
Headway

Senior Governance, Risk, Compliance (GRC) Analyst

Posted 14 Days Ago
Hybrid
New York, NY, USA
162K-202K Annually
Senior level
Lead and mature Headway's GRC program across certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk, security awareness training, and technical risk management. Manage audit readiness, vendor assessments, risk register, and cross-functional embedding of compliance. Build repeatable, AI-enabled processes and coordinate remediation and assessor activities.

1 in 4 people in the US have a treatable mental health condition, but most providers don't accept insurance, making therapy too expensive for most people. Headway’s mission is to fix this by building a new mental healthcare system everyone can access. We started by solving the biggest barrier to care: insurance. The admin work - credentialing, claims, payment reconciliation - is a nightmare. We've automated that.

But we're going further. Over 75,000 providers across all 50 states run their practice on our software, serving over 1 million patients. We are building the best tools for therapists to run their entire practice, reimagining the experience of finding a therapist, and investing in the platform foundations to enable this at scale. We aren't just a billing layer; we are becoming the platform where care actually happens.

We're a Series D company with $325M+ in funding (a16z, Accel, Spark Capital, etc.), looking for exceptional people to help us achieve this mission. We want your time here to be the most meaningful experience of your career. Join us, and help change mental healthcare for the better.

About the Role

Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program!

You'll join the Security team and work across four pillars: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. You won't be maintaining a stale compliance program — you'll be building a modern, AI-enabled one at a company that's transforming how mental healthcare is delivered in the United States.

This role reports to Blake Atkinson, Director of Security, and partners closely with Privacy and Engineering teams.

What You'll Own
  • Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines.

  • Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals.

  • Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking.

  • Operate the centralized risk register — identifying, assessing, and tracking technical security risks through mitigation, and surfacing risk-informed priorities to engineering and security leadership.

  • Partner cross-functionally with Privacy, Legal, IT, and Engineering to embed compliance into how Headway operates — not bolt it on after the fact.

You'd be a great fit if…
  • You have 5+ years of experience in a GRC, compliance, or security risk role.

  • You have working knowledge of at least two of: HITRUST, SOC 2, PCI-DSS, or HIPAA.

  • You've used a GRC platform like Vanta, Drata, OneTrust, or similar to automate evidence collection or manage controls.

  • You communicate compliance requirements clearly to both technical and non-technical audiences.

  • You default to building repeatable processes over one-off heroics.

  • You're excited about using AI and modern tooling to scale compliance operations.

  • Bonus: you've worked in healthcare or healthtech and understand what HIPAA means in practice, not just in theory.

Why Headway
  • Mission that matters — your work directly protects millions of patients accessing mental healthcare.

  • Real risk mitigation — this isn't checkbox compliance; the data you're protecting and the programs you're building have direct, tangible impact.

  • Forward-thinking healthtech — Headway is investing in AI-enabled security workflows and modern GRC tooling, not spreadsheet-driven compliance.

  • Build from scratch — you're standing up Headway's GRC function, not inheriting legacy processes.

Compensation and Benefits:

The expected base pay range for this position is $161,600 to $202,000, based on a variety of factors including qualifications, experience, and geographic location. In addition to base salary, this role may be eligible for an equity grant, depending on the position and level.

We are committed to offering a comprehensive and competitive total rewards package, including robust health and wellness benefits, retirement savings, and meaningful ownership opportunities through equity. Compensation decisions are made holistically, ensuring fairness and alignment with market benchmarks while recognizing individual contributions and potential.

  • Benefits offered include:

    • Equity compensation

    • Medical, Dental, and Vision coverage

    • HSA / FSA

    • 401K

    • Work-from-Home Stipend

    • Therapy Reimbursement

    • 16-week parental leave for eligible employees

    • Carrot Fertility annual reimbursement and membership

    • 13 paid holidays each year as well as a Holiday Break during the week between December 25th and December 31st

    • Flexible PTO

    • Employee Assistance Program (EAP)

    • Training and professional development

#LI-RJ1

We believe a team's strength is in its people, and we cannot achieve this mission without a team that reflects the diversity of this problem – across race, ethnicity, gender, sexuality, age, national origin, religion, family status, disability, military status, and experience. Headway is committed to the full inclusion of all qualified individuals. As part of this commitment, Headway will ensure that persons with disabilities are provided with reasonable accommodations. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or receive other benefits and privileges of employment, please inform the recruiter when they contact you to schedule your interview.

Headway participates in E-Verify. To learn more, click here.

A notice to Headway applicants: To protect yourself against phishing and recruitment fraud, please note that Headway only accepts applications through our official careers page at https://headway.co/careers. Headway will never refer you to external websites, ask for payment or personal information, or conduct interviews via messaging apps. All official communication will come from a @findheadway.com email address. If you are contacted by someone claiming to be from Headway via an unofficial channel, please do not share any information and report it as spam.

HQ: Headway New York, NY Office, New York, NY, United States


