ASM Research

It is the policy of ASM that an individual's race, color, religion, sex, disability, age, sexual orientation or national origin are not and will not be considered in any personnel or management decisions. We affirm our commitment to these fundamental policies. All recruiting, hiring, training, and promoting for all job classifications is done without regard to race, color, religion, sex, disability, or age. All decisions on employment are made to abide by the principle of equal employment.

Cybersecurity Incident Response Engineer

Location

United States

Posted

39 days ago

Salary

0

Seniority

Mid Level

Job Description

Role Description

The Cybersecurity Incident Response Engineer, Mid supports the detection, containment, and recovery of cybersecurity incidents across enterprise networks and mission‑critical systems in a highly regulated government environment. This role contributes to developing and executing response strategies, including automation, scripting, and playbooks, to enhance the speed and consistency of security operations.

- Perform detailed technical analysis and coordinate with cross‑functional teams to isolate affected systems.
- Implement proactive cybersecurity countermeasures.
- Support forensic investigations, documentation, regulatory alignment, and continuous improvement of incident response processes.

Qualifications

- Typically 4–7 years of hands‑on experience in cybersecurity operations and incident response across enterprise environments.
- Bachelor’s degree in IT, Cybersecurity, Computer Science, or a related field, or equivalent work experience.
- Demonstrated experience with incident response tools and platforms such as SIEM, IDS/IPS, and EDR in enterprise environments.
- Strong understanding of incident response principles, containment and eradication techniques, and data security best practices.
- Proven analytical and problem‑solving ability with strong written and verbal communication skills.

Requirements

- Demonstrated leadership of ITIL‑based major incident processes in large enterprises, including executive and customer‑facing communications.
- Strong experience with enterprise incident management tools and service management platforms integrated with SOC and cyber defense functions.
- Certifications such as ITIL Foundation plus advanced cybersecurity or incident response credentials evidencing both service management and deep technical capability.
- At least one cybersecurity‑related professional certification, or the ability to obtain one within one year of hire, such as Security+, CySA+, CEH, GSEC, GCIA, GCIH, or an equivalent industry‑recognized credential.

Benefits

- Compensation ranges for ASM Research positions vary depending on multiple factors, including but not limited to location, skill set, level of education, certifications, client requirements, contract-specific affordability, government clearance and investigation level, and years of experience.
- The compensation displayed for this role is a general guideline based on these factors and is unique to each role.
- Monetary compensation is one component of ASM's overall compensation and benefits package for employees.

EEO Requirements

- ASM's policy ensures that an individual's race, color, religion, sex, disability, age, sexual orientation, or national origin are not considered in any personnel or management decisions.
- All recruiting, hiring, training, and promoting for all job classifications is done without regard to race, color, religion, sex, disability, or age.
- All decisions on employment are made to abide by the principle of equal employment.

Physical Requirements

- The physical requirements described are representative of those which must be met by an employee to successfully perform the primary functions of this job.
- Reasonable accommodations may be made to enable individuals with qualifying disabilities to perform the primary functions.

Disclaimer

The preceding job description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees assigned to this job.

More Security Engineer Jobs

Security Program Manager

Function Health

At Function, we celebrate diversity and are committed to building a diverse and inclusive workforce. As an equal opportunity employer, we do not discriminate on the basis of race, color, gender identity, ancestry, religion, age, sexual orientation, national origin, disability, marital status, Veteran status, or any other occupationally irrelevant criteria. Join the Function Health team and become a part of our mission to build a healthier future for all. Discover more about us and how we're changing the face of healthcare at Function Health. Important Notice: Legitimate communication from the Function Health team will always come from an email address ending in @functionhealth.com. Function Health will never request personal information such as banking details or payment during the hiring process. Please be cautious of communications or job offers that come from other email domains, instant messaging platforms, or unsolicited calls. If you ever have doubts about the legitimacy of a communication, please reach out to us directly at talent@functionhealth.com.

