Job Description

Security compliance doesn’t run itself — and at a company processing real-time pricing decisions for thousands of hotels worldwide, getting it right matters. As Security Engineer at Duetto, you’ll be the operational backbone of our security programme: keeping SOC 2 and ISO 27001 evidence current, running access reviews, managing vendor security assessments, supporting RFPs, and ensuring the governance infrastructure that underpins customer trust and audit readiness stays organised and on track. It’s a detail-oriented, cross-functional role that touches Engineering, IT, Legal, HR, and Sales — and it’s central to how Duetto earns and keeps the confidence of enterprise customers globally.

What Makes Us Different?

Duetto is the hospitality industry’s leading revenue management platform, founded in 2012 by former Wynn Resorts executives who knew the industry needed better technology. We built the world’s first Revenue & Profit Operating System — a suite of tools (GameChanger, ScoreBoard, BlockBuster, Advance and more) that goes beyond room pricing to give hotels, resorts and casinos a complete picture of their revenue and profitability. Trusted by clients ranging from independent boutique hotels to global chains, we’ve been named the #1 Revenue Management Software by HotelTechAwards four years running and the #1 Best Place to Work in Hotel Tech in 2025. Backed by GrowthCurve Capital since 2024, we’re accelerating our investment in AI — and we’re genuinely passionate about the industry we serve. We build products we’re proud of, for customers we care about.

What You’ll Be Doing

  • You’ll administer and maintain Vanta (or equivalent GRC platform), collecting and maintaining SOC 2 Type 2 evidence across IT, Engineering, HR, Legal, and Security — and supporting ISO 27001, ISO 42001, NIST CSF, and internal control mapping efforts.
  • You’ll coordinate access reviews across production systems, cloud platforms, SaaS tools, privileged accounts, and business-critical systems — tracking onboarding and offboarding evidence, policy acknowledgements, training completion, device compliance, and access removal.
  • You’ll maintain the governance policy inventory, review cycles, approvals, exceptions, and evidence — and keep the risk register, risk treatment tracker, remediation due dates, and exception evidence current under Director oversight.
  • You’ll support vendor and third-party security reviews including annual assessments, questionnaires, risk ratings, and DPA tracking — and track penetration test findings, vulnerability remediation plans, and closure evidence.
  • You’ll draft and maintain approved responses for RFPs, sales questionnaires, and customer trust materials, maintain the Live Trust page in coordination with Security, Legal, and Sales, and support incident response documentation including timelines, RCA records, and post-incident action items.
  • You’ll coordinate phishing simulations, security awareness training, completion tracking, and reporting — and assist with ad hoc security requests, customer audits, internal evidence requests, and compliance reporting as needed.

What We’re Looking For

You may be a good fit if you have:

  • 2–4+ years of experience in security GRC, IT audit, compliance, security operations, risk management, or technical programme coordination
  • Familiarity with SOC 2, ISO 27001, NIST CSF, access reviews, vendor security, and audit evidence collection
  • Experience using Vanta or a comparable GRC/compliance platform
  • Strong documentation, follow-up, and project tracking skills — you’re the person things don’t fall through the cracks for
  • The ability to work with technical teams and understand security evidence in context
  • Strong written communication skills for RFPs, questionnaires, policies, and audit responses

Strong candidates may also have:

  • Experience in SaaS environments
  • Familiarity with AWS evidence, MDM, endpoint security, vulnerability management, and incident response documentation
  • Experience supporting customer security reviews or sales security questionnaires
  • A basic understanding of GDPR, DPA, DTIA, DPF, and subprocessor management

Why Duetto?

  • Compliance work with real commercial stakes. The security programme you support directly enables enterprise deals and customer trust at global hotel brands and casino groups — your work is visible and consequential.
  • Cross-functional exposure from day one. You’ll work across Engineering, IT, Legal, HR, and Sales — a breadth of context that accelerates career development in ways a siloed GRC role rarely does.
  • AI is how we work. Duetto is an AI-first organisation — even in compliance and governance roles, we’re investing in tools and workflows that help the team work smarter, including AI governance alignment under ISO 42001.
  • A growing security programme with real scope. This is a new role, which means you’ll have the opportunity to shape how processes are built, not just maintain what already exists.

The Details

  • Location: Remote (Croatia)
  • Department: Engineering / Security

Duetto is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. All qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, or any other characteristic protected by applicable law.

Sound like you?

You don’t need every item on this list. If you’re detail-oriented, security-minded, comfortable working across functions, and energised by keeping a compliance programme running well — we’d love to hear from you.

#LI-REMOTE
