Location: Remote Europe
Operate UserGems' security and compliance program day-to-day, partnered with the Sr. Director on direction and strategy.
UserGems is an AI platform helping sales and marketing teams double pipeline impact. Our AI agent Gem-E turns signals from CRMs, buying intent, and public data into precise outreach - generating $4B in pipeline and $950M in revenue for customers like CrowdStrike, UserTesting, and SAP LeanIX (15X+ ROI).
UserGems is a ~70-person company with around 25 engineers across Europe and 45 team members in sales and marketing based in the U.S. Several of our customers are top-tier security companies themselves (e.g. CrowdStrike), so our own security posture directly influences how fast revenue can move.
You will be UserGems' single dedicated security person, taking over the operational majority of the security work the Sr. Director currently owns. This is a compliance-led role with hands-on operational components - heavy on SOC 2 / ISO ownership, customer security reviews, day-to-day program operations, and Drata-driven remediation in AWS. Compliance is the primary focus and over time you'll own the full technical scope described below as well. The Sr. Director approves direction; you propose, shape, and execute the program. Cadence is a bi-weekly 1:1 with the Sr. Director plus a weekly work discussion, same as every UserGems employee.
UserGems' security program is in great shape - no fires to put out. SOC 2 Type II has been in place for years, all compliance monitoring is centralized in Drata, scanner findings auto-flow into Linear and are auto-triaged by an in-house automation, and CrowdStrike Complete (managed MDR) handles runtime protection. There's no on-call rotation at UserGems - incident response is a whole-team effort, and the Sr. Director continues to cover during your time off.
The Sr. Director currently runs the whole program in roughly 25% of one person's time, so a dedicated owner has real headroom. Expect your time to split roughly 2-3 days per week on baseline operations and the remainder on new initiatives. The biggest near-term programs are ISO 27001 and likely ISO 42001 (AI management) - both held back today because no one has the dedicated capacity to drive them. That's the gap you fill.
Lean strongly into compliance/GRC operations - with enough hands-on AWS comfort to action Drata-flagged remediations independently.
Want to own operations end-to-end and influence direction - you propose, the Sr. Director approves, you ship.
Like a startup environment where priorities are clear, ownership is real, and you ship and move on.
Own SOC 2 - keep Drata green and audits clean.
Lead ISO 27001 implementation, then ISO 42001.
Run the customer security questionnaire process (SafeBase + Trust Center) - fast turnaround directly unblocks revenue.
Drata-driven AWS remediation. Action simple Drata findings directly in AWS yourself - IAM tweaks, S3 settings, secrets hygiene, audit-trail follow-ups. Larger or higher-risk changes go to engineering.
Vulnerability management. Oversee and extend the existing scanner-findings automation in Linear; hit SLAs.
Light secure code review. Spot-check high-risk features and new repositories (especially AI/LLM systems) before they go to production; escalate deeper AppSec questions to engineering and external pen testers.
Threat detection & response. Tune GuardDuty findings, evaluate central logging / SIEM options, run tabletop exercises, mature the IRP from written to rehearsed.
Offensive security. Run the annual external pen test, perform regular internal pen tests yourself, handle external researcher reports and bug bounty payouts.
Onboarding & offboarding. Own access provisioning and revocation.
Be the security person at UserGems. Internally and externally, you are the face of security - questions, escalations, customer security reviews, and audit conversations come to you.
UserGems is an AI company, and AI risk shows up in nearly every customer security review. A meaningful portion of this role is shaping how a modern, AI-native company secures both its product and its own internal AI usage - not just answering questionnaires about it.
We're already EU AI Act compliant - so you're extending a working baseline, not starting from zero.
You'll own:
ISO 42001 readiness from scratch.
Model & data governance for Gem-E and our self-hosted LLMs on Azure: data residency posture, prompt-injection threat modeling, access controls on training/inference data.
Internal AI tooling built by non-engineering teams. Sales, marketing, and ops are building their own AI-powered internal tools. You'll shape how this scales safely - guardrails, access boundaries, monitoring, and review.
AI in our own security stack - exte