Senior GRC Program Manager

Inclusion at Bumble Inc. 

Bumble Inc. is an equal opportunity employer and we strongly encourage people of all ages, colour, lesbian, gay, bisexual, transgender, queer and non-binary people, veterans, parents, people with disabilities, and neurodivergent people to apply. We're happy to make any reasonable adjustments that will help you feel more confident throughout the process, please don't hesitate to let us know how we can help.

In your application, please feel free to note which pronouns you use (For example: she/her, he/him, they/them, etc).

About Bumble

At Bumble, we’re building secure, AI-driven systems that empower connection and trust globally. Security and privacy are at the heart of that mission.

We’re looking for a Senior Security GRC Program Manager to lead our PCI, SOX, ITGC, and GDPR programs — driving audit excellence, automation maturity, and cross-functional compliance alignment across Bumble’s products and infrastructure.

This role is ideal for someone who thrives in fast-moving environments and knows how to transform compliance from a checkpoint into a scalable, automated enabler of trust.

Please note: We are unable to offer Visa transfers or Visa sponsorship

• Own Bumble’s Core Compliance Programs:
• Lead end-to-end management of PCI, SOX, ITGC, and GDPR frameworks — from annual audit planning through evidence collection, remediation, and executive reporting.
• Drive Audit Efficiency & Automation:
• Partner with Security Engineering, Finance IT, and Product teams to automate evidence workflows, control attestations, and testing pipelines via tools such as Drata, Vanta, or ServiceNow GRC.
• Lead SOX & ITGC Program Delivery:
• Co-own SOX ITGC compliance with Finance IT, directly manage external audit partners, and maintain strong control hygiene across identity, change management, and infrastructure layers.
• Oversee PCI Compliance Operations:
• Maintain Bumble’s PCI program scope, manage annual assessments, and coordinate with payments and infrastructure teams to ensure ongoing adherence and minimal audit fatigue.
• Steward GDPR Alignment:
• Partner with Legal, Privacy, and Data Engineering to operationalize GDPR requirements, ensuring data protection principles and privacy-by-design controls are consistently validated.
• Report Risk & Remediation Metrics:
• Build dashboards and KPI reports that provide visibility into audit readiness, control performance, and remediation progress for executive stakeholders.

• Program Leadership Experience:

• 6+ years of experience in Security GRC, audit, or compliance within a cloud-native or technology-driven environment.
• Proven ownership of PCI, SOX, ITGC, and GDPR compliance programs — from planning through audit closure.
• Demonstrated success driving measurable improvements in audit efficiency, control maturity, or automation adoption.

• Technical Acumen:
• Strong working knowledge of cloud architectures (AWS, GCP) and common ITGC control areas — including access management, change management, and incident response.
• Experience integrating GRC tools with engineering systems (e.g., CI/CD pipelines, Jira, Slack, or identity platforms like Okta).
• Ability to design or refine control automation workflows and collaborate with engineers on technical control implementation.
• Practical understanding of data flow mapping and system-of-record validation to support GDPR evidence and privacy controls.

• Execution & Communication:
• Track record of leading multi-stakeholder audits (Finance, Legal, Engineering, Privacy) and aligning diverse teams on deadlines and deliverables.
• Skilled at presenting complex audit or risk topics to executive leadership using concise, data-driven insights.
• Capable of drafting clear, audit-ready documentation and control narratives without excessive bureaucracy.

• Mindset & Operating Style:
• Automation-first: Seeks opportunities to replace manual audit processes with system-driven controls.
• Business-aligned: Understands how to balance compliance requirements with engineering velocity.
• Outcome-driven: Measures success through reduced audit fatigue, improved evidence hygiene, and faster remediation cycles.
• Collaborative: Builds trust with auditors and internal stakeholders through transparency and consistency.

• Hands-on experience automating evidence collection or audit testing workflows.
• Familiarity with data protection impact assessments (DPIAs) and GDPR privacy operations.
• Experience building or maintaining risk registers, executive dashboards, or compliance OKRs/KPIs.
• Certifications such as CISA, CISM, CISSP, CRISC, or ISO Lead Auditor.
• Background in payments, fintech, or regulated SaaS environments.

About Us

Bumble Inc. is the parent company of Bumble, Badoo, Bumble For Friends, and Geneva. The Bumble platform enables people to build healthy and equitable relationships, through Kind Connections. Founded by Whitney Wolfe Herd in 2014, Bumble was one of the first dating apps built with women at the center and connects people across dating (Bumble Date), friendship (Bumble For Friends) and professional networking (Bumble Bizz). Badoo, which was founded in 2006, is one of the pioneers of web and mobile dating products. Bumble For Friends is a friendship app where people in all stages of life can meet people nearby and create meaningful platonic connections. Geneva is a group and community app for people to connect based on shared interests.

AI in Bumble Hiring 

At Bumble, we may use AI tools to support parts of our recruitment process — such as helping us record, transcribe, and summarize conversations, and supporting job alignment by comparing resumes and job descriptions to highlight skills and potential roles that may be a good match. These tools help us work more efficiently and stay focused on you during our conversations. Importantly, all hiring decisions are made by people. AI is used only to support our team’s efficiency and improve the candidate experience — not to evaluate or decide on your candidacy. Participation in AI-supported interviews and conversations is completely voluntary and will not impact your candidacy. If you’d prefer to opt out, simply let your recruiter or interviewer know at the start of a call, or anytime during the interview or conversation. Summaries and related data are retained only as long as needed in line with our internal data retention policies. If at any point you’d like a transcription or summary deleted, please contact your recruiter directly.