Full Time | Remote | Team 11-50

Role Description

Function Health is building a lean, automation-first compliance program that is agile enough to adapt to both security and privacy requirements. From SOC 2 and HIPAA to CCPA and beyond, the program must be ready to respond to whatever the task demands. This requires an individual who can see the totality of the problem and not just a piece of it. As a Security Program Manager, you'll support and execute our compliance operations, partner with cross-functional teams to enable compliant product growth and unblock business deals, and help ensure our controls and policies scale with the business. This role is hands-on and impact-driven: you'll be a key contributor to audit readiness, run day-to-day compliance and privacy operations, and help Function meet the trust expectations of our members, partners, and regulators.

Key Responsibilities

- Execute SOC 2 Type II and HIPAA compliance operations, including evidence collection, control testing, and audit readiness.
- Coordinate audit activities with auditors, external assessors, and internal stakeholders under the direction of compliance leadership.
- Maintain and update a unified control framework that maps SOC 2, HIPAA, and future frameworks (e.g., HITRUST).
- Drive vendor and third-party risk management, including onboarding reviews, risk assessments, and BAA/DPA tracking.
- Understand privacy obligations (HIPAA Privacy Rule, GDPR, state laws) and design solutions with a privacy-first focus.
- Partner with Sales and Legal to support business deals, including security questionnaires and contractual agreements.
- Execute quarterly compliance rituals: access reviews, risk register updates, policy acknowledgments, and training compliance.
- Translate regulatory requirements into engineer-friendly tickets, policy updates, and compliance summaries.
- Identify and implement opportunities for automation in compliance workflows (evidence collection, access certifications, vendor reviews).
- Coordinate privacy operations, including data retention, deletion, and handling of member data requests.
- Build awareness across the business so compliance and privacy are seen as enablers, not blockers.

Qualifications

- 4–7 years of experience in compliance, GRC, or risk management, ideally in SaaS or healthtech.
- Strong knowledge of SOC 2 and HIPAA; familiarity with privacy frameworks such as GDPR, CCPA/CPRA, or HITRUST.
- Experience supporting audits end-to-end and preparing documentation for external parties.
- Experience coordinating across functions (Engineering, IT, Legal, Ops) to implement and sustain controls.
- Ability to connect regulatory requirements to business context and communicate tradeoffs clearly to technical and non-technical stakeholders.
- Familiarity with compliance automation tools (Vanta, Tugboat Logic, ConductorOne) and cloud environments (Okta, GCP, GitHub).
- Strong communication skills; able to draft policies, auditor-facing documentation, and compliance summaries.
- Ability to work cross-functionally to support secure, compliant patterns without slowing down business goals.
- Bonus: experience with healthcare data protection or supporting privacy programs in regulated industries.

Benefits

- Competitive salary and benefits package.
- Flexible working hours.
- Dynamic work environment where creativity and innovation are encouraged.

Core Values

- Ruthless Prioritization: We don’t let perfect get in the way of progress. We move quickly to drive value, not perfection. We prioritize what drives impact. We never compromise on standards of excellence.
- Member-First, Always: We design and deliver like we’re caring for someone we love. We create calendar, actionable, human experience. We prioritize responsiveness, peace of mind, and outcomes. We empower members with truth, clarity, and care.
- One Team, Moving Fast: We are aligned in purpose, prioritization, and speed. We gather diverse perspectives to make informed decisions. We clear paths for each other and move fast together. We communicate clearly and respectfully, rallying around shared goals.
- Radical Ownership, Relentless Execution: We don’t just ship – we own outcomes and drive results. We act with urgency and precision. We anticipate, initiate, and follow through. We meet challenges with grit and pragmatism. We embrace new tech to deliver better outcomes.
- Mission Over Ego: We are ruthlessly aligned to our mission – and leave ego at the door. We disagree and commit. We don't tolerate politics or withholding information. We operate with honesty, transparency, and respect.
- Sustained Integrity in Every Detail: We earn trust by obsessing over accuracy, quality, and clarity in everything we do. We prioritize clinical precision – data must be right. We sweat the details because outcomes depend on them.

United States
Job Closed

Security Engineer

Resilience

The CDMO that's changing the game.

