[Remote] Senior Security Compliance Engineer
Note: The job is a remote job and is open to candidates in the USA.

UniUni is a late-stage last-mile logistics company moving millions of parcels across the United States and Canada for major e-commerce platforms. They are seeking a Senior Security Compliance Engineer to manage their governance, risk, and compliance functions, ensuring the health of their ISO 27001 certification and SOC 2 Type II attestation while automating compliance processes and supporting regulatory obligations.

Responsibilities

- Run the ISO 27001 program operations, including surveillance audit prep, internal audits, the annual risk assessment, management reviews, and corrective action tracking
- Run the SOC 2 Type II program operations, including continuous control monitoring, evidence collection, auditor coordination, and remediation tracking
- Operate the information security policy lifecycle: drafting, stakeholder review, approval workflows, annual reviews, version control, and employee attestations
- Maintain the risk register, drive risk treatment plans through to closure, and prepare risk reporting for the ISO and the executive team
- Build and maintain compliance automation, including evidence collection workflows, control testing, and dashboarding. Treat the GRC platform as a system you actively engineer, not a passive system of record
- Plan and run security awareness training and phishing simulation cycles, and report on outcomes
- Operate UniUni's privacy program in partnership with legal, including data inventories, data flow mapping, retention schedules, and privacy impact assessments
- Execute on regulatory obligations relevant to our business, including the DOJ Data Security Program, Canadian PIPEDA, and applicable US state privacy laws
- Coordinate the response to data subject access requests (DSARs) and privacy inquiries within statutory timelines
- Track regulatory developments across the jurisdictions in which UniUni operates and translate them into concrete control changes, evidence requirements, and policy updates
- Support data residency and data minimization commitments, working with engineering and the data security team to verify they hold in practice
- Lead the response to customer security questionnaires, RFP security sections, and prospect security reviews, in partnership with sales, legal, and the ISO
- Review and negotiate the security and privacy clauses in customer and vendor contracts, escalating material issues to the ISO and legal
- Run UniUni's third-party risk management program: vendor inventory, tiering by risk, due diligence, security review of new vendors, periodic reassessment of existing vendors, and remediation tracking
- Operate the trust center and the security artifact library (SOC 2 reports, ISO certificates, pen test summaries, security overviews) and keep customer-facing materials current and accurate
- Be a credible representative of UniUni's security posture in front of customers, auditors, and regulators
- Write clearly and precisely. The work product of this role lands in front of customers, auditors, regulators, and executives, and it has to hold up
- Partner with engineering, IT, legal, HR, and finance to make compliance a normal part of how the business runs, not an interrupt

Skills

- 5 to 8 years in security GRC, audit, or a closely related discipline, with hands-on ownership of ISO 27001 and SOC 2 program operations in a cloud-native organization
- Direct experience driving SOC 2 Type II audit cycles end to end, including auditor coordination, evidence collection, and remediation
- Working knowledge of common control frameworks beyond ISO and SOC (NIST CSF, NIST 800-53, CIS) and the ability to map between them
- Experience operating a GRC platform (e.g., Vanta, Drata, Secureframe, Hyperproof, ServiceNow GRC, OneTrust) as a power user, including building automated evidence pipelines and control tests
- Experience leading customer security questionnaires and security reviews for enterprise customers, including reviewing security and privacy clauses in contracts
- Familiarity with privacy regulation in North America, including PIPEDA and US state privacy laws, and a working understanding of cross-border data transfer requirements
- Experience operating a third-party risk management program at meaningful vendor volume
- Strong written communication. You can produce auditor-ready documentation, customer-ready security narratives, and executive-ready risk summaries, and you know which is which
- A pragmatic, automation-first mindset. You are bothered by manual evidence collection and you do something about it
- Experience in logistics, supply chain, marketplaces, or other high-volume operational businesses
- Familiarity with the DOJ Data Security Program and bulk data transfer rules
- Light scripting ability (Python, SQL) for automating evidence collection or building control queries against AWS, identity providers, and SaaS platforms
- Relevant certifications such as ISO 27001 Lead Auditor or Lead Implementer, CISA, CISM, CIPP, or CRISC
- Prior experience supporting a company through a customer-driven security maturation, an investor due diligence cycle, or IPO readiness

Company Overview

UniUni is a transportation company that offers services in freight and package transportation with logistics services. It was founded in 2019 and is headquartered in Richmond, British Columbia, CAN, with a workforce of 501-1000 employees. Its website is https://www.uniuni.com.

Company H1B Sponsorship

UniUni has a track record of offering H1B sponsorships, with 4 in 2026, 30 in 2025, 12 in 2024, and 2 in 2023. Please note that this does not guarantee sponsorship for this specific role.