Cybersecurity Manager - GRC

Playlist | Engineering | Salaried | United States

About the Company:

At Playlist, life's richest moments happen when people step away from screens to move, connect, explore, and play. We're building the definitive platform for intentional living, connecting people with inspiring experiences in fitness, wellness, and beyond. With popular brands like Mindbody and ClassPass, Playlist empowers businesses and individuals, making it effortless for aspirations to become actions. Join us in reshaping technology's role to foster meaningful, real-world connections.

Who we are:

Playlist’s GRC team owns governance, risk, third-party risk, and compliance across a complex, multi-brand environment including Mindbody, ClassPass, Booker, Kite and EGYM and the businesses we continue to acquire and integrate. We sit at the intersection of Security, Legal, Engineering, and Finance, and we operate as builders: standing up programs, harmonizing controls across entities, and turning audit-readiness into something the business can scale with rather than scramble through. We’re hands-on, comfortable without a playbook, and biased toward decisions that unblock partners rather than slow them down. If you want to lead a team doing meaningful GRC work at real scale, we’d love to hear from you. 

Your role:

The GRC Manager is a player-coach role responsible for two of the most important threads running through our function: the third-party risk management workflow and Playlist’s compliance program portfolio. You’ll lead a team of GRC Analysts and Program Managers, set the operating standards for how we assess vendors and run audits, and serve as the GRC team’s day-to-day operating leader across the broader function. 

You’ll own and drive our compliance programs across SOC 1 Type II, ISO 27001, HITRUST, NIST CSF/800-53, and IT SOX. You’ll partner closely with Legal, Security Engineering, Product, and Finance to make sure these programs reflect how the business operates, and that compliance requirements arrive as guidance rather than friction. You’ll support the TPRM workflow end-to-end: intake, risk tiering, diligence, and ongoing monitoring across our multi-brand vendor footprint. 

You’ll be the person who turns strategy into execution, building the team, the cadence, and the tooling that make our compliance posture durable as the portfolio continues to grow. 

You’ll pursue continuous improvement to help Playlist achieve its mission: Powering the world’s fitness and wellness businesses and connecting them with more consumers, more effectively, than anyone else. 

You will:

  • Manage and develop a team of 3–5 GRC team members, set quarterly OKRs, run 1:1s, hire to fill gaps, and coach on technical depth, stakeholder management, and audit discipline. 
  • Own the third-party risk management workflow end-to-end across Playlist’s multi-brand vendor footprint: vendor intake, risk tiering, due diligence, contract risk review, and ongoing monitoring; continuously tune the program as vendor volume scales with acquisitions 
  • Lead Playlist’s compliance program portfolio across SOC 1 Type II, ISO 27001, HITRUST, NIST CSF/800-53, and IT SOX: scope, control design, evidence collection, and external audit coordination across the brand footprint 
  • Serve as primary point of contact for external auditors and assessors, manage audit timelines and finding remediation, and challenge scope and interpretation when it matters 
  • Own the GRC team’s operating cadence: planning rhythms, staff meetings, intake queues, and how the team interfaces with Security Engineering, Legal, Privacy, and Procurement 
  • Drive Playlist’s compliance automation platform forward: design how controls and evidence flow through the tool, automate high-volume evidence collection, and evolve the tooling strategy as the program scales 
  • Partner with Legal, Security Engineering, Product, and Finance to surface compliance and third-party risk early in product and infrastructure decisions, with clear accept, mitigate, or reject recommendations for partner teams 

About the right team member: 

You’re a builder-mindset GRC leader who can run multiple programs in parallel without dropping the standard of work. You see gaps and close them without waiting to be told. You lead from the front and are comfortable rolling up your sleeves to run a control walkthrough one day and coaching an analyst through a tricky stakeholder conversation the next. You think in terms of how programs scale, not just whether the current audit gets signed. You partner well across the business, especially with Engineering and Legal, because you treat compliance as something to design into the work rather than impose on it. You’re motivated by high autonomy, direct impact, and the chance to shape how a growing GRC function operates. 

You’ll thrive in this role with experience in: 

  • 7+ years of progressive Information Security GRC, Compliance, or Audit experience, including at least 2 years of direct people management 
  • Hands-on program ownership across multiple compliance frameworks: SOC 1 Type II is required, plus working depth in at least two of ISO 27001, HITRUST, NIST CSF/800-53, or IT SOX, with the ability to map and rationalize controls across frameworks. 
  • Demonstrated ownership of a third-party risk management workflow at scale: vendor intake, risk tiering, diligence, and ongoing monitoring, including the operating standards and SLAs that hold the program together 
  • Hands-on experience with a compliance automation platform (Drata, Vanta, Hyperproof, Secureframe, Optro or similar) and a clear point of view on how tooling should scale with program growth 
  • Strong project management skills; able to run multiple audits and integration workstreams in parallel without missing deadlines 
  • Direct experience managing external auditors and assessors, including comfort challenging scope and interpretation 
  • Excellent written and verbal communication, with the ability to translate compliance and risk findings into clear executive and partner-team updates 

Nice to Have: 

  • Experience integrating acquired companies into an existing compliance program, including control harmonization and audit scope decisions 
  • Background working in a multi-brand or SaaS / consumer-marketplace environment 
  • CISA, CIPP/US or CIPP/E, ISO 27001 Lead Implementer / Lead Auditor, or PCI ISA certification 
  • Detection or security engineering literacy strong enough to partner technically with Security Engineering on control design 

It is Playlist’s intent to pay all Team Members competitive wages and salaries that are motivational, fair and equitable. The goal of Playlist’s compensation program is to be transparent, attract potential employees, meet the needs of all current employees, and encourage Team Members to stay with our organization. Actual compensation packages are based on several factors that are unique to each candidate, including but not limited to skill set, depth of experience, certifications, and specific work location. The base salary range for this position in the United States is $130,000–$175,000. The total compensation package for this position may also include a performance bonus, benefits, and/or other applicable incentive compensation plan. 

Have we piqued your curiosity?

Sound like the role for you? We’d love to hear from you! Even if you’re not 100% sure about potential fit, we still encourage you to apply. We’re looking for the right person, not the perfect series of checkboxes.

The Company is an Equal Opportunity Employer. We highly value diversity at our company and encourage people of all different backgrounds, experiences, abilities and perspectives to apply. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status, or other protected characteristics.

By entering your email and phone number and submitting your application, you consent to receive emails, calls and SMS about your application and other roles at The Company, including by auto-dialer. Message and data rates may apply. Opt-out or text STOP to cancel at any time. If you are a California resident or reside outside the United States then by submitting your application you confirm that you have read, understood, agree and - where applicable - grant your prior, free, informed and express consent for the processing of your personal information, including sensitive personal information, as described in our California Applicant Privacy Notice or International Applicant Privacy Notice (as applicable).

Note: This description outlines key responsibilities but isn’t intended to cover every task or duty. Additional responsibilities may be assigned as needed to support the team and business goals.