Technical GRC Specialist

Software-as-a-Service (SaaS) Security Practitioner

Our mission at Capacity is to help teams do their best work through our AI-powered support automation platform. Capacity provides everything you need to automate support and business processes in one powerful omni-channel platform.

We believe that each individual voice, perspective and background brings inherent value to enhance our product, serve our customers and generate more ideas to solve complex problems. By continuing to hire talented, driven and humble teammates, we have the opportunity to see Capacity become a premier brand enterprise SaaS platform.

Capacity has raised over $100 million dollars from over 150 investors, giving us the opportunity to make ambitious investments in our team and big bets on our future. Our total addressable market is enormous. Any company that wants to grow revenue, reduce costs, and improve customer and employee satisfaction is an opportunity for Capacity to shine.

Why This Job Is Exciting

The role:

We are looking for an experienced software-as-a-service (SaaS) security practitioner to join our growing Governance, Risk & Compliance (GRC) team. This role will primarily take ownership of our security hardening standards and our Third-Party Risk Management (TPRM), focusing on proactive improvements in cybersecurity, ensuring audit readiness, and scaling GRC processes through automation.

This is a high-impact role suited to someone who wants to influence cybersecurity at scale, enjoys working cross-functionally, and is able to balance strong risk management with commercial pragmatism.

You will work closely with operational stakeholders across the organization, helping strengthen our overall security posture, including vendor assurance, while enabling the business to move safely and quickly.

Responsibilities

In this role, you will be responsible for the following:

Security Hardening & Technical GRC

• Provide hands-on support in the assessment, improvement, and maintenance of technical security baselines based on industry best practices (e.g., NIST, CIS, ISO). You will ensure these configurations satisfy global regulatory mandates (e.g., HIPAA, GDPR).
• Leverage automated tools to monitor security and compliance posture.
• Act as a GRC interface with Infrastructure and Engineering teams to ensure hardening requirements are technically feasible and effectively implemented.

Third-Party Risk Management

• Manage and continuously improve the company's Third-Party Risk Management programme across suppliers, vendors and strategic partners.
• Own end-to-end due diligence processes for new and existing vendors, including inherent risk assessments, security/privacy reviews and ongoing monitoring.
• Review vendor assurance documentation such as ISO 27001 certificates, SOC 2 reports, penetration test summaries, policies and compliance evidence.
• Identify, document and communicate vendor risks, remediation actions and approval recommendations.
• Maintain risk tiering and reassessment schedules for critical and high-risk vendors.
• Act as a trusted partner to internal stakeholders during vendor onboarding, renewals and procurement decisions.
• Engage directly with suppliers to resolve due diligence issues and drive remediation.

GRC Operations & Improvement

• Maintain audit-ready documentation within GRC systems.
• Support team members as necessary with global and contractual compliance efforts, as well as internal and external audits.
• Contribute to security and compliance policy, process, and control improvements.
• Identify opportunities for automation, simplification, and improved GRC tooling.

What success looks like in the first 12 months:

• Strong audit readiness with high-quality, reliable technical evidence.
• Effective use of GRC tooling to automate and streamline compliance processes.
• Mature and efficient Third-Party Risk Management workflows.
• Improved turnaround times for vendor assessments and internal requests.
• Clear visibility of cybersecurity control effectiveness and risk posture.
• Reduced manual effort through automation and improved processes.

Requirements:

Essential

• 3+ years' experience in compliance, GRC, vendor risk management, information security, internal audit or related fields.
• Proven experience in cybersecurity and managing third-party/vendor due diligence programmes.
• Strong understanding of common assurance frameworks such as ISO 27001, SOC 2, NIST or equivalent.
• Good working knowledge of UK GDPR / privacy considerations in supplier relationships.
• Familiarity with cloud/SaaS environments and common systems (e.g. identity providers, cloud platforms, collaboration tools).
• Experience reviewing supplier security documentation and identifying practical risks.
• Strong organisational skills with the ability to manage multiple priorities independently.
• Excellent written and verbal communication skills; proficient in English.

Desirable

• SaaS / software industry experience.
• Experience in a multi-entity or fast-growth business environment.
• Familiarity with Vanta or other GRC tools.
• Relevant certifications (e.g. ISO 27001 Lead Implementer/Auditor, CISM, CRISC, CIPM, CIPP/E).

You are motivated by:

• Hustle: You inspire others to work as hard as you. You will find a way, no matter how hard the task is.
• Ownership: You have an owner/builder mentality. You care about what you deliver and own your mistakes.
• Proactivity: You don't wait for someone to tell you what to do or what problems to solve. You are always looking for ways to learn and improve.
• Excellence: You set a high bar and surpass expectations. You hit your goals and ask for more.
• Humility: You are not above any task in the organization and are willing to drop what you're doing to help a teammate.

What you can expect from us

The team:

Capacity team members enjoy the opportunity and benefits of working at an artificial intelligence startup, but with leaders who've worked at places like Apple, Ebay, Visa, Answers.com, Oracle, Boeing, and many more world-class companies. The culture at Capacity encourages innovation, independent problem solving, and collaboration as we continue to mature our product in the ever-changing world of AI.

We provide:

• Private health insurance
• Profit Interest Unit Appreciation Rights
• 25 days paid leave
• Pension
• Group life assurance
• Group income protection
• Flexible work environment
• A supportive, diverse workplace where we prioritize respect for each other and our clients
• A fun and collaborative team culture

Salary range:

• The expected base salary for the Technical GRC Specialist role is between £50,000 and £65,000; actual salary will be commensurate with a candidate's experience, skill and location.

Still unsure?

At Capacity we value more than just hard skills. Our goal is to build a holistic and diverse team. If you aren't sure if you qualify, just apply! We will carefully consider your application and are always grateful for any time and effort invested in Capacity.

But wait, there's more!

At Capacity we believe in more than just building amazing products and helping our customers. Although we are a remote workforce, we remember the neighborhood where we started. We still strive to elevate our community by furthering access to education and careers in the tech space. Our affiliated nonprofit, Create A Loop, brings rigorous computer science courses to underserved communities with little to no access to formal computer science education. There are many opportunities for our Capacity team members to serve and educate our Create A Loop students throughout the year.