Senior Risk & Compliance Engineer

at Instacart
  • $108k-$120k
  • Remote - Canada

Remote

Cybersecurity

Senior

Job description

We’re transforming the grocery industry

At Instacart, we invite the world to share love through food because we believe everyone should have access to the food they love and more time to enjoy it together. Where others see a simple need for grocery delivery, we see exciting complexity and endless opportunity to serve the varied needs of our community. We work to deliver an essential service that customers rely on to get their groceries and household goods, while also offering safe and flexible earnings opportunities to Instacart Personal Shoppers.

Instacart has become a lifeline for millions of people, and we’re building the team to help push our shopping cart forward. If you’re ready to do the best work of your life, come join our table.

Instacart is a Flex First team

There’s no one-size-fits-all approach to how we do our best work. Our employees have the flexibility to choose where they do their best work—whether it’s from home, an office, or your favorite coffee shop—while staying connected and building community through regular in-person events. Learn more about our flexible approach to where we work.

Overview

About the Role

Join Instacart’s Governance, Risk, and Compliance (GRC) team as a Risk & Compliance Engineer specializing in Third Party Risk Management. In this critical role, you will be at the forefront of safeguarding Instacart’s security and privacy posture by managing risks associated with our extensive network of third-party vendors, suppliers, and service providers. You will oversee the entire vendor lifecycle, conducting robust due diligence during onboarding, performing comprehensive recurring reviews, and managing offboarding procedures to assess and quantify third-party information security and privacy risks. Your responsibilities will include identifying and mitigating emerging security risks introduced by technologies such as Artificial Intelligence (AI), Large Language Models (LLMs), data lakes, and data warehouses. Collaborating across teams, you’ll influence decision-makers to mitigate risks while enabling secure business growth. This is an exciting opportunity to drive innovation through advanced risk quantification using models like FAIR-TAM, cutting-edge tooling, and strategic partnerships within Instacart’s diverse, global vendor ecosystem.

Your work will directly inform Instacart’s broader security strategies by ensuring vendors align their controls with Instacart’s expectations and stringent regulatory compliance requirements, including GDPR, CCPA, ISO 27001, NIST, and SOC 2.

About the Team

The GRC team plays a pivotal role in monitoring, measuring, and informing Instacart’s risk posture. Our team partners with IT, Legal, Security Engineering, and system leaders across various departments to proactively identify and reduce risks. A key priority this year is enabling our business leaders through education and tools to identify and mitigate third-party risks more effectively. We’re a collaborative and forward-thinking group aiming to mature Instacart’s approach to third-party risk management with cutting-edge quantification techniques, automation, and best-in-class tools, fostering active collaboration and data sharing with our third parties.

About the Job

You’ll play a leading role in building and operating Instacart’s GRC strategies and practices by:

  • Reviewing third-party vendors during onboarding due diligence and recurring evaluation processes, meticulously focusing on identifying and mitigating cybersecurity, data privacy, and compliance risks.
  • Operating and improving Instacart’s third-party risk management systems, including leveraging tools like Zip for workflows and Safe Security for risk quantification.
  • Partnering with Legal, Security Engineering, and system owners to embed comprehensive security and privacy requirements directly into third-party contracts and agreements, ensuring alignment with Instacart policies and compliance frameworks (e.g., GDPR, CCPA, SOC 2, NIST).
  • Liaising with high-tier vendors to understand their security posture, advocate for aligned improvements, and provide advisory on identified risks.
  • Developing and maintaining processes that enhance the efficiency and scalability of third-party evaluations, continuous monitoring, and offboarding procedures.
  • Identifying and quantifying risks, proposing effective mitigation measures, and influencing internal stakeholders to implement necessary security controls to improve the third-party risk posture.
  • Leading vendor risk documentation, including maintaining a comprehensive third-party risk register, developing risk quantification reports using models like FAIR-TAM, and presenting findings, trends, and action plans for senior leadership.
  • Working with internal security teams to investigate and respond to third-party-related security incidents, defining escalation procedures and remediation requirements.

About You

We’re looking for a technically skilled, collaborative, and innovative professional with a passion for reducing third-party risks and enabling scalable solutions.

Minimum Qualifications

  • 7+ years of progressive experience in third-party security risk management, vendor audits, or compliance roles, preferably within a technology company.
  • Hands-on experience with third-party risk management (TPRM) and Governance, Risk, and Compliance (GRC) tools (e.g., OneTrust, Archer, Prevalent, Process Unity, Venminder, BitSight, SecurityScorecard, Zip, Safe Security).
  • Expertise in leading compliance standards and industry frameworks (e.g., GDPR, CCPA, SOC2, NIST, ISO 27001).
  • Familiarity with common security concepts, including identity and access controls, firewalls, APIs, vulnerabilities (CVE), and software supply chain risks.
  • Proven ability to review and analyze a variety of vendor security documentation, including audit reports, vulnerability scans, and penetration test results.
  • Previous experience with consumer data protection and privacy risk management, including performing privacy risk assessments and suggesting mitigation plans.
  • Strong communication and stakeholder engagement skills, with a proven ability to influence decision-makers and articulate complex technical risks and control concepts to non-technical stakeholders, including senior executives and audit committees.

Preferred Qualifications

  • Professional certifications such as CISSP, CRISC, CISM, CISA, CIPP/US, CIPP/E, CIPM, CIPT, or ISO 27001 Lead Auditor/Implementer.
  • Hands-on experience negotiating vendor contracts with comprehensive security and privacy clauses.
  • Familiarity with and/or hands-on experience applying risk quantification frameworks (e.g., FAIR-TAM) and cybersecurity metrics reporting to assess financial impact.
  • Experience working on innovative risk management programs leveraging automation, AI, and continuous monitoring techniques.
  • Familiarity with AI concepts, tools, policies, and best practices, particularly concerning LLM security risks like prompt injection, training data poisoning, and insecure output handling.
  • Understanding of security and privacy challenges related to data lakes and data warehouses, including large data volumes, unstructured data, complex access controls, and regulatory compliance.

Instacart provides highly market-competitive compensation and benefits in each location where our employees work. This role is remote and the base pay range for a successful candidate is dependent on their permanent work location. Please review our Flex First remote work policy here. Currently, we are only hiring in the following provinces: Ontario, Alberta, British Columbia, and Nova Scotia.

Offers may vary based on many factors, such as candidate experience and skills required for the role. Additionally, this role is eligible for a new hire equity grant as well as annual refresh grants. Please read more about our benefits offerings here.

For Canadian based candidates, the base pay ranges for a successful candidate are listed below.

CAN

$151,000—$168,000 CAD
