About Us & The Role
dLocal enables the biggest companies in the world to collect payments in 40 countries in emerging markets. Global brands rely on us to increase conversion rates and simplify payment expansion. As both a payments processor and a merchant of record where we operate, we make it possible for our merchants to make inroads into the world's fastest-growing emerging markets.
We do not do "check-box" compliance, and we don't do corporate fluff.
Within the Security Department, under the guidance of GRC and security leadership, our GRC and Assurance team operates with a street-smart, pragmatic approach. We are looking for a versatile, self-driven Senior GRC Partner to take direct ownership of our Governance, Security Awareness, Third-Party Risk Management, and Compliance programs across a complex, fast-moving global business.
This is not a single-track specialist role. You will work across all GRC and Assurance domains, rolling your sleeves up wherever the team needs you most. One week you may be deep in a payment processor assessment. Next, you are tuning a policy, running a compliance mapping exercise, or building out the Security Champions program. If you are looking for a narrow lane, this is not the role. If you want to build something real and touch everything, keep reading.
You will be measured on whether things actually change, not on whether documents exist.
What You'll Do
Own Third-Party Risk & Payment Processor Assessments: Take direct operational ownership of our global Third-Party Risk Management program, including the Payment Processor Assessment Framework, which is one of the team's most critical and complex programs.
Design the Machine: Implement a tiered, risk-based review system: fast-tracks for low-risk vendors, and deep technical scrutiny for critical processors in emerging markets. Work with our security engineers to define and build automated workflows and AI agents that handle the administrative lifting of TPRM (chasing vendors for documentation, parsing SOC 2 reports, tracking internal owners), with a human reviewer owning the final risk decision.
Enable the Business Safely: Analyze technical findings from external assessment vendors and translate them into clear, actionable risk positions. When a critical vendor has a high risk score but is a business necessity, define the compensating controls required to safely enable the business (volume caps, reconciliation requirements, escalation thresholds). Eliminate unnecessary overhead so this program moves at the speed of the business.
Operationalize Governance: Policies only have value if people know they exist and can realistically follow them. Renegotiate existing policies to make them practical, risk-calibrated, and enforceable. Run the stakeholder process across security, engineering, and the business to land on controls that reduce risk without grinding operations to a halt.
Drive Security Awareness & Champions: Redefine how security expectations are communicated. No generic broadcasts. Build targeted, high-ROI awareness interventions using modern tools (including AI-assisted delivery) that actually change behavior. Build and run the Security Champions program, recruiting motivated individuals embedded in engineering to act as the first line of security awareness.
Run Compliance & the Risk Register: Map and maintain controls across PCI DSS, SOX, DORA, ISO 27001, and SOC 2. When audit season hits, you are in the trenches: pulling evidence, coordinating with stakeholders, and making sure nothing falls through the cracks.
Shift Left & Protect Business Velocity: Security is not the bottleneck. Give business leaders the transparent data, tools, and rules they need to explicitly accept or reject vendor risk, shifting accountability to the first line of defense where it belongs. When a risk needs to be formally accepted, you draft the paperwork and ensure the business owner signs it.
What You Bring
Track Record Over Tenure: We do not care about arbitrary "years of experience." We care about outcomes. You must have a proven track record of driving governance, assurance, or TPRM programs in fast-paced, complex environments.
Pragmatic Operator Mentality: You move fast and optimize complex, legacy workflows. You know the difference between what genuinely needs to change and what is noise. You are not a methodology presenter; you get things done where ambiguity and speed are the norm.
Hands-On Grit: You are not an ivory tower architect. You have the humility and work ethic to do the manual work yourself while simultaneously building the automation that will eventually replace it.
Disruptive Vision for TPRM: You hate the slow, bureaucratic status quo of traditional risk management. You see TPRM as a program that should enable the business, not block it.
Disciplined Multi-Threading: You are ruthlessly organized. You can manage a payment processor security review, a policy overhaul, a compliance mapping cycle, and a Security Champions workshop simultaneously without dropping the ball.
AI Fluency: Deeply comfortable using LLMs to automate administrative governance work and move faster. You understand how to leverage AI capabilities while maintaining strict data accuracy, keeping vendor and customer data out of tools not approved for it, and verifying model output before it enters a risk decision or audit record.
Regulatory Knowledge: Strong working knowledge of PCI DSS, SOX, DORA, ISO 27001, and SOC 2. You can map controls, prepare audit evidence, and hold a credible conversation with an examiner.
High EQ & Stakeholder Navigation (The Security Diplomat): You read people and complex situations well. You negotiate with VP-level commercial leaders, engineering directors, and external vendors. You find pragmatic compromises between security requirements and business velocity, and you know how to bring people along rather than impose.
Exceptional Communication: Fluent English is mandatory. You distill complex risk and governance topics into clear language for non-technical executive audiences and are equally comfortable in a policy workshop and a board-level risk briefing.
Nice to Have
Prior experience in a fintech, payments, or tech scale-up environment.
Direct experience assessing or securing payment processors and financial institutions in emerging markets.
Experience building or integrating with modern GRC, risk management, or procurement platforms.
Familiarity with the unique cybersecurity challenges of emerging markets: the gap between paper compliance and operational reality.
How You'll Work
Skills Required
- Proven experience with SOC 2 implementation
- Fluency in Portuguese and English (written and oral)
- Basic knowledge of international frameworks (SOX, DORA) and standards (PCI DSS, ISO)
- High emotional intelligence and organizational navigation skills
- Experience in regulatory environments
What We Do
dLocal started with one goal: to close the payments innovation gap between global enterprise companies and customers in emerging economies. We have over 900 payment methods in more than 40 countries. With the ability to accept local payment methods and facilitate cross-border fund settlement worldwide, our merchants reach billions of underserved consumers in the high-growth markets of Africa, Asia, and Latin America. dLocal offers the ideal payment solutions for global commerce:
Payins: Accept local payment methods
Payouts: Compliantly send funds cross-border
Defense Suite: Manage fraud effectively
dLocal for Platforms: Unify your platform's payment solution
Local Issuing: Localize payments for your gig-economy workers, suppliers, and partners