At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you’re a close but not exact match with the description, we hope you’ll still consider applying. Want to learn more about life at Klaviyo? Visit klaviyo.com/careers to see how we empower creators to own their own destiny.
About Klaviyo
Klaviyo empowers creators to own their destiny by making first-party data accessible and actionable like never before. We see innovators building incredible businesses every day using Klaviyo's platform, and we're here to make sure they have everything they need to succeed. We're a company that puts customers first, leads with curiosity, and builds with velocity.
We're looking for people who are excited about solving hard problems, who thrive in a fast-paced environment, and who want to make a meaningful impact on how businesses grow.
About the Role
We're looking for a Director of Security Risk and Trust who breaks the mold of traditional compliance leadership. This isn't a role where you'll spend your days pushing spreadsheets and chasing attestation deadlines—this is a role where you'll engineer solutions to governance and compliance challenges at scale, build systems that make security and trust a competitive advantage, and lead a team that operates at the intersection of security engineering, risk management, and regulatory compliance.
You'll own the strategy and execution of Klaviyo's Risk and Trust program, partnering deeply with Engineering, Product, Legal, IT, and business teams to embed compliance and risk management into how we build and operate—not bolt it on after the fact. You'll bring a strong technical foundation and an engineering mindset to everything you do, from designing automated compliance pipelines to developing governance frameworks for AI/ML systems. You'll need to be as comfortable reading Terraform configs and reviewing architecture diagrams as you are presenting risk posture to executive leadership.
This role reports to the CISO and is a critical member of the Security leadership team.
How You'll Make a Difference
Build and Own the Risk and Trust Strategy
- Define and execute a forward-looking strategy that scales with Klaviyo's growth, product evolution, and expansion into new markets and regulated industries
- Develop a risk management program that quantifies and communicates risk in terms the business can act on—not just heat maps, but data-driven models that inform real decisions
- Own the compliance roadmap across frameworks including ISO 27001, ISO 42001, ISO 27017, ISO 27018, SOC 2 Type II, HIPAA, GDPR, CCPA/CPRA, and emerging AI governance regulations, identifying where frameworks overlap and engineering unified control sets rather than duplicating effort
- Translate regulatory and compliance requirements into clear, actionable engineering requirements that development teams can implement without ambiguity
Engineer Solutions, Don't Just Document Them
- Build and maintain compliance-as-code infrastructure—automated evidence collection, continuous control monitoring, and policy-as-code implementations that reduce manual toil and increase assurance
- Design and implement tooling and integrations (leveraging APIs, scripting, and orchestration platforms) that connect GRC workflows with engineering systems (CI/CD pipelines, cloud infrastructure, identity platforms, etc.)
- Partner with Engineering and Platform teams to embed security and compliance controls directly into the software development lifecycle, infrastructure provisioning, and deployment pipelines without introducing toil or friction
- Evaluate, select, and optimize platforms and technologies, building automation that turns compliance from a periodic exercise into a continuous, real-time capability
Lead AI Security Governance
- Develop and implement a comprehensive AI/ML governance framework aligned with ISO 42001, the EU AI Act, NIST AI RMF, and emerging global AI regulations
- Partner with ML/AI and Data Science teams to establish security and compliance guardrails for model development, training data governance, model monitoring, and responsible AI deployment
- Conduct and oversee risk assessments specific to AI/ML systems, including risks related to data poisoning, model integrity, bias, prompt injection, and supply chain threats in the AI ecosystem
- Stay ahead of the rapidly evolving AI regulatory landscape and proactively position Klaviyo's governance posture to meet or exceed emerging requirements
Drive Cross-Functional Impact
- Partner with Product and Engineering leadership to ensure security and compliance are built into product design from day one—acting as a trusted technical advisor, not a blocker
- Collaborate with Legal and Privacy teams to operationalize regulatory requirements and ensure alignment between legal interpretation and technical implementation
- Work with Sales, Customer Success, and Trust teams to support customer-facing security and compliance needs, including customer audits, security questionnaires, and trust documentation
- Engage with executive leadership and the Board to communicate risk posture, compliance status, and strategic GRC investments in clear, business-relevant terms
Get Your Hands Dirty
- Roll up your sleeves and do the work—conduct technical risk assessments, review architecture designs, write automation scripts, troubleshoot control gaps, and dive into the details when it matters
- Personally lead critical compliance initiatives, audit responses, and incident-driven governance activities when the stakes are high
- Maintain deep technical currency by staying hands-on with cloud platforms (AWS, GCP, Azure), infrastructure-as-code tools, security tooling, and modern software development practices
What We're Looking For
Must-Haves
- 10+ years of experience in security, governance, risk, and compliance, with at least 5 years in a leadership role building and scaling programs at high-growth technology or SaaS companies
- Strong engineering and technical foundation—you've written code (Python, Go, or similar), built automation, worked in cloud-native environments, and can engage deeply with engineering teams on technical design and implementation
- Deep expertise across multiple compliance frameworks including ISO 27001, ISO 42001, ISO 27017, ISO 27018, SOC 2, HIPAA, GDPR, and SOX IT controls, with a demonstrated ability to rationalize and unify controls across overlapping frameworks
- Demonstrated experience in AI/ML security and governance, including familiarity with AI-specific risk frameworks, responsible AI principles, and the unique security challenges of machine learning systems
- Hands-on experience with cloud infrastructure and security (AWS strongly preferred), including understanding of IAM, networking, encryption, logging/monitoring, and infrastructure-as-code (Terraform, CloudFormation, etc.)
