Customer data is the fuel that drives all modern businesses. From product analytics, to marketing, to support, to advertising, advanced data analysis in the warehouse, and even sales – customer data is the raw material for each function at a modern business.
For highly regulated businesses in healthcare, it’s always been a challenge to harness that customer data and get it to the marketing and analytics tools that require it while following patient privacy laws... until now.
Something as simple as running ads to get more users is easy for an e-commerce or software company to do. But common web analytics and advertising tools automatically collect sensitive user identifiers and healthcare information. Those same tools are not HIPAA compliant.
We provide a layer of data governance to make current web analytics tools HIPAA-compliant. For analytics, our customers can continue getting the insights they need to improve the patient experience. For marketing, Freshpaint safeguards health information while helping our customers promote access to care through popular advertising platforms like Facebook, Google, and others.
In short, we help healthcare marketers promote access to care and safeguard patient privacy at the same time. This is an important, complex problem in a massive market (healthcare is 20% of the US GDP).
Our customers manage their customer data with:
Privacy Platform. We help healthcare providers automate their website’s and app’s HIPAA compliance, and safeguard patient data. This is our core product today.
Future additional product lines! Our core product provides a platform that we're building marketing applications on top of.
We’re fully remote. If you strongly value in-person work, Freshpaint is likely not the best fit for you. Even though we don’t care where you’re located, we only hire within the US. Much of our team is concentrated in metro areas like SF or NYC. To balance out our remote-ness, we gather the team twice a year for offsites. We’re backed by leading investors including Y Combinator, Intel Capital, and angel investors like the Head of Data from Slack, the Head of Data at LinkedIn, and more.
Freshpaint was founded by web analytics veterans who realized how hard it was for highly regulated companies to collect and use customer data in a compliant way. We started as part of Y Combinator’s S19 cohort and have been focused on enabling healthcare companies to collect, safeguard, and activate patient data since.
In 2022 the government issued updated guidance around HIPAA, basically making our software a requirement to use for healthcare companies. As a result, we're one of the fastest growing software companies on earth right now.
Our team has deep analytics and growth experience, with all of us coming from high-growth companies like Heap, Pendo, Iterable, Quantum Metric, and Retool. If you value lots of freedom and ownership in your work, interfacing with customers, and working on a product with high customer impact, then Freshpaint is your home.
About the Role
We’re looking for a Security Operations Lead to own and drive Freshpaint’s operational security initiatives. This role will serve as the connective tissue between our engineering, compliance, and operations teams, helping us maintain and continuously improve our security posture.
You’ll manage day-to-day security operations and lead key security programs, including penetration testing, SOC 2 audits, and HITRUST R2 certification efforts. You’ll also help scale our security processes as we grow, ensuring we stay proactive and compliant across frameworks.
What You’ll Do
Own and manage Freshpaint’s recurring security compliance programs, including SOC 2 Type II, HITRUST R2, and other certifications or audits as needed.
Coordinate and manage annual penetration tests and follow through on remediation activities.
Maintain and continuously improve Freshpaint’s security controls and documentation.
Partner with engineering and product teams to operationalize security best practices across systems, tools, and processes.
Support risk assessments, vendor security reviews, and internal audits.
Act as a key point of contact for external auditors, customers, and vendors on security-related matters.
Drive security awareness and education initiatives across the company.
Qualifications
3+ years of experience in security operations, GRC, or compliance at a SaaS or cloud-based company.
Strong understanding of security frameworks and standards (SOC 2, HITRUST, ISO 27001, etc.).
Experience managing audits and working directly with assessors and penetration testing vendors.
Familiarity with cloud infrastructure (AWS, GCP) and modern software development practices.
Excellent project management and cross-functional communication skills.
You’re organized, detail-oriented, and excited by the challenge of building scalable security programs in a fast-moving environment.
Bonus Points
Experience with automation tools for evidence collection or continuous compliance.
Prior experience working in a startup or high-growth environment.
Relevant certifications (CISA, CISSP, CISM, or HITRUST CCSFP).
We take care of our team—here’s a peek at what you get when you join:
Competitive pay + generous equity (10-year exercise window)
Fully remote (U.S. only) with a $150/month coworking stipend
Half-day Fridays, every Friday
Unlimited PTO—with a required 2-week minimum
Top-tier health, dental & vision (100% covered for you, 80% for dependents)
2 “Treat Yourself” days a year—$100 and a day off, just because
Generous parental leave
Epic offsites twice a year (past trips: Greece, Jackson Hole, Cabo, wine country + more)
And more—check out our careers page for the full list.