About the role
RightCapital is seeking an experienced Compliance Manager to lead both advisor-facing regulatory compliance and platform security compliance across our SaaS wealth-tech offering. This role sits at a pivotal intersection: you'll need to operate confidently in the established SaaS platform world of SOC 2, privacy, vendor risk, and financial-services regulatory considerations, while also helping steer the emerging, AI-enabled future we are building toward. You will orchestrate our SOC 2 Type II audit, serve as the primary point of contact for customer trust and vendor risk activities, and an embedded advisor to Product, Marketing, Sales, and Customer Experience on regulatory and privacy matters. You'll partner with engineering and IT, who own the technical controls, by coordinating evidence, surfacing gaps, and pushing for new controls when business or regulatory needs demand them. As AI becomes an increasingly meaningful part of what we deliver, you'll also help shape RightCapital's approach to emerging AI assurance and governance frameworks, including ISO/IEC 42001, the NIST AI Risk Management Framework, and evolving regulatory guidance from the SEC, FINRA, and state regulators, to position the company ahead of customer and regulator expectations.
The Team
This role sits on our Operations team, reporting to the VP, Operations, as part of our combined Legal & Compliance function. Our mission is to enable RightCapital's growth through robust regulatory oversight, disciplined data stewardship, and a credible security and privacy posture. We protect the company, our advisor customers, and the end-clients whose data flows through our platform by anticipating regulatory change, validating that internal controls operate as designed, and serving as a trusted advisor to every team.
The Impact
You will set the bar for how RightCapital demonstrates trust to advisors, enterprise customers, regulators, and auditors by translating complex regulatory, privacy, and security requirements into practical guidance the business can act on, and ensuring our SOC reports and customer assurance posture keep pace with our growth.
Responsibilities
Regulatory & Advisor-Facing Compliance
- Understand how financial services regulations affect our advisor and RIA customer base and our platform, including FINRA, SEC, and Investment Adviser Act considerations as they intersect with the features and communications we deliver
- Partner with Product and Marketing teams as an embedded compliance consultant to review product enhancement proposals, feature releases, and public-facing statements for regulatory adherence and risk exposure
- Develop and maintain compliance guidelines and frameworks for Product and Marketing teams to ensure platform features, promotional materials, and customer communications meet necessary regulatory standards and industry requirements
- Develop and maintain a regulatory horizon-scanning process to monitor changes in FINRA, SEC, state privacy laws, and other relevant frameworks; translate impact into actionable guidance for the business Privacy & Data Stewardship
- Serve as a key operator and enforcer of RightCapital's privacy program, keeping day-to-day practices aligned with the privacy policy and applicable regulations, and driving the internal data inventory / data map, DSAR (data subject access request) intake and fulfillment, and privacy impact assessments for new features
- Enforce privacy requirements across teams, holding data-handling practices accountable to documented policy and escalating exceptions and risks as needed
- Engage with internal stakeholders including business units, information security, and product teams to assess transaction-specific risks, particularly related to data privacy regulations (CCPA and other applicable US state frameworks)
- Operationalize a 'data steward' approach to consumer-permissioned data flowing through the platform, ensuring downstream uses align with consents and contractual commitments
- Manage sub-processor disclosures and customer notifications required under DPAs SOC 2 Audit Orchestration
- Orchestrate the company's annual SOC 2 Type II audit, defining scope, building the audit calendar, managing the relationship with external auditors, coordinating PBC (prepared-by-client) requests, and driving the company across the finish line on time
- Coordinate evidence collection from control owners across engineering, IT, HR, product, operations, and management; track evidence freshness throughout the year so audits aren't a fire drill
- Maintain the SOC 2 control matrix and mapping to internal policies, and ensure each control has a documented owner
- Identify and flag missing, weak, or outdated controls to engineering, IT, HR, product, operations, management, and leadership, including controls that may be needed for future SOC scope changes, new customer commitments, or frameworks we may choose to explore over time. This role does not implement or operate technical controls; it ensures the right controls exist and that gaps are visible and assigned
- Plan and facilitate tabletop exercises required to support SOC 2 and related programs including business continuity (BCP), disaster recovery, and incident response simulations document outcomes and track remediation
- Track and report SOC audit status, control gaps, and remediation progress to leadership on a recurring cadence
AI Governance & Emerging AI Frameworks
- Author and maintain customer-facing AI trust materials (Trust Center AI section, AI rider language, advisor FAQs) in partnership with Marketing and the Legal and governance team
- Serve as the company's internal SME on AI compliance questions from Product, Engineering, Sales, and customers
- Monitor and translate emerging AI regulation, including the Colorado AI Act, evolving US state laws, and SEC / FINRA AI-related guidance (predictive data analytics rule, marketing rule applications to AI), into actionable internal requirements
- Explore, over time, how AI-specific assurance considerations (e.g., emerging AICPA AI overlay guidance) might be reflected in our SOC 2 program in partnership with our external auditor
- Conduct AI vendor due diligence on model providers and AI sub-processors (training-data exclusion, security posture, sub-processor flow-down, ISO 42001 / SOC 2 review)
- Operate and maintain core components of RightCapital's AI governance program, including the AI policy, AI system inventory, AI risk tiering, and pre-launch review process for new AI features
