork for ISO 27001 and other relevant certifications — owning audit readiness throughout: evidence collection, documentation, and representation in audits and regulatory interactions
Own security and privacy governance: policies, standards, and their full lifecycle, aligned with SOC 2 and relevant frameworks
Maintain the risk register across access controls, internal processes, data confidentiality and availability, infrastructure, and third parties — and translate identified risks into clear, prioritised treatment plans with owners and timelines
Own identity and access management across all company systems: onboarding/offboarding, regular access reviews, and least-privilege enforcement
Run vendor and third-party risk management, embedding security requirements into contracts and SLAs
Handle inbound security questionnaires and enterprise security reviews from customers and prospects, independently
Scope, procure, and manage the annual external pentest — you own the process and track remediation through to completion with DevOps
Build and run a security awareness programme in collaboration with HR: training completion, phishing simulations, and behavioural improvement tracking
Partner with engineering and DevOps to translate compliance requirements into technical controls
Treat Claude Code as your core security operating system — use it daily to investigate our systems, automate GRC workflows, build and test controls, and actively challenge our own defences. This role sets the bar for what AI-first security looks like here
Report to leadership on top risks, incidents, control effectiveness, awareness metrics, and compliance status
🧩 Requirements
Must-have:
4+ years in information security or GRC, including hands-on ownership of a SOC 2 programme
Proven hands-on experience with SOC 2 Type 2 and ISO 27001 in a SaaS or product company
Working knowledge of GDPR and its implications for a SaaS business
Experience managing vendor and third-party risk, including security requirements in contracts and SLAs
Experience handling customer-facing security questionnaires and enterprise security reviews independently
Able to assess and communicate risk in business terms
Comfortable working across teams without direct authority
Comfortable operating in cloud environments (we run on Azure)
An AI-first operator who reaches for automation before manual effort — ideally already an exceptional Claude Code power user
Advanced English
Will be a plus:
ISO 27001 Lead Implementer / Auditor or CISM certification
Familiarity with GRC tooling such as Drata, Vanta, or similar
Background in a startup or scale-up where you built processes rather than inherited them
🎁 What we offer
Full ownership of the security programme — build it from the ground up, with direct CEO access and real autonomy
Your work directly enables the company to move upmarket and win bigger customers
High ownership and the freedom to improve systems and processes
Close collaboration with leadership, engineering, and DevOps
100% remote, with minimal meetings and zero bureaucracy
Coverage for professional courses, gym memberships, or therapy sessions
AI-first culture — we actively use advanced AI tools and cover premium software costs
15 paid vacation days, 🇺🇦 national holidays, and ~10 days of Christmas vacation
Unlimited sick leave
Access to internal training, literature, and knowledge sessions
If you're excited about building a security programme from scratch, turning risk into clear decisions, and doing it AI-first — we'd love to hear from you!