ABOUT ASTRA

Astra is building mission-critical infrastructure for moving money at scale. Our platform processes billions in annual transaction volume with 99.9%+ uptime, powering real-time transfers, bank debits, card disbursements, and complex financial compliance systems. We provide APIs and automation tools that enable businesses to move money programmatically while maintaining strict regulatory requirements.

THE ROLE:

As Astra’s first dedicated GRC Program Manager, you will be at the center of how we build trust, scale responsibly, and operate with regulatory excellence. This is more than a traditional compliance role – it’s an opportunity to design the governance, risk, and compliance foundation that enables Astra to grow quickly while meeting the expectations of banks, enterprise customers, auditors, and regulators.

You’ll own the full spectrum of Astra's audit execution: driving SOC 1, SOC 2, PCI DSS, and ISO 27001 programs end-to-end, translating regulatory requirements into practical technical controls, building high-quality documentation and evidence, and helping teams embed security and compliance into everyday operations. You’ll partner closely with engineering and infrastructure teams to ensure controls are real, automated where possible, and aligned with how the platform actually runs.

Because this is an early hire on the compliance team, you’ll have direct input into how Astra structures its audit programs, risk management processes, vendor due diligence workflows, and compliance tooling. You’ll collaborate with leaders across engineering, product, operations, and leadership to build scalable systems that reduce friction while increasing assurance and visibility.

This role is perfect for someone who enjoys rolling up their sleeves to execute today while also designing durable systems for tomorrow – someone who sees compliance not as a checkbox exercise, but as a strategic advantage for building trusted financial infrastructure.

WHAT YOU’LL DO:

• Audit Execution & Readiness: Own day-to-day execution of SOC 1, SOC 2, PCI DSS, and ISO 27001 readiness and audit cycles – including scoping, control testing, evidence collection, auditor coordination, and remediation tracking.

• Control Design & Documentation: Develop and maintain policies, procedures, risk assessments, control narratives, and supporting documentation that meet auditor expectations and scale with the business.

• Cross-Framework Mapping: Map controls across SOC, ISO, PCI, and NIST frameworks to identify overlap, gaps, automation opportunities, and control maturity improvements.

• Risk Management: Facilitate risk assessments for systems, vendors, products, and business initiatives. Maintain risk registers, mitigation plans, and executive reporting on residual risk.

• Engineering Partnership: Partner with engineering and infrastructure teams to translate security requirements into practical technical controls across cloud infrastructure, SDLC, access management, logging, monitoring, and incident response.

• Vendor Risk Management: Manage vendor security reviews, questionnaires, evidence validation, risk scoring, and ongoing monitoring for critical third parties and partners.

• Customer Trust & Due Diligence: Support customer security reviews, security questionnaires, and trust documentation that enable enterprise sales and bank partnerships.

• Continuous Compliance: Help build scalable compliance workflows, tooling, and automation to reduce manual effort and improve evidence quality as Astra grows.

• Metrics & Reporting: Maintain dashboards and reporting on audit status, control health, remediation progress, and risk posture for leadership.

WHAT WE’RE LOOKING FOR:

Required Experience:

• 3–6+ years of experience in governance, risk, compliance, audit, or information security rolls.

• Hands-on experience supporting or leading SOC 1 and/or SOC 2 audits; experience with PCI DSS and ISO 27001 is strongly preferred.

• Strong working knowledge of compliance frameworks (SOC, ISO 27001, NIST CSF, PCI DSS) and how controls operate in practice.

• Experience working cross-functionally with engineering, product, and operations teams in a technical environment.

• Proven ability to build and maintain high-quality documentation, evidence, and audit artifacts.

• Comfort operating in fast-moving environments where priorities evolve and ambiguity is common.

• Ambition to structure and systems 0 to 1, and comfort in creating frameworks, templates, and playbooks that scale.

• Experience collaborating with Product, Sales, and Engineering teams to align on priorities and drive outcomes.

Education:

• Bachelor’s degree in Information Systems, Computer Science, Business, Risk Management, or related field (or equivalent practical experience).

Preferred Experience:

• Fintech / Payments: Experience operating in regulated environments involving payments, banking partners, PCI, or financial audits.

• ISO 27001: Experience supporting certification or operating within an ISO-aligned ISMS.

• Automation & Tooling: Experience implementing compliance tooling, evidence automation, or GRC platforms.

• Vendor Risk Programs: Hands-on ownership of third-party risk management workflows.

• Startup Environment: Experience building or scaling compliance programs in high-growth companies.

KEY SKILLS:

• Audit Operations: Scoping, walkthroughs, evidence management, remediation tracking, auditor coordination.

• Control Design: Ability to translate regulatory requirements into clear, testable, and scalable controls.

• Risk Assessment: Experience performing system, vendor, and operational risk assessments with structured methodologies.

• Technical Fluency: Working understanding of cloud infrastructure, identity and access management, logging, monitoring, SDLC, and security tooling.

• Documentation & Writing: Strong ability to produce clear policies, procedures, narratives, and evidence artifacts.

• Project Management: Ability to manage multiple parallel audits, initiatives, and stakeholders while maintaining quality and deadlines.

• Communication: Ability to explain complex compliance concepts clearly to engineers, auditors, leadership, and external partners.

• Operational Rigor: Highly organized with strong attention to detail and follow-through.

WHY THIS ROLE MATTERS:

Trust is foundational to everything Astra builds. Our customers, bank partners, and regulators depend on the strength of our control environment, operational discipline, and risk management practices.

As a GRC Program Manager, your work will directly:

• Enable Astra to scale responsibly while maintaining strong audit outcomes and regulatory credibility.

• Reduce friction for engineering and product teams by building clear, pragmatic compliance processes.

• Support enterprise sales and partnerships by strengthening customer trust and security posture.

• Improve operational maturity through automation, documentation quality, and continuous improvement.

This role is not just about passing audits – it’s about building durable infrastructure that allows Astra to grow faster and more confidently.

WHAT WE OFFER:

• Competitive compensation with equity in a growing fintech company.

• Remote-first culture with flexible working arrangements

• Small team, big impact — your work directly supports Astra’s ability to scale responsibly

• Professional growth opportunities in compliance and risk management

• Mission-driven — build infrastructure that powers financial innovation while meeting the highest regulatory standards

REMOTE WORK AND CULTURE:

Astra is a remote-first company hiring only within the U.S. We value thoughtful collaboration, clarity, and initiative. We’re proud to be an equal opportunity employer and are committed to building a diverse and inclusive team.

HOW TO APPLY:

If you thrive on building structure, improving systems, and enabling teams to move fast while managing risk, we’d love to hear from you.

Please submit:

• Resume highlighting relevant audit, compliance, and risk program management experience.

• Brief cover letter (300 words max) answering:
  “Describe a compliance, audit, or risk initiative you owned end-to-end. What problem were you solving, and what impact did it have?”

• Optional: Sample documentation (control narrative, audit artifact, or process design) demonstrating clarity and rigor.