Based in Ottawa, Ontario, Canada, Harris Computer Systems provides mission-critical software solutions for organizations across the United States and Canada, in
Compliance & Governance Specialist
Location
Canada
Posted
13 days ago
Salary
C$95K - C$100K / year
Seniority
Mid Level
Job Description
Harris Computer Systems
Role Description

Cayenta, a division of Harris, is seeking a Security Governance & Compliance Specialist who will join the team to lead the design, implementation, and ongoing oversight of the organization's compliance frameworks. This includes providing security controls across our product and cloud environments. Your work will reduce customer risk, improve audit outcomes, and strengthen resilience through measurable, automated governance. This is a senior individual contributor role with broad influence across all teams, including Legal.

In this role, you will be responsible for identifying, assessing, and supporting the management of information security risks across the organization. Reporting to the Director of Cloud, Security & Compliance, this role contributes to Cayenta’s security posture by implementing security and IA governance frameworks.

This remote role welcomes candidates anywhere in Canada. Preference will be given to candidates who can work in PST timezone.

Salary: 95K - 100K

What your impact will be:

- Primary Focus
  - Own and manage the organization's security compliance programs, including SOC 2 Type II, ISO 27001, ISO 42001, and other relevant frameworks.
  - Own audit readiness end-to-end: gap assessments, control mapping, auditor coordination, walkthroughs, and remediation follow-up.
  - Turn framework requirements into clear, actionable, and lightweight controls that teams can operate without slowing delivery.
  - Drive evidence collection automation in partnership with Engineering; the goal is evidence-by-default.
  - Maintain scope, context, governance artifacts, and Statement of Applicability.
  - Run internal audits, manage CAPAs, and sustain certification readiness.
  - Evaluate control design and operating effectiveness; identify gaps and drive actionable remediation.
  - Maintain the AIMS: AI use-case inventory, impact assessments, and human oversight controls.
  - Collaborate with AI-Ops on model documentation (model cards), bias/fairness testing, explainability, drift monitoring, and adversarial robustness controls.
  - Produce compliance dashboards and KPI reporting for leadership and customers.
  - Evaluate control design and operating effectiveness against internal policies/standards and external frameworks; identify control gaps and actionable recommendations.
  - Operationalize and sustain the ISMS (ISO/IEC 27001) and AIMS (ISO/IEC 42001), including scope, context, governance, and required.
- Risk & Vendor Management
  - Lead third-party/vendor risk management: due diligence, review of security documentation, contract/control requirements, and tracking vendor remediation and data-protection alignment.
  - Evaluate residual risk and support risk acceptance decisions with documented rationale.
- Cross-Functional Enablement
  - Collaborate with the AI-Ops team in building and maintaining AI-Governance.
  - Manage the responsible AI policy lifecycle alongside the AI Ops team.
  - Collaborate with the AI-Ops team in implementing AI risk/model governance controls aligned to ISO/IEC.
  - Work with Engineering in automating the collection of evidence and control testing, internal audits, managing CAPAs, and maintaining continuous audit readiness.
  - Partner with Engineering, Product, and Legal to bake in controls into the SDLC.
  - Translate framework requirements into plain-language controls that engineers can operate without slowing delivery.
  - Collaborate with the Security team in identifying, evaluating, and acting on vulnerabilities reported by our monitoring systems and/or external channels.
  - Work closely with the Security team in the coordination and execution of the different frameworks.
- Reporting and CPI
  - Produce compliance reporting and dashboards. Define and track security & compliance KPIs, lead management reviews to ensure a healthy compliance posture to stakeholders.
  - Drive continuous improvement of risk and control maturity based on trends, audit results, and business impact.

Qualifications

- 5+ years in information security compliance, risk management, or audit, with hands-on SOC 2 Type II experience as the primary requirement.
- Deep working knowledge of SOC 2 Trust Services Criteria and practical audit mechanics.
- Experience operationalizing ISO 2700, maintaining an ISMS, managing CAPAs, and sustaining certification.
- Ability to assess control design and operating effectiveness, identify gaps, and drive remediation without authority over the teams implementing fixes.
- Strong written communication. You will produce risk registers, control documentation, dashboards, and audit artifacts that engineering and legal teams rely on.
- Comfort working in a cloud-native environment (Azure) and understanding how infrastructure decisions affect control coverage.

