Security and Compliance Engineer

About Hevo:

Hevo (www.hevodata.com) is a simple, intuitive, and powerful No-code Data Pipeline platform that enables companies to consolidate data from multiple software for faster analytics.

Hevo powers data analytics for 2000+ data-driven companies across multiple industry verticals, including Cult.fit, Postman, ThoughtSpot, Jawa Motorcycles. By automating complex data integration tasks, Hevo allows data teams to focus on deriving groundbreaking insights and driving their businesses forward.

Hevo’s mission is simple but bold: Build technology from India, for the world that is simple to adopt and easy to access so that everyone can unlock the potential of data.

Based in San Francisco and Bangalore, Hevo has seen exponential growth since its inception. With total funding of $42 million from Sequoia India, Qualgro, and Chiratae Ventures, Hevo is now entering a new phase of hyper-growth.

Hevoites are a bunch of thoughtful, helpful problem solvers who are obsessed with making a difference in the lives of their customers, colleagues, and their own individual trajectory. If you are someone who is passionate about redefining the future of technology, then Hevo is the place for you.

Compliance Program Ownership

• Own and manage Hevo's compliance certifications end-to-end — including SOC 2 Type II, ISO 27001, GDPR, and any other applicable frameworks — across audit cycles, evidence collection, and remediation

• Lead internal readiness assessments and gap analyses against compliance frameworks; define and drive remediation roadmaps in partnership with Engineering and Infrastructure teams

• Serve as the primary point of contact for external auditors, certification bodies, and customer security review teams

• Respond to customer security questionnaires, due diligence requests, and vendor assessments with accuracy and speed

Security Engineering & Controls

• Design, implement, and continuously improve security controls across Hevo's cloud infrastructure, access management, data handling, and software development lifecycle (SDLC)

• Collaborate with DevOps and Engineering teams to embed security and compliance requirements into CI/CD pipelines, infrastructure-as-code, and deployment practices

• Conduct regular security risk assessments, vulnerability reviews, and internal audits — prioritizing findings and driving resolution within defined timelines

• Define and enforce policies around data classification, access controls, encryption, logging, monitoring, and incident response

Policy & Governance

• Develop, maintain, and operationalize security policies, standards, and procedures aligned with industry frameworks and Hevo's risk appetite

• Build and run a compliance awareness and training program across the organization — making security and compliance a shared responsibility

• Establish and maintain a continuous compliance monitoring framework using GRC tooling and automation where possible

• Track and report on compliance metrics, audit findings, and risk posture to leadership on a regular cadence

Cross-Functional Collaboration

• Partner with Product and Engineering to assess compliance implications of new features, integrations, and infrastructure changes early in the development cycle

• Work with the Legal and Finance teams on contractual obligations, data processing agreements (DPAs), and regulatory requirements across geographies

• Support Sales and Customer Success in closing security-sensitive deals by providing timely, accurate responses to enterprise security reviews

• 5–8 years of experience in security engineering, information security, or a compliance-focused engineering role

• Hands-on experience owning SOC 2 Type II audits end-to-end — from scoping and evidence collection to audit management and remediation; ISO 27001 experience is a strong plus

• Strong understanding of cloud security fundamentals — AWS, GCP, or Azure — including IAM, network security, encryption, and logging/monitoring best practices

• Familiarity with GDPR, CCPA, and other data privacy regulations relevant to a SaaS data company

• Experience with GRC platforms (e.g., Sprinto, Tugboat Logic, or equivalent) for continuous compliance monitoring

• Solid grasp of secure SDLC practices, vulnerability management, and DevSecOps principles

• Ability to translate complex compliance requirements into practical, implementable engineering controls

• Experience responding to enterprise customer security questionnaires and participating in vendor risk assessments

• Strong written communication skills — able to author policies, procedures, and audit evidence documentation with clarity and precision

• High ownership and accountability — you treat compliance as a product, not a checklist

• Detail-oriented with a structured, process-driven approach

• Ability to work cross-functionally and influence without authority — getting Engineering teams to prioritize compliance alongside feature work

• Proactive risk-thinking — you anticipate gaps before auditors find them

• Comfortable operating independently in a role with no direct peer — you define the playbook