Polymarket

Director, GRC & Privacy Security

Not specified
Remote
senior
about 4 hours ago

Overview

Polymarket is seeking a Director of GRC & Privacy Security to lead governance, risk, and compliance functions. This senior role involves building a GRC program and managing compliance across multiple jurisdictions.

About Polymarket

Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized "house," Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future. We're growing fast — both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire.

What You'll Do

  • Build and own the enterprise security risk management program — risk register, risk appetite framework, risk scoring methodology, and regular reporting to the CISO and executive leadership
  • Establish and maintain the security control framework, mapping controls to applicable standards (SOC 2 TSCs, PCI-DSS, CIS Controls) across all entities and subsidiaries
  • Drive security policy development and lifecycle management — authoring, reviewing, approving, and enforcing policies across the organization
  • Lead the company's security committee and governance forums, ensuring risk decisions are documented, escalated appropriately, and tracked to resolution
  • Own the end-to-end compliance program for SOC 2 Type II and PCI-DSS — scoping, control design, evidence collection, auditor management, and remediation tracking
  • Build continuous audit readiness rather than a point-in-time posture; automate compliance evidence collection where possible
  • Manage relationships with external auditors, certification bodies, and regulators; serve as the primary point of contact for audit engagements across all entities
  • Own the third-party risk management program — vendor security assessments, contractual security requirements, ongoing monitoring, and escalation of high-risk findings
  • Oversee the data privacy program in partnership with Legal, ensuring compliance with GDPR, CCPA, and applicable regulations across all jurisdictions where the company operates
  • Ensure privacy-by-design is embedded in the product development process and that data processing activities are documented, lawful, and consistent with stated privacy notices
  • Manage data subject rights obligations and privacy incident response, including breach notification requirements under applicable law

Benefits

  • Competitive salary & equity
  • Unlimited PTO
  • Full Health, Vision, & Dental coverage
  • 401k match
  • Hardware setup: new MacBook Pro, big display, & accessories

What We're Looking For

  • 8+ years of experience in GRC, information security compliance, or a related field, with 3+ years in a management or program leadership role
  • Deep, hands-on experience with SOC 2 Type II — you have managed or led multiple audit cycles and understand the TSCs, evidence requirements, and auditor dynamics from the inside
  • Strong working knowledge of PCI-DSS v4.0 and experience implementing or managing PCI compliance programs
  • Demonstrated experience managing compliance across multiple legal entities or subsidiaries with overlapping and distinct regulatory obligations
  • Experience building or significantly maturing a GRC program — not just maintaining one someone else built
  • Working knowledge of GDPR and CCPA and the operational requirements they impose on a data-handling business
  • Ability to communicate risk and compliance requirements clearly to technical teams, business stakeholders, and executive leadership
  • Experience managing external auditor relationships and serving as the primary organizational point of contact during audit engagements
  • (Plus) Experience in fintech, payments, cryptocurrency, or financial services — familiarity with money transmitter licensing or FinCEN obligations is a meaningful plus
  • (Plus) Professional certifications: CISM, CRISC, CISSP, CIPP/E, CIPP/US, or equivalent
  • (Plus) Exposure to ISO 27001, CIS, or NIST CSF as additional compliance frameworks
  • (Plus) Experience with GRC platforms (Vanta, Drata, Tugboat Logic, ServiceNow GRC, or equivalent)
  • (Plus) Familiarity with AWS cloud environments and how cloud-native architectures affect control design and evidence collection
  • (Plus) Prior experience standing up a GRC function in a high-growth, previously unstructured environment