- Help explore ISO/IEC 42001 (AI Management System, or AIMS) and contribute to shaping a potential roadmap as customer demand and business needs evolve
- Operationalize the NIST AI Risk Management Framework (Govern, Map, Measure, Manage as the practical foundation for our AI risk practices)
Vendor Risk & Customer Trust
- Act as the primary point of contact for compliance inquiries from prospects and customers, including responding to vendor due diligence questionnaires, security assessments, and regulatory inquiries
- Respond to RFP, RFI, and security questionnaire requests related to compliance matters
- Expand and run a vendor / third-party risk management program, covering initial security and privacy due diligence on new vendors, periodic re-assessment of existing vendors, and a risk register escalated to leadership
- Review all technology and service-provider contracts with an information security and privacy lens, partnering with the Legal and governance team to ensure appropriate security, privacy, and audit-rights provisions are in place
- Maintain a centralized library of compliance artifacts (security questionnaires, certifications, policies, sub-processor list) and a self-serve Trust Center so Sales can answer common questions without escalation
- Policies, Training & Reporting
- Conduct compliance reviews and audits to validate adherence to contractual commitments, data privacy regulations, and internal policies
- Author, maintain, and version-control internal compliance policies and standards
- (acceptable use, data classification, records retention, etc.) and drive annual policy review cycles
- Own the content of the annual compliance training curriculum (privacy, security awareness, code of conduct, regulatory refreshers), authoring and updating materials, defining audiences and cadence, and partnering with the internal trainer who delivers the sessions; track completion and refresh content as regulations evolve
- Partner with InfoSec on the incident response program, owning the legal/regulatory notification workstream (breach notification timelines, regulator communications, customer notices)
- Track and report compliance KPIs (questionnaire turnaround, audit findings, training completion, DSAR SLAs, vendor review backlog) to leadership on a recurring cadence
- Serve as the company's day-to-day liaison with external privacy counsel and compliance consultants
- Provide guidance and subject-matter expertise to internal teams on compliance requirements and best practices
Qualifications
- Bachelor's degree in Business Administration, Legal Studies, Information Security, or related field
- 5+ years of experience in compliance, privacy, audit, or regulatory roles, with direct exposure to SOC 2 Type II audit cycles
- Strong working knowledge of US data privacy regulations (CCPA and other state privacy frameworks) and their practical application
- Working familiarity with at least one major InfoSec framework (SOC 2, ISO 27001, NIST CSF) and the control concepts underpinning them
- Working familiarity with at least one AI governance framework (ISO/IEC 42001, NIST AI RMF, or equivalent) and the practical controls underpinning AI risk management
- Proven ability to manage multiple complex projects simultaneously in a fast-paces environment
Ideal Qualifications
- Experience in SaaS wealth-tech, fintech, or financial services
- Understanding of how FINRA, SEC, and Investment Adviser Act regulations affect financial-advisor customers and the platforms that serve them
- Familiarity with SOC 2 Type II, ISO 27001, or other information security and assurance standards
- Certification in compliance, privacy, or audit (CCEP, CRCM, CIPP/US, CIPM, CISA)
- Experience supporting or quarterbacking a SOC 2 audit cycle end-to-end, including managing external auditors
- Experience standing up an AI governance program in a regulated industry, including AI policy, AI system inventory, and pre-launch risk review
- Familiarity with ISO/IEC 42001, NIST AI RMF, and emerging US state AI regulation (e.g., Colorado AI Act)
- Exposure to SEC / FINRA guidance on AI in financial services (predictive data analytics rule, AI applications to the marketing rule)
- Certification in AI governance or AI risk (e.g., IAPP AIGP, Artificial Intelligence Governance Professional)
- Experience facilitating tabletop exercises (BCP, DR, incident response)
- Experience administering or operating within a GRC / trust platform (SafeBase and Data preferred; OneTrust, AuditBoard, Vanta, or similar also valued)
- Experience reviewing technology contracts (DPAs, MSAs, vendor security addenda) for security and privacy risk
- Outstanding written and verbal communication skills, with the ability to convey complex regulatory, privacy, and security concepts clearly to diverse audiences, including auditors, customers, and executive leadership
- Proven business insight coupled with sharp critical thinking and risk assessment capabilities
- Track record of building collaborative relationships with cross-functional teams, especially engineering and IT
Benefits
- Group medical health insurance – multiple options with generous subsidies
- Vision and Dental group insurance
- 401(k) Plan with 100% employer match up to 3%, then 50% employer match from 3-5%
- Monthly bonus opportunities based on # of demos booked
- $1,200 yearly wellness fund that allows employees to improve all aspects of their wellbeing
- Free onsite gym membership
- Free weekly team breakfast and lunch
- Flexible PTO
- Casual dress code
- Pet friendly office
- Fun and social outings, including happy hours and team building events
- Exciting growth opportunities and did we mention yet that we have a lot of fun!
Location
RightCapital's main office is in Shelton, CT.
Hybrid work schedule, 2 days in our Shelton office per week required.
RightCapital is an equal opportunity employer.
Job Type: Full-time
Job Type: Full-time
Pay: $80,000.00 - $85,000.00 per year
Benefits:
- 401(k)
- 401(k) matching
- Dental insurance
- Employee assistance program
- Health insurance
- Life insurance
- Paid time off
- Professional development assistance
- Referral program
- Vision insurance
Application Question(s):
- What is your desired salary?
Experience:
- Compliance management: 3 years (Required)
- SaaS: 1 year (Required)
- Financial auditing: 1 year (Preferred)
Ability to Commute:
- Shelton, CT 06484 (Required)
Ability to Relocate:
- Shelton, CT 06484: Relocate before starting work (Required)
Work Location: Hybrid remote in Shelton, CT 06484