Arist is the go-to agent-first enablement platform for the Fortune 500. Every deal ships with a security questionnaire, a Trust Center deep-dive, and a customer who wants to see SOC 2 + ISO 27001 + ISO 42001 evidence before signing. Today this work is split across people who have other day jobs. We need one owner.
This is the person who keeps deals from stalling at security review, keeps our audits clean, and keeps our policies real instead of decorative.
What you'll own
Procurement (deal velocity)
Respond to security and infosec questionnaires from prospects and customers — owning SLAs that match deal timelines.
Build and maintain a centralized answer library so the same question never gets answered three different ways.
Stand up infosec questionnaire automation + AI augmentation so we move from artisanal to assembly-line.
Triage net-new questions to the right SME — Eng for architecture, Security for controls, Legal for data handling, HR for personnel.
Keep the Trust Center current and useful.
Run vendor onboarding (classification + risk review), annual re-reviews, and offboarding.
Compliance (SOC 2, ISO 27001, ISO 42001)
Run continuous compliance — monthly/quarterly control checks.
Own the GRC platform (Vanta or Drata) and keep evidence current.
Run incident response when something happens — detection, containment, internal + customer comms, post-mortem, regulatory and contractual notifications.
What you'll have done before
Ideally, you have DevOps chops. We'd love someone who's lived on the engineering side too — comfortable in CI/CD, cloud infra (AWS/GCP), IaC (Terraform), and shipping fixes themselves rather than only filing tickets. The strongest candidates won't just audit our technical controls; they'll harden them. If you've worn both the GRC hat and the DevOps hat, tell us.
Owned SOC 2 Type II at a SaaS company end-to-end. ISO 27001 a strong plus. ISO 42001 a bonus — happy to grow into it.
Run a GRC platform (Vanta, Drata, or similar) as the primary admin.
Read a SaaS application architecture and held your own with engineers about the security implications. You don't need to be a developer, but you can talk to ours.
Led at least one real incident response, not just a tabletop.
How we'll know you're great
Questionnaire turnaround drops from weeks to days, with consistent answers.
Trust Center is the first thing prospects see and the last thing they ask about.
Audits are non-events. No 11th-hour evidence scrambles.
Policies are followed because they're current and clear, not ignored because they're stale.
When something goes wrong, the response is calm, fast, and well-communicated.
How we work
Small team. High trust. Speed to deploy and to close deals is our edge, so your job is to make compliance and procurement match that pace, not slow it down. We default to simplicity, not 20-page specs. We expect crisp written communication and a low tolerance for ceremony that slows.
Apply
Send a note to maxine @ arist dot co with 1) why you're interested in Arist and 2) what makes you exceptional for this role that spans security, compliance, and DevOps in a fast-growing startup environment.