Jobs › Senior Governance, Risk, Compliance (GRC) Analyst
Senior Governance, Risk, Compliance (GRC) Analyst
Role at a glance
- Category
- Compliance
- Work arrangement
- On-site
- Location
- San Francisco, CA
- Salary range
- $161,600
- Posted
- Jun 17, 2026
Headway is hiring a Senior Governance, Risk, Compliance (GRC) Analyst in San Francisco, CA. This is a Compliance role in the governance, risk, and compliance field, with a posted range of $161,600. Review the full details below and apply directly with Headway.
1 in 4 people in the US have a treatable mental health condition, but most providers don't accept insurance, making therapy too expensive for most people. Headway’s mission is to fix this by building a new mental healthcare system everyone can access. We started by solving the biggest barrier to care: insurance. The admin work - credentialing, claims, payment reconciliation - is a nightmare. We've automated that. But we're going further. Over 75,000 providers across all 50 states run their practice on our software, serving over 1 million patients. We are building the best tools for therapists to run their entire practice, reimagining the experience of finding a therapist, and investing in the platform foundations to enable this at scale. We aren't just a billing layer; we are becoming the platform where care actually happens. We're a Series D company with $325M+ in funding (a16z, Accel, Spark Capital, etc.), looking for exceptional people to help us achieve this mission. We want your time here to be the most meaningful experience of your career. Join us, and help change mental healthcare for the better. About the Role Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program! You'll join the Security team and work across four pillars: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. You won't be maintaining a stale compliance program — you'll be building a modern, AI-enabled one at a company that's transforming how mental healthcare is delivered in the United States. This role reports to Blake Atkinson, Director of Security, and partners closely with Privacy and Engineering teams. What You'll Own Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines. Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals. Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking. Operate the centralized risk register — identifying, assessing, and tracking technical security risks through
Full responsibilities and requirements are on Headway's application page.
Apply for this role →Location and market context
This role is based in San Francisco, CA on-site. Local candidates benefit from being close to Headway's teams and regional hiring market. Confirm the exact in-office expectation and any relocation support with the employer.
About compliance roles
Compliance programs turn law, regulation, and policy into controls the business can actually run. Demand is strongest where regulatory change, enforcement risk, and new technology intersect. Roles like this one are typically evaluated against frameworks such as relevant regulatory frameworks, control libraries, and audit and monitoring practices.
How to position yourself for this compliance role
Strong candidates emphasize building and monitoring controls, regulatory mapping, policy and training, and partnering with the business to make compliance practical. In your resume and outreach, tie your experience to how Headway would apply relevant regulatory frameworks, control libraries, and audit and monitoring practices, and lead with concrete outcomes rather than duties.
Similar GRC roles
More GRC jobs: All GRC roles · Browse by category & location