Reply helps thousands of companies automate and scale their sales outreach — and we were among the first to put an AI SDR inside a sales engagement platform. We move fast, stay lean, and solve problems with AI, not headcount.
Now we’re looking for a Security & Compliance Manager to own our security and compliance programme as we move upmarket. This is a hands-on, build-from-scratch role: you’ll own the programme end-to-end, report directly to the CEO, and have the autonomy to shape how security works here rather than inherit someone else’s playbook.
If you like turning risk into clear business decisions — and building systems that make security something the company moves faster because of, not slower — you’ll thrive here.
What you’ll do

* Own and run the security and compliance programme end-to-end
* Lead annual SOC 2 Type 2 audits and lay the groundwork for ISO 27001 and other relevant certifications — owning audit readiness throughout: evidence collection, documentation, and representation in audits and regulatory interactions
* Own security and privacy governance: policies, standards, and their full lifecycle, aligned with SOC 2 and relevant frameworks
* Maintain the risk register across access controls, internal processes, data confidentiality and availability, infrastructure, and third parties — and translate identified risks into clear, prioritised treatment plans with owners and timelines
* Own identity and access management across all company systems: onboarding/offboarding, regular access reviews, and least-privilege enforcement
* Run vendor and third-party risk management, embedding security requirements into contracts and SLAs
* Handle inbound security questionnaires and enterprise security reviews from customers and prospects, independently
* Scope, procure, and manage the annual external pentest — you own the process and track remediation through to completion with DevOps
* Build and run a security awareness programme in collaboration with HR: training completion, phishing simulations, and behavioural improvement tracking
* Partner with engineering and DevOps to translate compliance requirements into technical controls
* Treat Claude Code as your core security operating system — use it daily to investigate our systems, automate GRC workflows, build and test controls, and actively challenge our own defences. This role sets the bar for what AI-first security looks like here
* Report to leadership on top risks, incidents, control effectiveness, awareness metrics, and compliance status

Requirements

Must-have:

* 4+ years in information security or GRC, including hands-on ownership of a SOC 2 programme
* Proven hands-on experience with SOC 2 Type 2 and ISO 27001 in a SaaS or product company
* Working knowledge of GDPR and its implications for a SaaS business
* Experience managing vendor and third-party risk, including security requirements in contracts and SLAs
* Experience handling customer-facing security questionnaires and enterprise security reviews independently
* Able to assess and communicate risk in business terms
* Comfortable working across teams without direct authority
* Comfortable operating in cloud environments (we run on Azure)
* An AI-first operator who reaches for automation before manual effort — ideally already an exceptional Claude Code power user
* Advanced English

Will be a plus:

* ISO 27001 Lead Implementer / Auditor or CISM certification
* Familiarity with GRC tooling such as Drata, Vanta, or similar
* Background in a startup or scale-up where you built processes rather than inherited them

What we offer

* Full ownership of the security programme — build it from the ground up, with direct CEO access and real autonomy
* Your work directly enables the company to move upmarket and win bigger customers
* High ownership and the freedom to improve systems and processes
* Close collaboration with leadership, engineering, and DevOps
* 100% remote, with minimal meetings and zero bureaucracy
* Coverage for professional courses, gym memberships, or therapy sessions
* AI-first culture — we actively use advanced AI tools and cover premium software costs
* 15 paid vacation days, national holidays, and ~10 days of Christmas vacation
* Unlimited sick leave
* Access to internal training, literature, and knowledge sessions
If you’re excited about building a security programme from scratch, turning risk into clear decisions, and doing it AI-first — we’d love to hear from you!