Legal & PCI Compliance Officer
Evervault
Evervault builds encryption and data security infrastructure for developers. APIs and primitives for tokenizing, encrypting, and processing sensitive data at scale, currently focused on powering the payments stack for companies like Rippling, Ramp, and Sorare.
Team: Reporting to the CEO
About the Role
Compliance is core to what we sell. Our customers trust us with their most sensitive data (card numbers, credentials, PII) and they need to know we meet the highest security and compliance standards in the industry.
We're looking for a Legal & Compliance Officer to own PCI DSS compliance end-to-end and continue building Evervault's compliance and risk function. Our outgoing Head of Compliance has established strong foundations (policies, processes, certification workflows) so you'll be inheriting a solid base and taking it further as we scale.
If you're also a qualified lawyer who can support commercial legal work (contracts, privacy, regulatory), even better. But the core of this role is compliance.
What You'll Do
PCI DSS & Certification (Core)
Own Evervault's PCI DSS compliance program, maintaining our current certifications and preparing for future assessments
Manage relationships with QSAs and auditors, coordinating evidence gathering and remediation across engineering and operations
Stay ahead of PCI DSS updates (including v4.x requirements) and translate them into actionable engineering and process changes
Own our compliance documentation: policies, procedures, and evidence repositories
Support customers with compliance questions, SAQs, and due diligence requests
Risk & Security Governance
Maintain and improve our information security policies and risk register
Support SOC 2, ISO 27001, and other certifications as we scale upmarket
Work with engineering to embed compliance into how we build, not bolt it on after
Legal (Nice to Have)
Review and negotiate customer contracts, DPAs, and vendor agreements
Advise on data protection (GDPR, international privacy frameworks)
Support regulatory analysis as we expand into new markets and verticals
Who You Are
Deep PCI expertise. You know PCI DSS inside out. You've been through multiple assessment cycles, ideally as a QSA, ISA, or leading compliance at a PCI Level 1 service provider. You understand the standard, not just the checklist.
Technical fluency. You can talk to engineers about encryption, tokenization, key management, and network segmentation without needing everything translated. You don't need to write code, but you need to understand how systems work.
Ownership mindset. We have strong foundations in place. You'll need to maintain what works, improve what doesn't, and build what's missing as we scale into new markets and upmarket customers.
Clear communicator. You can explain compliance requirements to engineers, translate technical architecture to auditors, and brief the CEO on risk, all in the same day.
Pragmatic, not bureaucratic. You care about real security outcomes, not compliance theatre. You find the fastest path to compliance without slowing the business down.
Ideal Background
Qualified Security Assessor (QSA), strongly preferred
Or: ISA-certified, or 3+ years leading PCI DSS compliance at a Level 1 service provider or payment processor
Experience with SOC 2, ISO 27001, or GDPR is a plus
Legal qualification (solicitor, barrister, or equivalent) is a bonus, not a requirement
Experience in a startup or high-growth environment preferred
Why Evervault
Compliance is the product, not a cost centre. Your work directly enables revenue.
Strong compliance foundations already in place. You won't be starting from scratch, but you will have real ownership and room to shape what comes next.
Small team, high trust, high ownership.
Work alongside deeply technical engineers building some of the most security-critical infrastructure in payments.
We are in office Tues->Thursday, Mondays & Fridays encouraged
We are unable to offer sponsorship at this time