Security & Privacy Analyst

Build and operationalize our security and privacy compliance programs from the ground up.

Security & Compliance • Remote (US & Canada) • Full time • $100K – $145K • Equity

About the Role

We're looking for a Security & Privacy Analyst to build and operationalize our security and privacy compliance programs from the ground up.

You'll be responsible for implementing controls, driving audit readiness, managing vendor and customer security assessments, and ensuring Credo meets the compliance bar our regulated customers demand. This means working across engineering, infrastructure, and leadership to embed security and privacy into how we build, ship, and operate.

This is a hands-on role at an early-stage company. You won't just maintain compliance checklists — you'll define the policies, build the processes, and work directly with customers who need assurance that their data is handled with the highest standard of care. If you want to own a security program rather than just support one, this is the role.

What you'll do

  • Build and maintain Credo's security and privacy compliance programs (SOC 2, GDPR, CCPA/CPRA)
  • Implement and monitor security controls across infrastructure, application, and data handling processes
  • Lead security and privacy audits, assessments, and certification efforts
  • Own customer security questionnaires, vendor assessments, and due diligence reviews — partnering with sales to unblock enterprise deals
  • Define and enforce data handling policies for sensitive data: biometric data, government ID images, screening results, and PII
  • Partner with engineering to ensure secure development practices — encryption, access controls, key management, and data retention
  • Manage the biometric data lifecycle — ensuring data is encrypted during verification and deleted immediately after
  • Identify privacy and security risks across the platform and drive remediation
  • Develop and maintain security documentation: policies, procedures, incident response plans, and data processing agreements
  • Support customer compliance inquiries — regulated customers will need detailed answers about our security posture
  • Monitor regulatory changes in data privacy, biometric data laws, and AML/KYC requirements
  • Manage relationships with external auditors, penetration testers, and security vendors

What you'll bring

  • 3–6 years of experience in security, privacy, compliance, or risk management
  • Experience building or contributing to SOC 2, ISO 27001, or similar compliance programs
  • Familiarity with privacy regulations: GDPR, CCPA/CPRA, BIPA, or other biometric data laws
  • Understanding of cloud security fundamentals (GCP, AWS, or Azure)
  • Experience completing security questionnaires and supporting enterprise sales cycles
  • Strong ability to work cross-functionally with engineering, legal, and leadership
  • Excellent documentation skills — you can write clear policies, not just check boxes
  • Comfortable operating with autonomy in a fast-paced, early-stage environment

Nice to have

  • Experience at a company handling biometric data, identity verification, or background screening
  • Familiarity with AML/KYC compliance requirements and how they affect data handling
  • CIPP, CISSP, CISA, or similar certifications
  • Experience with GCP security tooling (Cloud Armor, IAM, Security Command Center)
  • Previous early-stage startup experience — you've built a compliance program from scratch
  • Experience with penetration testing coordination and vulnerability management

Why Credo

Own the program

You'll define and build Credo's security and privacy program from the ground up.

High-impact data

We handle government IDs, biometrics, and sanctions data. The security work here is real and meaningful.

Customer-facing influence

Your work directly enables enterprise sales. When a bank asks "are you SOC 2 compliant?", your work is the answer.

Growing market

AML/KYC compliance is mandatory for regulated industries. As our customer base grows, so does the importance of this role.

Remote-first

Work from anywhere in the US or Canada.

Benefits

  • Competitive salary + equity
  • Health, dental & vision
  • Unlimited PTO
  • Remote-first culture
  • Professional development budget
  • Home office stipend
  • Company offsites

Interested?

Send us your resume and a short note about why you're excited about this role.
