Compliance Program Manager

Posted 8 Days Ago
Hiring Remotely in Bangalore, Bengaluru Urban, Karnataka
In-Office or Remote
Senior level
Fintech • Payments • Financial Services
Experience a better way to move money
The Role
Own and operationalize audit-ready security controls (SOC 2, ISO 27001, GDPR, DORA). Translate regulations into technical controls, implement and automate evidence pipelines in AWS/Kubernetes, lead audit interactions, and embed compliance into platform engineering to reduce manual work.
Summary Generated by Built In
Job Description

The Problem

OpenFX is expanding globally in a heavily regulated financial environment. As we scale into new regions, regulators, auditors, and enterprise partners expect provable, continuously operating security controls - not slide decks or one-off audits.

Right now, compliance requirements (DORA, GDPR, SOC 2, ISO 27001, and region-specific regulations) are increasing faster than our ability to operationalize them in production systems. If we don’t solve this, we risk:

  • Slowing down market expansion
  • Failing audits or regulatory exams
  • Shipping security controls that look good on paper but don’t actually work

We need someone who can turn regulatory requirements into real, running controls - and then prove to auditors that they work.

This role has been created to support OpenFX as we continue expanding our institution-grade, regulator-facing infrastructure.

What You’ll Actually Do & Own (First 6–12 Months)

You will own the security controls and evidence that regulators and auditors care about, end to end.

Specifically, you will:

  1. Own audit-ready security controls
    • Design, implement, and maintain technical and operational controls for SOC 2, ISO 27001, GDPR, DORA, and future regional requirements
    • Ensure controls are not just documented, but actually enforced in AWS, Kubernetes, and application layers
  2. Be the technical counterpart to Legal, Compliance & Risk
    • Translate regulatory language into concrete security mechanisms
    • Partner with Legal/Compliance to monitor new regulations and assess technical impact
    • Decide what is “good enough” vs. over-engineered for compliance
  3. Run audits instead of reacting to them
    • Own audit preparation, evidence collection, walkthroughs, and remediation tracking
    • Build repeatable, automated evidence pipelines instead of last-minute scrambles
    • Be the person auditors trust when they ask, “Show me how this actually works”
  4. Embed compliance into the platform
    • Work with engineering to design systems that are secure by default and defensible to regulators
    • Ensure logging, access controls, encryption, monitoring, and change management meet regulatory expectations
  5. Automate compliance wherever possible
    • Build tooling/scripts to continuously validate controls (access reviews, logging coverage, config drift, etc.)
    • Reduce manual compliance work over time by pushing checks into code and infrastructure
What Success Looks Like

You’ll know you’re succeeding if:

  • SOC 2 / ISO 27001 audits complete with zero high-severity findings
  • Control ownership, governance cadence, and a compliance roadmap are established as the company scales
  • GDPR and DORA compliance readiness is in place, including regulator-facing engagement and response
  • Regulatory requests are answered with evidence, not explanations
  • New regional regulatory requirements are implemented without blocking launches
  • Audit prep time decreases quarter-over-quarter due to automation
  • Engineering teams ship features without creating compliance debt

If audits feel boring and predictable, you’re doing the job well.

Requirements

Required (Non-Negotiable)

  • 6+ years in security engineering, cloud security, or compliance-focused security roles
  • Hands-on experience supporting SOC 2, ISO 27001, GDPR, DORA, or similar regulatory frameworks
  • Ability to translate regulatory requirements into technical controls
  • Strong working knowledge of AWS security fundamentals (IAM, logging, encryption, networking)
  • Comfortable owning auditor interactions and explaining systems clearly
  • Experience building or automating security/compliance processes (Python, Bash, Go, etc.)

If you’ve never been accountable for an audit outcome, this role is not a fit.

Preferred (Nice to Have)

  • Experience securing Kubernetes environments
  • Familiarity with AppSec tooling (SAST/DAST, manual testing)
  • Experience with AWS security services (GuardDuty, Config, Security Hub)
  • Prior work in fintech, payments, or regulated infrastructure
  • Security or compliance certifications (CISSP, CISA, ISO 27001 Lead Implementer, AWS Security)
Why This Role

This is not a checkbox compliance role.

In this role, you will:

  • Shape how OpenFX proves trust to regulators, banks, and institutions
  • Decide how security controls are implemented - not just documented
  • See the immediate impact of your work on global expansion

You’ll learn how to build compliance that scales, not compliance that slows teams down - a skillset that’s rare and extremely valuable in fintech.

This Role Is Not For You If:
  • You prefer compliance as primarily coordinating between teams rather than owning control execution end-to-end
  • You approach audits by repeatedly pulling time and evidence from engineering instead of building scalable, audit-ready processes
  • You are not comfortable driving documentation, evidence automation, and regulator-facing accountability
  • You prefer compliance to remain a distributed responsibility rather than taking full ownership of outcomes

Top Skills

AWS, IAM, Kubernetes, Python, Bash, Go, SAST, DAST, GuardDuty, AWS Config, Security Hub, SOC 2, ISO 27001, GDPR, DORA, AppSec

The Company
HQ: New York, New York
15 Employees
Year Founded: 2024

What We Do

OpenFX is redefining the future of global money movement.

We enable money to flow across borders as effortlessly as data, unbound by time zones, legacy systems, or banking hours. Our FX infrastructure transforms how finance teams operate, delivering cross-border transfers with industry-leading spreads, real-time settlement and 24/7 availability.

We are a team of serial entrepreneurs from Affirm, BofA, Charles Schwab, Goldman Sachs, Intuit, JPM, Kraken, Microsoft, Meta, PayPal, Slack.