What would make you stand out:

- Experience with ISO 42001 or AI/ML governance frameworks, model risk management, responsible AI policy, or AI impact assessments.
- Background in regulated industries: utilities, municipalities, government.
- Familiarity with evidence collection automation.
- CISSP, CISA, CRISC, ISO 27001 Lead Auditor/Implementer, or equivalent certification.

Benefits

- 3 weeks’ vacation and 5 personal days
- Comprehensive Medical, Dental, and Vision benefits starting from your first day of employment
- Employee stock ownership and RRSP/401k matching programs
- Lifestyle rewards
- Remote work and more!
More Compliance Jobs
Compliance Manager
Figma
Figma was founded in 2012 to build a collaborative, professional-grade interface design tool for the digital age. Created specifically for interface design and
Role Description

Figma is growing our team of passionate creatives and builders on a mission to make design accessible to all. Figma’s platform helps teams bring ideas to life—whether you're brainstorming, creating a prototype, translating designs into code, or iterating with AI. From idea to product, Figma empowers teams to streamline workflows, move faster, and work together in real time from anywhere in the world. If you're excited to shape the future of design and collaboration, join us!

Figma's GRC team helps build and maintain trust with our users, regulators, business partners, and the organizations that rely on Figma every day. We partner across the company to strengthen security, manage risk, maintain compliance, and scale the programs that support our continued growth.

We're growing our team and looking for security, risk, and compliance professionals across several disciplines. Whether your expertise is in compliance, risk management, governance, GRC tooling, or customer trust, you'll have the opportunity to build programs, improve processes, and help shape how Figma scales security and trust.

Roles we hire for on this team:

- Compliance Management
  - Lead compliance and certification programs across security and regulatory frameworks
  - Manage audit cycles, partner with external assessors, and drive audit readiness initiatives
  - Improve controls, processes, and evidence management practices across the organization
- Security Risk Management
  - Build and maintain risk and controls frameworks that support Figma's security posture
  - Assess, prioritize, and communicate security risks across the business
  - Develop third-party risk management strategies and enterprise risk reporting programs
- Policy & Governance
  - Manage the lifecycle of organizational security policies, standards, and procedures
  - Drive policy awareness and stakeholder engagement across the company
  - Ensure governance practices align with regulatory requirements and business objectives
- GRC Platforms & Enablement
  - Select, implement, and optimize GRC platforms and supporting workflows
  - Scale evidence collection, reporting, and program management capabilities
  - Identify opportunities to automate and streamline GRC operations
- Customer Trust
  - Support customer trust and business enablement activities across the sales lifecycle
  - Manage security knowledge bases, customer-facing documentation, and trust publications
  - Respond to customer security inquiries, audits, and questionnaires

This is a full time role that can be held from one of our US hubs or remotely in the United States.

What you'll do at Figma:

- Lead compliance programs across frameworks such as SOC 2, ISO 27001, FedRAMP, SOX ITGC, GDPR, and NIS2
- Manage external audits and certification activities while partnering with auditors and assessors
- Build and maintain risk and controls frameworks, including common control frameworks that support multiple certifications
- Conduct risk and gap assessments and drive remediation efforts across technical and business stakeholders
- Improve control effectiveness and operational efficiency through rationalization and process optimization
- Implement and optimize GRC platforms that scale evidence collection and program management
- Maintain security policies and governance processes that align with organizational risk objectives
- Support customer trust initiatives, including security questionnaires, audits, and customer-facing security communications

Qualifications

- 4+ years of experience in information security, compliance, risk management, or a related field
- Hands-on experience supporting security and compliance frameworks such as SOC 2, ISO 27001, FedRAMP, PCI-DSS, or SOX ITGC
- Experience leading or supporting audits and partnering with external assessors
- Demonstrated ability to conduct assessments, drive remediation efforts, and manage cross-functional initiatives
- Exceptional written and verbal communication skills across technical, business, and executive audiences
- Demonstrated ability to improve processes, manage competing priorities, and build strong cross-functional partnerships

Requirements

While it’s not required, it’s an added plus if you also have:

- Operated in a public company environment with SOX ITGC requirements
- Supported FedRAMP authorization, SSP development, 3PAO coordination, or continuous monitoring activities
- Earned security or risk certifications such as CISA, CISSP, CISM, or CRISC
- Implemented or administered GRC platforms such as Vanta, Drata, or similar tools
- Scaled security, compliance, or risk programs in a high-growth environment

