RevOptimal is building the future of privacy-conscious identity resolution for advertising. Instead of relying on outdated identifiers like cookies, IP addresses, or device IDs, we resolve identity using deterministic, people-based signals to help advertisers reach real audiences with greater precision and confidence.
Our solutions power smarter audience targeting, cross-device attribution, and curated private marketplaces—helping brands and agencies make their data work harder.
The Role
We are hiring a hands-on InfoSec & IT Lead to design, operate, and mature a security, privacy and compliance program that protects our data, enables secure vendor & partner integrations, and keeps RevOptimal audit-ready for SOC 2 and other certifications. You will help design and build a secure cloud architecture, lead SOC 2 and ISO 27001:2022 readiness, drive Zero Trust adoption, own security operations and incident response, and be accountable for privacy compliance across US state laws and GDPR. The role also includes hands-on IT operations for a small company (<20 employees).
What You'll Do
Security strategy & architecture
Define and execute the company security strategy and roadmap across cloud, data, application, and infrastructure security.
Lead the design and pragmatic implementation of Zero Trust architecture principles (identity-centric controls, least-privilege access, micro-segmentation, device posture and conditional access).
Design and enforce secure cloud architecture patterns (AWS best practices for S3, IAM, KMS, VPCs, cross-account roles and clean-room integrations).
Implement secure key management, encryption at rest / in transit, and data classification & retention standards appropriate for sensitive data.
Compliance, GRC & Privacy (SOC 2, ISO 27001 & Data Privacy)
Own SOC 2 readiness, audit lifecycles and evidence automation.
Lead ISO 27001:2022 readiness and the ISMS lifecycle when appropriate (scoping, risk assessment & treatment, SoA, internal/external audits).
Own data privacy compliance frameworks across relevant regimes: US state privacy laws (e.g., CPRA/CCPA and other state statutes) and EU GDPR. Responsibilities include:
Maintain a comprehensive data map / Record of Processing Activities (RoPA) covering personal data flows, storage locations, retention and processors.
Run Data Protection Impact Assessments (DPIAs) for high-risk processing and partner integrations.
Operate a DSAR / DSR process (data subject access/deletion/portability requests) and ensure timely responses that meet legal deadlines.
Manage Data Processing Agreements (DPAs) and contractual privacy controls with vendors and partners.
Implement and enforce privacy-by-design/default controls and data minimization across technical and product solutions.
Ensure lawful cross-border data transfer mechanisms (e.g., SCCs, adequacy assessments, and technical safeguards) and document them appropriately.
Operate and maintain compliance automation tooling (e.g., Vanta) and privacy management tooling; track remediation and evidence collection.
Security operations & engineering
Build and operate detection & monitoring (centralized logging, alerting and lightweight SIEM).
Secure onboarding and hardening of partner integrations (S3 buckets, IAM roles, cross-account access, clean-room patterns).
Assess and govern third-party security and privacy posture with technical and contractual controls.
IT operations & employee support
Manage day-to-day IT for a company <20 people: device lifecycle (MDM), endpoint protection, SSO/MFA, Google Workspace/Slack/Atlassian administration, onboarding/offboarding and enforcement of 2FA.
Own vendor relationships for IT/security/privacy services and provide escalated IT support.
Team, communication & culture
Evangelize security and privacy across the company: training, phishing simulations, privacy awareness.
Report security and privacy KPIs to executives (SOC 2/ISO coverage, Zero Trust adoption, DSAR SLAs, MTTR).
Required Qualifications
6+ years of professional experience in information security, with at least 3 years in a leadership/managerial role.
Proven experience leading SOC 2 readiness and audit programs and operating compliance automation tools.
Practical experience implementing Zero Trust principles in cloud environments.
Practical experience with GDPR and with US state privacy laws (CCPA/CPRA and/or other modern state privacy statutes), including DSAR/DSR handling, DPIAs, RoPA, DPAs and breach notification processes.
Strong operational security capabilities (vulnerability management, IR, logging/monitoring, IAM, encryption).
Practical IT operations experience for small companies (MDM, SSO/MFA, onboarding/offboarding).
Excellent written and verbal communication skills.