Third Party Risk Management and Customer Trust Lead
Apply at source. Replit handles the application directly; Houtini doesn't take a fee from candidates or companies. We curate which companies appear; the listings come from yubhub.
What the team is looking for.
Compensation
The base salary for this role ranges from $210K – $270K.
Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide, Replit is democratizing software development by removing traditional barriers to application creation.
About the role:
Replit’s ecosystem is powered by an expanding array of external services and essential AI model partners. As the lead for Security Vendor Risk & Contract Reviews, you will architect and execute a risk management program focused on substantive evaluation rather than just processing checklists. You’ll analyze SOC 2 documentation, security assessments, and system architectures to determine actual risk profiles, collaborating with the Legal team to secure necessary contractual protections. This role reports to the Head of Security GRC and involves high-impact partnerships across Legal, Engineering, and Product teams.
Responsibilities
- Run substantive third-party risk management (TPRM), independently evaluating real risk, not just processing questionnaire responses
- Review SOC 2 reports, pen test findings, and architecture documentation to form an independent view of vendor risk, extending the same rigor to AI/model providers
- Partner with Legal on vendor and AI contract terms, including DPAs, subprocessor agreements, and AI-specific provisions
- Review contracts for non-standard security language when flagged by Legal or deal desk, and recommend redlines
- Maintain the vendor and AI/model risk register, feeding findings into the company's master risk register
- Enable sales through maturing the customer trust program
- Build the capability for continuous monitoring of vendor ecosystem
Required Skills & Experience
- 8+ years in third-party/vendor risk management, security risk, or a related GRC role
- Demonstrated ability to independently assess vendor risk rather than relying on questionnaire responses alone, fluent in reading SOC 2 reports, ISO certificates, pen test summaries, and architecture documentation
- Experience reviewing or redlining security and data-handling contract language, ideally in partnership with a legal team
- Working knowledge of data privacy fundamentals (GDPR, CCPA) as they relate to vendor and subprocessor relationships
- Strong cross-functional collaboration skills , this role touches Legal, Engineering, Product, and Sales regularly
- Experience building repeatable, scalable vendor review processes rather than inheriting an existing one
Bonus Qualifications
- Direct experience assessing foundation model providers or AI/ML vendors specifically
- Experience automating or streamlining third-party review workflows (e.g., continuous vendor monitoring, automated evidence pulls) is a plus
- Familiarity with NIST AI RMF, ISO 42001, or the EU AI Act
- Background at an AI-native product company or an LLM/model provider
- Paralegal experience or formal contract review training
- Relevant certifications (CTPRP, CISSP, CIPP/E)
Benefits
- Competitive Salary & Equity
- 401(k) Program with a 4% match (US Only)
- Health, Dental, Vision and Life Insurance
- Short Term and Long Term Disability
- Paid Parental, Medical, Caregiver Leave
- Flexible Time Off (FTO) + Holidays
- Commuter Benefits (In-Office Only)
- Monthly Wellness Stipend
- Autonomous Work Environment
- In Office Set-Up Reimbursement (In-Office Only)
- Quarterly Team Gatherings
- In Office Amenities (In-Office Only)
- third-party risk management
- security risk management
- GRC
- SOC 2 reports
- data privacy
- contract review
- AI/ML vendors
- continuous vendor monitoring
- NIST AI RMF
- ISO 42001
- EU AI Act
- paralegal experience
- CTPRP
- CISSP
- CIPP/E
Other roles you might consider.
Filtered through the same AI-companies allowlist.
Member of Technical Staff (Software Engineer, Inference & Training Platform)
Perplexity
Research Scientist, Life Sciences (Computational)
Anthropic
Product Manager, Safeguards (Verticals)
Anthropic
Power Systems Engineer (Data Center Infrastructure)
SpaceXAI
Electrical Reliability Engineer (Data Center Infrastructure)
SpaceXAI
Harness Engineer
OpenAI
New to AI work? Start with these.
Six pieces of orientation. Most AI-company job specs assume you've done this kind of hands-on work already. If you haven't, an afternoon with one of these is the cheapest way to close the gap.
Claude Desktop, from zero.
The agentic-AI assistant most of the people you'd be working alongside use every day. Install, configure, first useful prompts.
What MCPs areThe best MCPs for Claude Desktop.
MCP servers extend an AI assistant with tools and data. The catalogue most teams use. Useful technical context for any AI-engineering role.
Code with AIClaude Code, the complete beginners' guide.
The CLI for AI-paired development. Required reading if you're applying for any engineering role that mentions agents, or any role full stop.
Run a local modelHow to set up LM Studio.
Running a model on your own machine teaches you more about how AI products work in three hours than a year of using ChatGPT will.
The hardware realityBeginner's guide to AI hardware.
What the infrastructure under the model actually looks like. Useful context for infrastructure, applied-AI and hardware roles.
Browse the stackMCP catalogue.
Eleven MCP servers Houtini maintains or recommends. Each detail page describes a real piece of working AI infrastructure.