Benefits

Figma offers equity to employees, as well as a competitive package of additional benefits, including:

- Health, dental & vision
- Retirement with company contribution
- Parental leave & reproductive or family planning support
- Mental health & wellness benefits
- Generous PTO
- Company recharge days
- Learning & development stipend
- Work from home stipend
- Cell phone reimbursement
- Sales incentive pay for most sales roles
- Annual bonus plan for eligible non-sales roles
Senior Enrollment Kit & Regulatory Documents Representative
Lincoln Financial
We help people confidently plan for their version of a successful financial future.
• You will take ownership of a variety of enrollment and regulatory related work, making sound decisions as you navigate both routine and more complex situations.
• You will develop new employer-specific materials and update existing content to reflect plan changes, ensuring materials align with legal plan documents, product standards and marketing guidelines.
• You will continually build and apply your knowledge of defined contribution products to ensure materials align with standard product practices.
• You will partner closely with stakeholders and vendors to deliver high-quality work on time while maintaining accuracy, efficiency, and managing cost.
• You will maintain accurate records and oversee enrollment kit ordering.
• You will spot gaps, ask questions, and continuously look for ways to improve processes, quality, and the overall experience, promoting quality and continuous improvement.
• Partner with Product and Engineering on new features, architecture, and user flows to ensure privacy-by-design is integrated before launch, not retrofitted after.
• Lead privacy review of AI features and AI vendors, including model training restrictions, PHI usage controls, transparency disclosures, and pre-launch governance checkpoints.
• Support clinical research, outcomes tracking, and de-identification workflows so that secondary uses of data are governed under documented standards.
• Triage and respond to fast-moving product and commercial requests with calibrated, written guidance.
• Own day-to-day execution of core privacy operations alongside the Senior Director of Compliance, with the ability to operate independently on assigned workstreams.
• Operate Fullscript’s OneTrust environment for vendor reviews, data mapping, PIAs, consumer rights requests, and reporting, including configuration of new workflows as the program scales.
• Lead privacy incident response activities, including intake, triage, coordination with cross-functional stakeholders, documentation, and tracking remediation efforts through resolution.
• Build trusted working relationships with stakeholders across the business so that privacy is engaged early on new initiatives rather than at the end.
• Translate HIPAA, PIPEDA, Quebec Law 25, CPRA, and other applicable US state privacy laws into plain-language guidance, playbooks, and training materials the business can use without further interpretation.
• Maintain ongoing monitoring of Fullscript’s privacy posture, surface emerging risk areas to the Senior Director of Compliance.
Principal Compliance Associate
Kraken Digital Asset Exchange
We put the power in your hands to buy, sell, and trade digital currency 🌏
• Own and deliver BAU compliance support across IE-regulated entities, including activities subject to CASP and EMI requirements, and relevant conduct and market integrity considerations
• Maintain and enhance the IE-regulated entities compliance framework (policies, procedures, governance materials, reporting calendar) to reflect business changes and IE regulatory expectations
• Act as a trusted partner to Product, Design, Engineering and Markets teams to assist them to structure and launch products and services and controls
• Lead and execute assurance monitoring and testing (risk-based), document findings clearly, and drive pragmatic remediation with accountable owners and timelines
• Support regulatory engagement, including responses to information requests, examinations/audits, and routine/periodic reporting obligations where relevant
• Review and advise on customer-facing communications and marketing for compliance risk and conduct considerations
• Produce reliable management information for senior stakeholders (KRIs, monitoring outcomes, remediation progress, training completion) and assist in preparing reports for Committee and Board meetings on compliance related matters
• Provide guidance and monitor outsourced compliance functions (e.g. marketing/complaints) to ensure compliance with CBI/EBA outsourcing guidelines and relevant requirements under MiCA/PSD2/CPC
• Develop and deliver compliance training programs, ensuring employees are knowledgeable and aware of their obligations
• Provide compliance advisory support and guidance to COs and EU Regional Compliance team on new and existing regulations and rules, best practices and compliance with internal procedures and directives
• Ensure all Policies and Procedures are updated and submitted through appropriate governance forums
• Contribute to a culture of compliance through training, clear guidance, and practical partnership with the business




