Senior Compliance Officer; US EST​/EMEA - Remote

Position: Senior Compliance Officer (US EST/EMEA - Remote)
tldr;
We build software for short-term rentals to rent themselves, with a state-of-the-art product and user experience.

We have crafted an Applicant Handbook, which we highly recommend you check out, where you can find out more about the company, culture, how we recruit, what we do, and how we do it:

Hospitable is a remote-only, global, and trust-based company. We believe exceptional work comes from exceptional people - no matter their background, geography, or path. Our team spans continents, cultures, and experiences, and that diversity is one of our biggest advantages. We move fast, think boldly, and build with intention.

Our product is loved. Our customers are vocal. Our roadmap moves fast.

Feel free to join one of our upcoming public, bi-weekly Town Halls on You Tube to get a glimpse of it for yourself:

About the role

Hospitable processes over $6 billion in annual reservation value for more than 20,000 customers. As we scale, so does the trust our customers, partners, and future acquirers place in us. Compliance isn't a checkbox exercise here - it's a core part of how we protect that trust and accelerate the business.

We're hiring our first dedicated Senior Compliance Officer to own and mature our compliance program. You'll be building on a solid foundation - we already hold SOC 2 Type II and use Vanta as our GRC platform - but there's a big roadmap ahead. PCI DSS (Service Provider Level
1), GDPR formalisation, and potentially ISO 27001 are all on the horizon. This role is about designing the program, driving it forward, and making compliance a competitive advantage rather than a burden.

You'll work cross-functionally with engineering, product, infrastructure, and customer-facing teams. This is a high-agency role where you'll need to be comfortable operating independently, making judgment calls, and getting your hands dirty with evidence collection and control management on a daily basis.
What you will be working on

• Own and operate our SOC 2 Type II compliance program end-to-end - managing the annual audit cycle, maintaining controls in Vanta, coordinating evidence gathering across teams, and remediating gaps before they become findings.
• Design and lead the rollout of PCI DSS Service Provider Level 1 compliance, working with a QSA and internal engineering teams to scope the assessment, implement required controls, and prepare for audit.
• Build out our GDPR compliance posture - formalising data processing records, ensuring DSAR processes are robust, and working across departments to close gaps in our data protection practices.
• Manage our GRC tooling (Vanta) day-to-day - configuring tests, maintaining integrations, triaging failing checks, and keeping evidence fresh and audit-ready.
• Respond to customer and partner security questionnaires, due diligence requests, and trust-related inquiries. You'll be the face of Hospitable's security posture externally.
• Work with Sam whose favourite fruit is Mango.
• Partner with engineering and infrastructure to translate compliance requirements into actionable technical work - writing clear tickets, not vague mandates.
• Identify where compliance automation can reduce manual effort and implement it. We're a tech company; we should act like one when it comes to compliance too.
• Evaluate and recommend additional frameworks or certifications that strengthen our market position as we scale.

Requirements

Hospitable is a remote-only and distributed company. For this position, your location is not a requirement. The ideal fit would work under US Eastern or EMEA timezones.

Don't tick all the boxes? Talk to us about why you're still an amazing fit. In the meantime, here's what we're paying attention to:

• Significant hands-on experience running compliance programs in a SaaS or technology company - you've been through multiple audit cycles and know what great looks like.
• Deep working knowledge of SOC 2 and PCI DSS frameworks. You understand controls at a practical level, not just a theoretical one.
• Experience with GRC platforms, ideally Vanta. You should be comfortable configuring tests, managing integrations, and using the platform as a source of truth rather than a reporting afterthought.
• Familiarity with GDPR and data protection requirements. Formal DPO experience is a plus but not required.
• The ability to work cross-functionally with engineering teams - you can read an architecture diagram, understand what a Kubernetes cluster is, and translate compliance requirements into language engineers actually want to act on.
• Avid user of AI to improve and automate your workflows, knowing when to reach for it and when to step in - we don't want to be the next Delve-like.
• Strong written communication. We're remote-first and async-heavy. Most of your influence will come through clear documentation, well-written tickets, and persuasive Slack messages rather than meetings.
• Self-motivated and able to operate with high autonomy. You won't have a compliance team around you (yet). You need to be comfortable owning the…