Senior Governance, Risk, Compliance GRC Analyst

1 in 4 people in the US have a treatable mental health condition, but most providers don't accept insurance, making therapy too expensive for most people. Headway’s mission is to fix this by building a new mental healthcare system everyone can access. We started by solving the biggest barrier to care: insurance. The admin work - credentialing, claims, payment reconciliation - is a nightmare. We've automated that.

But we're going further. Over 75,000 providers across all 50 states run their practice on our software, serving over 1 million patients. We are building the best tools for therapists to run their entire practice, reimagining the experience of finding a therapist, and investing in the platform foundations to enable this at scale. We aren't just a billing layer; we are becoming the platform where care actually happens.

We're a Series D company with $325M+ in funding (a16z, Accel, Spark Capital, etc.), looking for exceptional people to help us achieve this mission. We want your time here to be the most meaningful experience of your career. Join us, and help change mental healthcare for the better.

About the Role

Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program!

You'll join the Security team and work across four pillars: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. You won't be maintaining a stale compliance program — you'll be building a modern, AI-enabled one at a company that's transforming how mental healthcare is delivered in the United States.

This role reports to Blake Atkinson, Director of Security, and partners closely with Privacy and Engineering teams.

What You'll Own

• Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines.
• Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals.
• Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking.
• Operate the centralized risk register — identifying, assessing, and tracking technical security risks through mitigation, and surfacing risk-informed priorities to engineering and security leadership.
• Partner cross-functionally with Privacy, Legal, IT, and Engineering to embed compliance into how Headway operates — not bolt it on after the fact.

You'd be a great fit if…

• You have 5+ years of experience in a GRC, compliance, or security risk role.