Compliance Analyst Ii

Overview: We believe that every experience is a memory that can last a lifetime. Experiences shape the way people feel about a company. And they greatly influence how likely people are to advocate, contribute, and stay. At Medallia, we are committed to creating a world where organizations are loved by their customers and their employees. We empower exceptional people to create extraordinary experiences together. Bring your whole self. **The Role and Team** As a Compliance Analyst (Level 2), you will be a key driver in the operational success of our Information Security and Compliance program. You will transition from supporting roles to owning the execution of evidence collection, control testing, and GRC automation. This role is designed for a technically-minded compliance professional who wants to move away from manual spreadsheets and toward a high-velocity, automated SaaS compliance environment. This is an excellent opportunity for an ambitious individual looking to build a career in GRC (Governance, Risk, and Compliance) within a fast-paced, high-growth technology environment. **Responsibilities**: **Key Responsibilities** - Execution of Controls: Own the end-to-end evidence collection process for audits and certifications (like SOC 2 Type, PCI and ISO). You will ensure that all control evidence is accurate, complete, and uploaded to a GRC tool ahead of audit deadlines. - Compliance Automation & Integration: Actively work with Engineering and IT to transition manual evidence requests into automated workflows. You will help configure and monitor automated evidence pulls from AWS/Azure, Okta, GitHub, Jira, etc. - Continuous Control Monitoring (CCM): Perform periodic testing of control effectiveness. You will identify "broken" controls early and work with task owners to remediate them before they become audit findings. - Unified Controls Implementation: Maintain the mapping within our Common Controls Framework. You will ensure that evidence collected once is correctly applied across our entire certification portfolio (ISO, SOC 2, HIPAA, etc.). - Audit Liaison: Act as a primary point of contact for external auditors during fieldwork. You will be responsible for explaining technical evidence, managing "follow-up" requests, and ensuring a smooth audit experience. - Remediation Management: Take ownership of the remediation tracker. You will not just track gaps but will partner with technical teams to understand why a control failed and suggest process improvements to prevent recurrence. - Documentation Management: Maintain our internal "Compliance Knowledge Base." You will translate complex security policies into "how-to" guides for employees to ensure they understand their compliance obligations. **Teamwork and Professional Development** Success in this role requires a collaborative mindset and a dedication to continuous improvement: - Collaborative Environment: Actively participate as a key member of the Compliance team, contributing to team goals and supporting colleagues with evidence collection and documentation needs. - Acceptance of Review: Must be open and responsive to peer review and direct feedback on work quality, documentation, and performance from senior team members and managers. - Accountability: Take full ownership and accountability for tasks and mistakes, documenting lessons learned and implementing corrective actions to prevent recurrence. - A curious and adaptable mindset: The ability to navigate evolving workflows with a critical eye, feeling comfortable questioning established methods and suggesting ways to make our daily operations more efficient **Certifications and Standards Supported** You will be involved in supporting the compliance efforts for the following critical standards: - ISO Standards: ISO 27001 (Information Security Management), ISO 27017 (Cloud Security), ISO 27018 (PII Protection in the Cloud), and ISO 27701 (Privacy Information Management). - PCI: PCI DSS - US Compliance: HITRUST, SOC 2 Type II, HIPAA (Health Information Portability and Accountability Act). - Global Privacy: GDPR (General Data Protection Regulation), CBPR/PRP (Cross-Border Privacy Rules/Privacy Recognition Program), PIPEDA (Personal Information Protection and Electronic Documents Act - Canada). - UK/Financial: FSQS (Financial Services Qualification System), Cyber Essentials Plus. Qualifications: **Minimum Qualifications** - Experience: At least 2 years of experience in IT, GRC, IT Audit, or Information Security within a SaaS or technology-focused company. - Audit Exposure: At least one cycle of experience participating in an external audit. - Automation Mindset: Proven ability to use GRC tools or API-based integrations to streamline manual tasks. - Technical Literacy: Basic understanding of cloud infrastructure (AWS/Azure) and knowledge on SaaS companies software development life cycle (GitHub, Jira, etc). - Documentation: Proven ability to document technical procedures, integrations and o