
Head of Compliance

Posted 9 hours 53 minutes ago by Fresha

Permanent
Full Time
Other
London, United Kingdom
Job Description

The AI-powered OS for beauty, wellness and self-care

About the role

Reports to: VP of Security, IT and Compliance

We're looking for someone to own compliance end to end at Fresha. We're already HIPAA and ISO27001 certified, we're heading into a PCI DSS audit shortly, and later this year we'll have GDPR and SOC 2 Type II coming up. The role is based in our dog friendly office in London: The Bower Old Street, London EC1V 9NR.

What you'll own

Audits and certifications
  • Run the PCI DSS audit to completion, then GDPR and SOC 2 Type II this year
  • Serve as the main point of contact for external auditors: scoping, evidence, walkthroughs, findings
  • Maintain HIPAA and ISO 27001 compliance between recertifications
Compliance operations
  • Quarterly access reviews across in scope systems
  • Manage Sprinto: ensure controls are covered, failures are triaged quickly, and evidence is current
  • Track vulnerability management closure against agreed SLAs and chase any drifts
  • Own the compliance risk register: keep it current, review it regularly, and ensure it informs decisions rather than sitting for auditors
Data protection
  • Handle Subject Access Requests and Data Access Requests end to end
  • Keep the GDPR ROPA accurate as systems, vendors, and data flows change
  • Enforce data retention in the systems, beyond paper policies
Vendor and third party risk
  • Review new vendors before onboarding: security posture, data handling, DPAs
  • Reassess critical and high risk vendors on a regular cycle
  • Maintain a tidy, audit ready vendor inventory, DPAs, and sub processor lists
Policy and awareness
  • Write new policies and update existing ones as the environment, regulations, and business change
  • Ensure policies are usable, understood, and followed (avoid shelfware)
  • Own the compliance and privacy training programme: annual training, role specific training for engineers handling PHI or cardholder data, and any framework required training
Automation and AI
  • Identify recurring tasks and eliminate unnecessary manual work: evidence collection, control testing, access review workflows, vendor questionnaire triage, SAR data discovery, policy drafting, ROPA upkeep
  • Push Sprinto and adjacent tooling to the limit, supplementing gaps with scripts, workflows, or AI where appropriate
  • Use LLMs sensibly for drafting, review, and first pass analysis, knowing when human sign off is required, especially for regulator or auditor submissions
  • Treat the function's operating model as a product: reduce manual rituals each quarter, not increase them
What we're looking for
  • Experience leading compliance through at least a couple of these frameworks (PCI DSS, SOC 2, ISO 27001, HIPAA, GDPR). PCI DSS and GDPR experience is especially valuable at this time
  • Direct experience with auditors and confidence in challenging scope or findings that are off
  • Hands on mindset: working in Sprinto, tickets, policy drafts, and vendor reviews rather than delegating all tasks
  • Fluency with AI tools and building automation, whether Sprinto workflows, scripting against APIs, or utilizing LLMs, while knowing when to engage an engineer for proper implementation
  • Ability to translate between engineers and auditors without friction
  • Optional bonus: GRC tooling beyond Sprinto, DPO or DPO adjacent work, payments regulatory exposure, or a proven track record of reducing manual compliance work through automation
How you'll work

You'll have one direct report from day one, with growth as workload justifies. You'll collaborate closely with Security, IT, Legal, Engineering, and People teams. Expect to spend significant time with auditors during audit windows and with engineering and vendor teams the rest of the year.

Inclusive workforce

At Fresha, we foster a culture where individuals from all backgrounds feel comfortable and empowered. Everyone who applies will receive fair consideration for employment.

We do not discriminate based on race, colour, religion, sex, sexual orientation, age, marital status, gender identity, national origin, disability, or any other legally protected characteristic in the location where the candidate is applying. If you have any accessibility requirements for the interview process or upon joining, please let us know so we can support you.
