The Security Assurance & Compliance Specialist is responsible for protecting the confidentiality, integrity, and availability of Mercans’ global payroll SaaS platform and internal infrastructure.
This role focuses on governance, risk, and compliance (GRC), ensuring that Mercans meets rigorous international data protection standards (GDPR, LGPD, etc.) and maintains key certifications (ISO 27001, SOC 1/SOC 2).
The specialist will act as a guardian of sensitive payroll and financial data (PII), managing client trust through audit support, internal control monitoring, and risk governance.
Duties and responsibilities:
Global Compliance & Certifications (SaaS Focus)
Manage and maintain the company’s adherence to international security frameworks, specifically ISO 27001, ISO 27701, and SOC 1 / SOC 2 Type II attestations.
Regulatory Monitoring: Continuously track changes in global data privacy laws and payroll-specific regulations to assess their impact on Mercans’ SaaS operations.
Audit Management: Coordinate the full lifecycle of external audits, acting as the primary liaison between external auditors and internal technical teams.
Conduct internal audits and gap analyses to ensure that cloud infrastructure and operational processes align with control objectives.
Governance, Risk, and Policy Management
ISMS Management: Maintain and evolve the Information Security Management System (ISMS), ensuring policies and procedures remain aligned with business growth.
Risk Assessments: Facilitate annual company-wide risk assessments and Data Protection Impact Assessments (DPIAs) for new SaaS features or vendors.
AI & Automation Integration: Identify, evaluate, and implement AI-based automated tools to streamline compliance workflows, policy analysis, and repetitive security tasks.
Policy Lifecycle: Manage the review, update, and approval process for all information security policies.
Reporting: Define and track key security performance indicators (KPIs) and risk indicators (KRIs) to report the state of compliance to senior leadership.
Client Trust & Vendor Risk Management
Client Assurance: Lead the technical response to client security questionnaires (SIG, CAIQ) and RFPs, leveraging AI tools to automate answer retrieval where possible.
Contract Review: Collaborate with the Legal team to review security addendums and Data Processing Agreements (DPAs) in client contracts.
Vendor Risk: Evaluate and monitor third-party vendors and sub-processors to ensure the security of the broader SaaS supply chain.
Maintain the “Security Trust Center” documentation, keeping whitepapers and compliance certificates up to date.
Threat Monitoring & Penetration Testing
Penetration Testing Coordination: Plan and oversee the annual schedule of external penetration tests (black box/gray box) for the SaaS platform and mobile applications. Engage and manage third-party ethical hacking firms.
Vulnerability Management: Manage the internal vulnerability scanning program. Analyze reports, prioritize findings based on risk (CVSS), and enforce remediation SLAs with the DevOps/Engineering teams.
Threat Surveillance: Monitor security information and event management (SIEM) tools for anomalies related to unauthorized data access or geographic login irregularities.
AI-Enhanced Detection: Utilize AI-driven analytics to detect behavioral anomalies and reduce false positives in alert monitoring.
Dynamic/Static Analysis: Coordinate DAST and SAST tool integration within the CI/CD pipeline to ensure code is tested before deployment.
Incident Response & Resilience
Lead incident response efforts for data breaches, specifically handling breach notification timelines required by global regulators and client contracts.
Post-Incident Review: Conduct “Lessons Learned” sessions following incidents to identify root causes.
BCDR Planning: Oversee the maintenance of Business Continuity and Disaster Recovery plans.
Testing & Validation: Coordinate and document the execution of annual Disaster Recovery tests and Tabletop Exercises (TTX).
Employee Awareness & Human Risk Management
Conduct specialized training for staff on handling PII and financial data securely.
Execute phishing simulations to test resilience against social engineering attacks (BEC/CEO fraud).
Promote a “Security First” culture through internal newsletters and alerts.
Education and experience:
3+ years of experience in Information Security, GRC, or IT Audit, preferably within a SaaS, Fintech, or Payroll provider.
Deep understanding of PII protection and data classification standards.
Proven experience managing or supporting SOC 2 or ISO 27001 audits.
Experience with AI-driven security tools or GRC automation platforms.
Experience responding to enterprise security questionnaires (e.g., SIG, CAIQ).
Familiarity with global privacy laws (GDPR) and their impact on system architecture.
Experience with Business Continuity Planning (BCP) and Disaster Recovery (DR) frameworks.
Good verbal and written communication skills in English.
Nice to have:
Relevant cybersecurity certifications (e.g., CISSP, CISM, CEH, OSCP, or equivalent).
Familiarity with cloud security practices and infrastructure security (AWS, Azure, or GCP).
Knowledge of scripting or programming languages for security automation (Python, PowerShell, Bash).