TherapyNotes, LLC

GRC Engineer

Reposted Yesterday
Remote
Hiring Remotely in United States
100K-140K Annually
Mid level
The GRC Engineer will handle risk assessments, automate GRC processes, maintain policies, and support compliance frameworks while collaborating with security teams.
The summary above was generated by AI

About Us

TherapyNotes is the go-to superhero for behavioral health Practice Management and EHR software! Our top-notch SaaS solution handles scheduling, billing, documenting, telehealth, and more so clinicians can focus on awesome patient care.

We're a dynamic team of pros who love to innovate and push the envelope, keeping our software cutting-edge. Join us, and let's revolutionize behavioral health software together while making a real difference!

About The Position

TherapyNotes is seeking a GRC Engineer who combines strong foundational GRC expertise with the ability to design and implement scalable, automated solutions. This role is responsible for both executing core GRC functions (e.g., risk assessments, policy management, third-party risk) and transforming those processes through engineering and automation.

The ideal candidate understands how GRC work is performed today—and has the technical skills to improve, scale, and modernize it.

What You'll Do

Core GRC Operations (Hands-On Execution)

  • Conduct third-party risk assessments (TPRM), including vendor reviews, security questionnaires, and risk evaluations
  • Maintain and update security policies, standards, and procedures
  • Support compliance initiatives across frameworks (SOC 2, ISO 27001, HIPAA, NIST, etc.)
  • Perform internal risk assessments, control testing, and gap analyses

GRC Engineering & Automation

  • Identify manual, repetitive GRC processes and design automated solutions
  • Build and maintain automated evidence collection (via APIs, scripts, and integrations)
  • Implement continuous control monitoring (CCM) to replace point-in-time audits
  • Translate compliance requirements into technical controls and system configurations
  • Validate control effectiveness through automated testing and monitoring
  • Enable real-time or near-real-time risk visibility through dashboards and reporting systems
  • Work with Security Engineering to continuously audit configurations and remediate drift programmatically
  • Build scalable workflows for vendor risk assessments, re-assessments and tracking
  • Integrate vendor data into centralized risk systems
  • Automate intake, review, and monitoring processes for third-party security posture
  • Develop self-service audit evidence systems and dashboards
  • Partner with auditors to provide API-driven or system-generated evidence

What We're Looking For

  • Bachelor’s degree in Computer Science, Engineering, or related field (or equivalent experience)
  • 3–6+ years in security engineering, GRC, GRC engineering, or cloud security roles
  • Strong experience with scripting/programming (Python, Go, or similar)
  • Hands-on experience with cloud platforms (AWS, Azure, or GCP)
  • Familiarity with Infrastructure as Code (Terraform, CloudFormation, etc.)
  • Deep understanding of security controls and how they map to compliance frameworks
  • Experience integrating APIs and building automation pipelines

Bonus Points

  • Experience with policy-as-code tools
  • Experience with GRC automation platforms
  • Familiarity with SIEM, SOAR, and security telemetry systems
  • Experience building internal tools or platforms for compliance and risk management
  • Certifications such as CISSP, CISM, CRISC, or cloud security certifications

What We Offer

  • Competitive salary - $100,000-$140,000
  • Employer sponsored health, dental, vision, life, and disability insurance
  • Retirement plan with company contribution
  • Annual company profit sharing
  • Personal development/training budget
  • Open, collaborative work environment
  • Extensive 2-week onboarding plan
  • Comprehensive mentorship program

Similar Jobs

8 Days Ago
Remote
USA
116K-213K Annually
Senior level
Kids + Family • Mobile
The Senior GRC Engineer at Life360 will lead governance frameworks, ensuring compliance with regulations, and utilize AI tools for automating control processes and evidence collection, while managing security risks and maintaining relationships across departments.
Top Skills: AI Tools, API Integration, Git, ISO 27001, NIST CSF, Python, SOC 2
11 Days Ago
Remote
USA
130K-150K Annually
Senior level
Hardware • Machine Learning • Security • Software
The Senior GRC Engineer will design and implement automated governance, risk, and compliance systems, integrating security in cloud environments and collaboration across teams to enhance compliance processes and risk measurement.
Top Skills: AI, AWS, CI/CD, CloudFormation, LLMs, Terraform
15 Days Ago
Remote
United States
Senior level
Artificial Intelligence • Information Technology • Software
As a Sr. GRC Engineer, you will lead and manage CMMC compliance projects, develop documentation, guide clients in assessments, and mentor a team to meet cybersecurity standards in defense contracting.
Top Skills: AWS GovCloud, Azure Government, CMMC, FedRAMP, GCC High, NIST 800-171, NIST 800-53

What you need to know about the Austin Tech Scene

Austin has a diverse and thriving tech ecosystem thanks to home-grown companies like Dell and major campuses for IBM, AMD and Apple. The state’s flagship university, the University of Texas at Austin, is known for its engineering school, and the city is known for its annual South by Southwest tech and media conference. Austin’s tech scene spans many verticals, but it’s particularly known for hardware, including semiconductors, as well as AI, biotechnology and cloud computing. And its food and music scene, low taxes and favorable climate have made the city a destination for tech workers from across the country.

Key Facts About Austin Tech

  • Number of Tech Workers: 180,500; 13.7% of overall workforce (2024 CompTIA survey)
  • Major Tech Employers: Dell, IBM, AMD, Apple, Alphabet
  • Key Industries: Artificial intelligence, hardware, cloud computing, software, healthtech
  • Funding Landscape: $4.5 billion in VC funding in 2024 (Pitchbook)
  • Notable Investors: Live Oak Ventures, Austin Ventures, Hinge Capital, Gigafund, KdT Ventures, Next Coast Ventures, Silverton Partners
  • Research Centers and Universities: University of Texas, Southwestern University, Texas State University, Center for Complex Quantum Systems, Oden Institute for Computational Engineering and Sciences, Texas Advanced Computing Center
