GRC Engineer, Healthcare & Trust Specialist

Birdeye

Gurugram, Haryana, India

Posted on May 26, 2026

About Birdeye

Birdeye is the leading agentic marketing platform for multi-location brands.

Companies like H&R Block, Aspen Dental, and Caesars Entertainment use Birdeye to manage marketing across thousands of locations — from how they get found, to how they convert, to how they retain customers. Our platform replaces disconnected point tools with AI agents that execute work at the location level — responding to reviews, updating listings, publishing content, and driving conversions.

Backed by Marc Benioff, Jerry Yang, and Accel-KKR, Birdeye was named to G2’s 2026 Best Agentic AI Products list — appearing alongside the world’s leading AI companies. We’re expanding rapidly into enterprise, with growing adoption across large, multi-location brands.

About the Role

BirdEye holds ISO 27001:2022 and SOC 2 Type II certifications, maintains HIPAA and GDPR compliance programmes, and is registered with the ICO. The compliance foundation is real. What it lacks is a dedicated owner who can maintain, elevate, and operationalise it, and critically, extend it to cover HITRUST CSF r2 (the healthcare gold standard), AI governance (ISO 42001), and privacy (the SOC 2 Privacy trust services criteria). This is not a documentation role. This is a Field Security role: you will be on sales calls winning enterprise deals, running vendor risk assessments, driving the ESG security agenda, and building the Common Control Framework that makes all of this scalable.

What You Will Own

  • Own the HITRUST Common Security Framework (CSF) r2 certification readiness, implementation, and ongoing maintenance.
  • Lead the implementation of the HIPAA Security Rule 2026 Overhaul, including conducting a gap analysis to map current controls against proposed mandatory safeguards.
  • Update the annual HIPAA risk assessment to explicitly cover risks associated with AI systems.
  • Drive the implementation of missing HIPAA controls (most commonly: MFA expansion, encryption gap remediation, asset inventory, and written patch management policy).
  • Update incident response runbooks to meet the 30-day breach notification SLA (stricter than the 60-day outer limit in the HIPAA Breach Notification Rule) and establish an annual compliance audit cadence.
  • Own the SOC 2 Type II renewal — evidence collection, control testing coordination, auditor relationship management. Drive expansion to the Privacy pillar.
  • Build and maintain the Common Control Framework (CCF) — map SOC 2, ISO 27001, HITRUST CSF r2, ISO 42001, GDPR, and HIPAA controls into a single evidence layer. Eliminate redundant evidence gathering across audits.
  • Drive ISO 42001 (AI Management System) readiness — partner with ML engineering on AI governance, responsible AI documentation, and algorithmic risk assessment.
  • Execute vendor risk assessments and Third-Party Risk Management (TPRM) — questionnaire template, risk rating methodology, vendor tiering, reporting cadence.
  • Handle "Right to Audit" requests from enterprise customers — coordinate, scope, and manage customer audit exercises.
  • Execute quarterly user access reviews across critical systems — document findings formally, track remediation to closure.
  • Own the content layer of the Trust Center — certifications, policy summaries, completed questionnaire library.
  • Field Security: jump on enterprise sales calls to answer security questions live, accelerate deal velocity, remove security as a sales blocker.
  • Drive the ESG security agenda — Ethical AI governance, data privacy programme, responsible AI disclosures.
  • Maintain the policy and standards library — keep documentation current, not aspirational.
  • Manage GDPR and HIPAA compliance evidence maintenance and annual review cycles.

Requirements

Must Have

  • 5+ years hands-on GRC or compliance engineering — programme ownership, not audit consulting.
  • Direct, hands-on experience achieving or maintaining HITRUST CSF (r2 or i1 certification experience highly preferred).
  • Proven experience conducting detailed HIPAA regulatory gap analysis and driving control implementation, especially regarding AI systems and mandatory safeguards.
  • Direct experience with SOC 2 audits — evidence collection, control mapping, auditor liaison.
  • Working knowledge of ISO 27001 control framework and integrated audit approaches.
  • Vendor risk assessment experience — questionnaires, risk rating, third-party due diligence, Right to Audit coordination.
  • User access review execution experience — not just policy, but hands-on review cycles.
  • Experience updating incident response plans to meet strict breach notification SLAs (e.g., a 30-day HIPAA breach notification commitment, tighter than the Breach Notification Rule's 60-day outer limit).
  • Ability to write clearly — policies, standards, evidence narratives, customer-facing documentation.
  • Comfortable on customer calls — you can explain BirdEye's security posture to a CISO on the other side of the table.

Nice to Have

  • ISO 42001 familiarity or AI governance experience.
  • Experience building a Common Control Framework (CCF) across multiple standards (especially including HITRUST).
  • Experience with GRC platforms (Scrut, Vanta, Drata, or equivalent).
  • Trust Center platform experience (SafeBase, Vanta Trust Center).
  • CISA, CRISC, CISM, or ISO 27001 Lead Implementer certification.
  • ESG reporting or Ethical AI governance experience.
  • Experience expanding SOC 2 TSC scope (particularly Privacy pillar).

AI as a Force Multiplier

Every member of the security team is expected to leverage AI tools and capabilities to increase speed, productivity, and coverage. This is not optional — it is how a four-person team operates at the scale of a much larger organisation.

  • Use AI-assisted tooling for code review, vulnerability triage, alert correlation, evidence generation, policy drafting, and threat analysis.
  • Evaluate and adopt AI-native security tools where they outperform traditional approaches.
  • Automate repetitive workflows using AI/ML — the goal is to spend human attention on judgment, not toil.
  • Stay current on AI developments in your pillar — and bring recommendations to the team.

Why You’ll Join Us

At Birdeye, we are relentless innovators driven by a singular goal: to lead our category with unparalleled excellence. We don't just set goals – we surpass them. We're a team of doers who roll up our sleeves and get the job done, delivering on our promises with unwavering dedication.

Working here means embracing a culture of action and accountability, where every person is empowered to make an impact. We don't just talk about making a difference – we make it happen.