About Us

TherapyNotes is the go-to superhero for behavioral health Practice Management and EHR software! Our top-notch SaaS solution handles scheduling, billing, documenting, telehealth, and more so clinicians can focus on awesome patient care.

We're a dynamic team of pros who love to innovate and push the envelope, keeping our software cutting-edge. Join us, and let's revolutionize behavioral health software together while making a real difference!

About The Position

TherapyNotes is seeking a GRC Engineer who combines strong foundational GRC expertise with the ability to design and implement scalable, automated solutions. This role is responsible both for executing core GRC functions (e.g., risk assessments, policy management, third-party risk) and for transforming those processes through engineering and automation.

The ideal candidate understands how GRC work is performed today and has the technical skills to improve, scale, and modernize it.

What You'll Do

Core GRC Operations (Hands-On Execution)
- Conduct third-party risk assessments (TPRM), including vendor reviews, security questionnaires, and risk evaluations
- Maintain and update security policies, standards, and procedures
- Support compliance initiatives across frameworks (SOC 2, ISO 27001, HIPAA, NIST, etc.)
- Perform internal risk assessments, control testing, and gap analyses

GRC Engineering & Automation
- Identify manual, repetitive GRC processes and design automated solutions
- Build and maintain automated evidence collection (via APIs, scripts, and integrations)
- Implement continuous control monitoring (CCM) to replace point-in-time audits
- Translate compliance requirements into technical controls and system configurations
- Validate control effectiveness through automated testing and monitoring
- Enable real-time or near-real-time risk visibility through dashboards and reporting systems
- Work with Security Engineering to continuously audit configurations and remediate drift programmatically
- Build scalable workflows for vendor risk assessments, re-assessments, and tracking
- Integrate vendor data into centralized risk systems
- Automate intake, review, and monitoring processes for third-party security posture
- Develop self-service audit evidence systems and dashboards
- Partner with auditors to provide API-driven or system-generated evidence

What We're Looking For
- Bachelor's degree in Computer Science, Engineering, or a related field (or equivalent experience)
- 3–6+ years in security engineering, GRC, GRC engineering, or cloud security roles
- Strong experience with scripting/programming (Python, Go, or similar)
- Hands-on experience with cloud platforms (AWS, Azure, or GCP)
- Familiarity with Infrastructure as Code (Terraform, CloudFormation, etc.)
- Deep understanding of security controls and how they map to compliance frameworks
- Experience integrating APIs and building automation pipelines

Bonus Points
- Experience with policy-as-code tools
- Experience with GRC automation platforms
- Familiarity with SIEM, SOAR, and security telemetry systems
- Experience building internal tools or platforms for compliance and risk management
- Certifications such as CISSP, CISM, CRISC, or cloud security certifications

What We Offer
- Competitive salary: $100,000-$140,000
- Employer-sponsored health, dental, vision, life, and disability insurance
- Retirement plan with company contribution
- Annual company profit sharing
- Personal development/training budget
- Open, collaborative work environment
- Extensive 2-week onboarding plan
- Comprehensive mentorship program