
Head of compliance

London
Fresha
€70,000 a year
Posted: 9h ago
Offer description

Overview

About Fresha: Fresha is the AI-powered operating system for the global beauty, wellness and self-care industry, connecting and powering everything from salons and barbers to spas, medspas, fitness studios and health practices. The company is headquartered in London, United Kingdom, with 15 global offices across North America, EMEA and APAC. Fresha enables consumers to discover, book and pay for beauty and wellness appointments with local businesses via its marketplace, while businesses use an all-in-one platform to manage operations with software and financial technology solutions.

Trusted by millions of consumers and businesses worldwide, Fresha serves 140,000+ businesses and 450,000+ stylists and professionals, processing over 1 billion appointments to date.

Fresha’s ecosystem provides merchants the tools to run their business seamlessly, including appointment bookings, point-of-sale, customer records management, marketing automation, loyalty, inventory and team management. The consumer marketplace enables online bookings and automated marketing through mobile apps and integrations with major brands such as Instagram, Facebook and Google.


Role Summary

Reports to: VP of Security, IT and Compliance. We are seeking someone to own compliance end-to-end at Fresha, including data protection, vendor risk, and policy. The role requires taking over current operations, expanding scope, and elevating the function with automation and AI-supported tooling.

This position is based in our London office (The Bower, 207-122, Old Street, London EC1V 9NR) five days per week and fosters a collaborative, face-to-face working environment.


What You'll Own


Audits and certifications

* Run the PCI DSS audit to completion, then GDPR and SOC 2 Type II within the year
* Be the main point of contact for external auditors — scoping, evidence, walkthroughs, findings
* Maintain HIPAA and ISO 27001 between recertifications


Compliance operations

* Quarterly access reviews across in-scope systems
* Sprinto: ensure controls are covered, triage failures quickly, keep evidence current
* Vulnerability management: track closures against SLAs and address drift
* Own the compliance risk register: keep it current, maintain a review cadence, and ensure it informs decisions


Data protection

* Handle Subject Access Requests and Data Access Requests end-to-end
* Maintain GDPR ROPA accuracy as systems, vendors, and data flows change
* Own and enforce data retention in systems, not just on paper


Vendor and third-party risk

* Review new vendors before onboarding — security posture, data handling, DPAs
* Reassess critical and high-risk vendors regularly
* Maintain vendor inventory, DPAs, and sub-processor lists in an audit-ready state


Policy and awareness

* Write and update policies as the environment, regulations, and business change
* Ensure policies are usable, understood, and followed
* Own the compliance and privacy training program: annual training and role-specific training for engineers handling PHI or cardholder data


Automation and AI

* Automate recurring tasks where possible using Sprinto, scripts, workflows, and AI
* Push Sprinto and adjacent tooling to the limit and fill gaps with automation
* Use AI for drafting, review, and first-pass analysis with human sign-off for regulator/auditor-facing work
* Operate the function as a product: reduce manual rituals each quarter


What We're Looking For

* Experience leading compliance in at least two frameworks (PCI DSS, SOC 2, ISO 27001, HIPAA, GDPR); PCI DSS and GDPR experience is highly valuable
* Direct experience with auditors and a willingness to challenge scope or findings
* Hands-on approach: actively involved in Sprinto, policy drafts, and vendor reviews
* Fluent with AI tools and capable of building automation; you don’t need to be a developer
* Ability to translate between engineers and auditors
* Bonus: experience with other GRC tools, DPO work, payments regulatory exposure, or measurable automation of manual compliance tasks


How You'll Work

You will have one direct report initially and expand the team as workload justifies. You’ll collaborate with Security, IT, Legal, Engineering and People. Expect to work closely with auditors during audit windows and with engineering and vendor teams otherwise.


Interview Process

* Screen Stage — Video call with a Talent Team member (45-60 minutes)
* 1st Stage — Interview with the VP of Security, IT & Compliance (60 minutes)
* Final Stage — Video interview with the CTO (60 minutes) and Head of Talent (30 minutes)

We aim to finalize the interview process and provide feedback within four weeks. Applications are reviewed manually by our talent team; while we strive to assess within seven days, volume may extend this timeline.


Inclusive Workforce

At Fresha we are creating a culture where individuals of all backgrounds feel comfortable. All applicants will receive fair consideration for employment. We do not discriminate based on race, colour, religion, sex, sexual orientation, age, marital status, gender identity, national origin, disability, or any other protected characteristics. If you have accessibility requirements for interviews or joining, please let us know so we can support you. We may use AI tools to support parts of hiring (e.g., reviewing applications, analyzing resumes) but final hiring decisions are made by humans. If you want more information about data processing, please contact us.
