Director of Governance, Risk, Compliance & Trust
Position Overview
Job Description
Everlaw is seeking a pragmatic and execution-oriented Director of GRCT to lead our Governance, Risk, Compliance, and Trust function. This role is responsible for setting the "North Star" for how we manage risk, earn customer trust, and scale compliance programs in a way that enables—rather than slows—business innovation.
Reporting to the VP of Information Technology & Security, you will own the day-to-day execution and continuous evolution of Everlaw’s risk, compliance, and trust programs, ensuring our governance posture scales with the business. This role sits at the intersection of technical rigor and commercial enablement, partnering closely with DevOps, Product Security, Corporate Security, Legal, Engineering, Sales, and Customer teams to translate complex requirements into clear controls and credible assurances that build customer confidence.
Getting started
- We want you to feel like part of the team early on! Our onboarding process will integrate you into the company with informative sessions on our product, policies, processes, and team structure and goals.
- We’re excited for you to learn, grow, and contribute right away! We trust that you’ll bring experience and knowledge that will uplift and uplevel the team, but we don’t expect you to know everything on Day 1.
In your role, you'll...
Compliance & Audits
- Public Sector Compliance Ownership: Own Everlaw’s public sector compliance posture, including FedRAMP and GovRAMP authorization and ongoing maintenance.
- Regulatory & Contractual Requirements: Ensure compliance with specialized regulatory and contractual requirements (e.g., CJIS, FTI), partnering with HR, Security, and Legal to support personnel, access, and operational controls.
- Global & Industry Certifications: Accountable for global and industry certifications, including SOC 2, ISO 27001/27017/27018, UK CE+, GDPR, and HIPAA, enabling effective IC-led execution.
- Audit Readiness & Execution: Ensure sustained audit readiness through clear control ownership, effective evidence management, and scalable compliance processes.
- Strategic Certifications & Market Access: Own the go/no-go framework for pursuing new certifications or regulatory authorizations (e.g., ISO 42001), balancing customer demand, regulatory risk, and business priorities.
- Regulatory Awareness: Continuously monitor emerging regulatory and industry requirements and advise leadership on impact, readiness, and timing.
Risk Governance & Decision Enablement
- Security Risk Identification & Management: Oversee the identification, assessment, and tracking of information security risks; partner with risk owners to remediate risks in a timely manner.
- Security Impact Analysis (SIA): Partner with Security Engineering to lead the SIA process for major system, infrastructure, and product changes, in which SecEng conducts the technical SIA and GRCT evaluates risk, notification, and escalation requirements.
- Third-Party Security Risk: Oversee the vendor security risk lifecycle, from onboarding through ongoing monitoring and renewal, ensuring risks are assessed and managed in proportion to data sensitivity and business criticality while supporting efficient procurement.
- Pragmatic Governance & Decision Support: Maintain security policies, standards, and exception processes aligned with how Engineering, Security, and IT teams operate, and act as a trusted advisor to facilitate risk-based decisions on architectural trade-offs and control exceptions.
- Emerging Technology & Risk Visibility: Govern security risks related to emerging technologies, including AI/ML, and provide clear, audit-ready risk reporting to leadership that integrates with compliance and evidence pipelines.
Customer Trust & External Assurance
- Customer Trust Ownership: Own Everlaw’s customer-facing trust posture, ensuring external representations of security...
Perks & Benefits
Practice Area
Compliance
Position
Senior
Applicant Location Requirements
Applicants must be located in: US
Application Contact
Contact: Everlaw Hiring Team
Application Deadline
June 22, 2026
Employment Type
Full time