Full Time | Remote | Team 1,001-5,000 | Since 2020 | H1B Sponsor

• Build, defend, and scale the security posture of our SaaS platform
• Take ownership of engineering proactive guardrails and automate incident response workflows
• Secure emerging technologies like AI and machine learning
• Design and maintain automated response playbooks using orchestration workflows
• Develop custom SecOps applications and autonomous workflows to triage alerts
• Implement 'Infrastructure as Code' across our multi-cloud infrastructure (AWS/GCP)

United States
$150K - $170K / year
Job Closed
Full Time | Remote | Team 1,001-5,000 | Since 1998 | H1B Sponsor

• Define and maintain the governance framework for AI-enabled capabilities across the software and model lifecycle, including intake, design review, implementation controls, testing expectations, deployment review, and ongoing monitoring.
• Establish technical control requirements for AI systems, including documentation standards, model and prompt inventories, traceability, approval paths, and change management expectations.
• Ensure governance requirements are practical for engineering teams and embedded into delivery workflows where possible.
• Operate the processes required to support internal and external compliance expectations for AI-enabled products and internal AI use cases.
• Maintain evidence, decision records, inventories, risk assessments, and control mappings needed for audits, client diligence, investor diligence, and internal reviews.
• Coordinate responses to AI-related diligence requests and partner with subject matter experts to ensure responses are accurate and supportable.
• Partner with Security, Privacy, Legal, and Engineering to identify and manage risks related to model behavior, data handling, access patterns, third-party AI services, output quality, explainability, and system changes.
• Build and run review paths for new AI use cases, material updates, and exceptions requiring elevated scrutiny.
• Define escalation criteria, mitigation tracking, and approval workflows for higher-risk AI implementations.
• Work directly with product and engineering teams to translate policy and control requirements into technical implementation guidance.
• Help teams design compliant approaches for logging, testing, access control, human review, fallback behavior, documentation, and monitoring.
• Influence architecture and delivery decisions so governance is built into systems rather than applied after the fact.
• Maintain current inventories of AI systems, models, vendors, prompts, datasets, and related technical dependencies as required by company governance standards.
• Ensure documentation is complete and usable across lifecycle stages, including design intent, data usage, review outcomes, testing artifacts, and operational controls.
• Improve the tooling and process model for collecting, maintaining, and retrieving governance evidence.
• Identify opportunities to automate governance activities within engineering and product workflows, including intake routing, policy checks, documentation capture, control verification, and evidence collection.
• Partner with engineering teams to embed governance checks into existing delivery systems and lifecycle tooling.
• Scale governance operations in a way that increases control coverage without creating unnecessary process overhead.

All locations: Alabama | Arizona | California | Colorado | Connecticut | Florida | Hawaii | Idaho | Illinois | Iowa | Kansas | Kentucky | Maine | Nebraska | Nevada | New Jersey | New Mexico | New York | North Carolina | Ohio | Oregon | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Pennsylvania | South Carolina | Tennessee | Texas | Utah | Virginia | Washington | West Virginia | Wisconsin
$132K - $165K / year
Job Closed

Cloud Security Architect

Gruve

Data to Possibilities

Full Time | Remote | Team 201-500 | Since 2024 | H1B No Sponsor

• Design and implement secure cloud architectures across public, private, and hybrid cloud environments (AWS, Azure, GCP).
• Define cloud security standards, reference architectures, and security blueprints aligned with business objectives.
• Assess cloud applications and infrastructure for security risks and recommend mitigation strategies.
• Lead threat modeling, security architecture reviews, and risk assessments for cloud workloads.
• Implement identity and access management (IAM), encryption, key management, and network security controls.
• Ensure compliance with security frameworks and regulations such as ISO 27001, SOC 2, GDPR, HIPAA, and PCI-DSS.
• Collaborate with DevOps, engineering, and infrastructure teams to integrate security into CI/CD pipelines (DevSecOps).
• Evaluate and implement cloud-native and third-party security tools (CSPM, CASB, CWPP, SIEM, SOAR).
• Provide security guidance for containerization, Kubernetes, and serverless architectures.
• Mentor and guide security engineers and contribute to security awareness across teams.
• Stay up to date with emerging cloud security threats, vulnerabilities, and best practices.

India
Job Closed