Member of Technical Staff, Security Compliance

Envoy protects the places the world relies on most by unifying people, spaces, and communications in one secure, integrated workplace management platform and ecosystem. More than 16,000 workplaces around the world trust Envoy to run secure, compliant, and connected operations across every location.

From manufacturing sites and data centers to life sciences labs, healthcare facilities, and corporate headquarters, Envoy unifies visitor management, risk assessment, mailroom management, digital signage software, resource booking, and emergency management into one integrated platform.

With deep integrations across access control, identity, compliance screening, and collaboration tools—including LenelS2, Brivo, Genetec, Honeywell, Cisco Meraki, Okta, Microsoft Azure, Microsoft Teams, Slack, ServiceNow, DocuSign, Avigilon Alta, and Descartes Visual Compliance—Envoy helps organizations reduce risk, stay audit-ready, and operate with clarity at scale.

Learn more at envoy.com

This is an L4 opportunity. Successful candidates typically have 7–10 years of experience and come from senior or early staff-level roles with a proven track record of technical leadership, cross-functional influence, and the ability to drive meaningful impact at scale.

About the role

Envoy is building a security program where controls are embedded in how we build and operate software, risk is clearly owned, and audit readiness is continuous rather than reactive.

As a Security Compliance Engineer, you will design and operate the systems that make our security posture measurable, defensible, and scalable as we grow.

This is not a documentation-only compliance role. You will work directly with Product and Infrastructure engineering teams to translate real-world cloud and application implementations into unified, cross-framework controls that are automated wherever possible and grounded in technical reality.

You will combine security domain expertise with hands-on engineering capability to reduce manual compliance work and build durable assurance systems.

Today our compliance program spans ISO 27001, SOC 2, CMMC Level 1, and HIPAA. As we expand our enterprise and public sector footprint, FedRAMP readiness is part of our future accreditation roadmap.

This is an on-site position that requires 4 days a week (Monday through Thursday) in our San Francisco HQ office.

You will

• Own and evolve Envoy’s unified cross-framework control model across ISO 27001, SOC 2, CMMC Level 1, HIPAA, and support future FedRAMP readiness

• Maintain and mature the security risk register, ensuring risk decisions are explicit, documented, and visible

• Drive continuous audit readiness without quarterly scramble

• Define and reinforce clear control ownership across Product and Infrastructure teams

• Operate and mature key assurance programs including vendor risk management, data classification, and security awareness

• Build lightweight tooling and automation to continuously validate controls and eliminate manual evidence collection

• Use code, APIs, and cloud integrations to automate recurring compliance workflows

• Leverage AI to accelerate control mapping, questionnaire drafting, evidence summarization, and internal self-serve compliance knowledge

• Define and report on security KPIs to leadership, and streamline enterprise security questionnaire responses

AI & Automation Expectations

• This role treats AI as a force multiplier, not a shortcut.

• You will:

  • Use AI-assisted workflows to accelerate framework normalization and control mapping

  • Implement AI-generated first drafts for questionnaires and audit narratives, grounded in structured control data

  • Build or integrate internal AI interfaces that allow engineers to self-serve on control ownership, policy intent, and risk status

  • Ensure AI augments deterministic, API-driven evidence collection rather than replacing it

• Success means measurable reductions in manual effort, faster trust workflows, and stronger consistency, without weakening audit defensibility.

What success looks like

• A unified, cross-framework control model with clear engineering ownership and direct linkage to the risk register

• Continuous audit readiness across ISO, SOC 2, CMMC, HIPAA, with a clear path toward FedRAMP maturity

• Vendor risk, data classification, and awareness programs operating as measurable, structured systems

• Security KPIs that provide leadership and enterprise customers with clear visibility into risk posture

• Significant reduction in manual evidence gathering through automation and AI-assisted workflows

You have

• 5+ years of experience in security engineering, security assurance, or a related field

• Direct experience owning or leading ISO 27001 and/or SOC 2 audit cycles

• Experience mapping real technical implementations to security control frameworks

• Working knowledge of modern cloud environments such as AWS

• Ability to evaluate access control trade-offs and logging adequacy

• Experience maintaining or operating a security risk register

• Ability to write scripts or small internal tools in languages such as Python, Bash, or similar

• Experience using APIs and cloud integrations to automate workflows or evidence collection

• Comfort working in engineering repositories and collaborating via pull requests

• Curiosity and practical experience experimenting with AI tools to reduce manual operational work

• Strong written and verbal communication skills, with the ability to explain risk in clear, practical terms

• A pragmatic mindset that balances long-term system improvement with real-world delivery constraints

Nice to have

• Experience with CMMC Level 1 or federal compliance environments

• Exposure to FedRAMP requirements or public sector security standards

• Experience with HIPAA safeguards and healthcare-related controls

• Experience automating compliance evidence using cloud-native tooling

• Familiarity with infrastructure-as-code and CI/CD security patterns

• Experience designing tiered vendor risk programs

• Experience defining or implementing data classification models

• Experience building security dashboards or reporting frameworks

By applying for this position, you acknowledge that you have fully read and understand the job requirements and received the Envoy Privacy Notice for applicants, which is linkedhere. Completing this application requires you to provide personal data, such as your name and contact information, which is mandatory for Envoy to process your application. Envoy is an EEO Employer and does not discriminate on the basis of any characteristic protected by local, state or federal law.