Compliance & Information Security Analyst

Compliance & Information Security Analyst Join beqom - where tech meets impact beqom is a high-growth B2B SaaS company that provides industry-leading tools for pay equity and transparency, compensation, and performance management. Trusted by some of the world’s most respected companies, beqom enables HR and business leaders to navigate global compliance and make smarter pay decisions that attract, retain, and motivate top talent. Founded in Switzerland and serving clients worldwide, our powerful, enterprise-ready products are fueled by beqom pay intelligence. Role Overview We are seeking an experienced Compliance & Information Security Analyst to own and manage our compliance and third-party risk management (TPRM) function. This is a hands-on role that sits at the intersection of information security, legal/contractual review, and vendor risk management. The successful candidate will be the primary point of contact for inbound client governance, risk & compliance (GRC) requests, will manage our own vendor and sub-contractor due diligence programme, and will review information security obligations embedded in client and prospect contracts. This role is critical in maintaining client trust, supporting sales cycles, and ensuring the company meets its obligations as a responsible data processor and technology provider. What you'll be doing Client GRC Questionnaires & Third-Party Risk Management (TPRM) Receive, triage, and complete inbound GRC / security questionnaires submitted by existing and prospective clients as part of their vendor assessment and TPRM processes. Develop and maintain a master response library to accelerate questionnaire completion, covering areas such as data security, access controls, business continuity, incident response, and privacy. Coordinate with internal stakeholders (Engineering, Product, Operations, Legal) to gather accurate, up-to-date technical evidence and supporting documentation. Track questionnaire status, deadlines, and outcomes; maintain a central log and escalate blockers in a timely manner. Build relationships with client procurement, risk, and security contacts to manage ongoing TPRM obligations efficiently. Evidence-Based GRC Questionnaires Manage questionnaires that require formal documentary evidence — such as policies, audit reports (e.g. SOC 2, ISO 27001), penetration test summaries, data processing agreements, and certifications. Maintain a structured evidence repository, ensuring documents are current, version-controlled, and accessible for rapid submission. Identify gaps between client evidence requirements and the company's current documentation; work with the Head of Information Security and Compliance or relevant leads to close those gaps. Information Security Review of MSAs & Client Contracts Review information security, data protection, and compliance clauses within Master Service Agreements (MSAs) and other commercial contracts from clients and prospects. Identify obligations and requirements (e.g. audit rights, subprocessor notifications, breach notification timescales, data residency, encryption standards) and assess the company's ability to comply. Liaise with Legal counsel and the Head of Information Security and Compliance to flag materially onerous or non-standard terms; assist in drafting redlines and proposed alternative language where appropriate. Maintain a tracker of contractual information security obligations to ensure ongoing compliance post-signature. Vendor & Sub-Contractor TPRM Design and operate a structured TPRM programme for the company's own vendors and sub-contractors who process client data or have access to company systems. Conduct initial and periodic risk assessments of vendors, including completion of security questionnaires, review of their compliance certifications, and assessment of contractual controls. Categorise vendors by risk tier and ensure appropriate due diligence is applied proportionate to the nature and sensi ... (truncated, view full listing at source)