Director, GRC & Privacy Security

About Polymarket

Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized "house," Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future.

We're growing fast — both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire.

About the Role

Polymarket is hiring a Director of GRC & Privacy to build and lead the governance, risk, and compliance function within our security organization. As a high-growth fintech operating across multiple jurisdictions with several subsidiary entities, we carry compliance obligations spanning PCI-DSS, SOC 2 Type II, data privacy regulations, and financial services requirements — and this role will establish the GRC program from scratch.

This is a senior, high-visibility role reporting directly to the CISO. You'll hire and develop a team of three and serve as the primary interface between security, legal, finance, and external auditors and regulators. It requires equal fluency in regulatory requirements, risk management frameworks, and executive communication.

What You'll Do

• Build and own the enterprise security risk management program — risk register, risk appetite framework, risk scoring methodology, and regular reporting to the CISO and executive leadership

• Establish and maintain the security control framework, mapping controls to applicable standards (SOC 2 TSCs, PCI-DSS, CIS Controls) across all entities and subsidiaries

• Drive security policy development and lifecycle management — authoring, reviewing, approving, and enforcing policies across the organization

• Lead the company's security committee and governance forums, ensuring risk decisions are documented, escalated appropriately, and tracked to resolution

• Own the end-to-end compliance program for SOC 2 Type II and PCI-DSS — scoping, control design, evidence collection, auditor management, and remediation tracking

• Build continuous audit readiness rather than a point-in-time posture; automate compliance evidence collection where possible

• Manage relationships with external auditors, certification bodies, and regulators; serve as the primary point of contact for audit engagements across all entities

• Own the third-party risk management program — vendor security assessments, contractual security requirements, ongoing monitoring, and escalation of high-risk findings

• Oversee the data privacy program in partnership with Legal, ensuring compliance with GDPR, CCPA, and applicable regulations across all jurisdictions where the company operates

• Ensure privacy-by-design is embedded in the product development process and that data processing activities are documented, lawful, and consistent with stated privacy notices

• Manage data subject rights obligations and privacy incident response, including breach notification requirements under applicable law

What We're Looking For

• 8+ years of experience in GRC, information security compliance, or a related field, with 3+ years in a management or program leadership role

• Deep, hands-on experience with SOC 2 Type II — you have managed or led multiple audit cycles and understand the TSCs, evidence requirements, and auditor dynamics from the inside

• Strong working knowledge of PCI-DSS v4.0 and experience implementing or managing PCI compliance programs

• Demonstrated experience managing compliance across multiple legal entities or subsidiaries with overlapping and distinct regulatory obligations

• Experience building or significantly maturing a GRC program — not just maintaining one someone else built

• Working knowledge of GDPR and CCPA and the operational requirements they impose on a data-handling business

• Ability to communicate risk and compliance requirements clearly to technical teams, business stakeholders, and executive leadership

• Experience managing external auditor relationships and serving as the primary organizational point of contact during audit engagements

• (Plus) Experience in fintech, payments, cryptocurrency, or financial services — familiarity with money transmitter licensing or FinCEN obligations is a meaningful plus

• (Plus) Professional certifications: CISM, CRISC, CISSP, CIPP/E, CIPP/US, or equivalent

• (Plus) Exposure to ISO 27001, CIS, or NIST CSF as additional compliance frameworks

• (Plus) Experience with GRC platforms (Vanta, Drata, Tugboat Logic, ServiceNow GRC, or equivalent)

• (Plus) Familiarity with AWS cloud environments and how cloud-native architectures affect control design and evidence collection

• (Plus) Prior experience standing up a GRC function in a high-growth, previously unstructured environment

Benefits

• Competitive salary & equity

• Unlimited PTO

• Full Health, Vision, & Dental coverage

• 401k match

• Hardware setup: new MacBook Pro, big display, & accessories