- Proven ability to build compliance-as-code and automated GRC capabilities, including evidence collection automation, continuous monitoring, and integration with engineering toolchains
- Exceptional cross-functional leadership skills—you've successfully partnered with Engineering, Product, Legal, and executive stakeholders to drive security and compliance outcomes without relying on authority alone
- Experience managing external audits and regulatory examinations end-to-end, with a track record of clean results and efficient audit processes
Strong communication skills with the ability to translate complex technical and regulatory concepts for diverse audiences—from engineers to board members
**Massachusetts Applicants: **It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.
Our salary range reflects the cost of labor across various U.S. geographic markets. The range displayed below reflects the minimum and maximum target salaries for the position across all our US locations. The base salary offered for this position is determined by several factors, including the applicant’s job-related skills, relevant experience, education or training, and work location.
In addition to base salary, our total compensation package may include participation in the company’s annual cash bonus plan, variable compensation (OTE) for sales and customer success roles, equity, sign-on payments, and a comprehensive range of health, welfare, and wellbeing benefits based on eligibility.
Your recruiter can provide more details about the specific salary/OTE range for your preferred location during the hiring process.
Base Pay Range For US Locations:
$233,600—$350,400 USD
This role may require up to 10% travel for purposes such as new hire onboarding, client or partner work if applicable, team meetings, and industry events. Travel is coordinated in advance.
Get to Know Klaviyo
We’re Klaviyo (pronounced clay-vee-oh). We empower creators to own their destiny by making first-party data accessible and actionable like never before. We see limitless potential for the technology we’re developing to nurture personalized experiences in ecommerce and beyond. To reach our goals, we need our own crew of remarkable creators—ambitious and collaborative teammates who stay focused on our north star: delighting our customers. If you’re ready to do the best work of your career, where you’ll be welcomed as your whole self from day one and supported with generous benefits, we hope you’ll join us.
_AI fluency at Klaviyo includes responsible use of AI (including privacy, security, bias awareness, and human-in-the-loop). We provide accommodations as needed. _
_By participating in Klaviyo’s interview process, you acknowledge that you have read, understood, and will adhere to our Guidelines for using AI in the Klaviyo interview Process. For more information about how we process your personal data, see our Job Applicant Privacy Notice. _
Klaviyo is committed to a policy of equal opportunity and non-discrimination. We do not discriminate on the basis of race, ethnicity, citizenship, national origin, color, religion or religious creed, age, sex (including pregnancy), gender identity, sexual orientation, physical or mental disability, veteran or active military status, marital status, criminal record, genetics, retaliation, sexual harassment or any other characteristic protected by applicable law.
IMPORTANT NOTICE: Our company takes the security and privacy of job applicants very seriously. We will never ask for payment, bank details, or personal financial information as part of the application process. All our legitimate job postings can be found on our official career site. Please be cautious of job offers that come from non-company email addresses (@klaviyo.com), instant messaging platforms, or unsolicited calls.
By clicking "Submit Application" you consent to Klaviyo processing your Personal Data in accordance with our Job Applicant Privacy Notice. If you do not wish for Klaviyo to process your Personal Data, please do not submit an application._ _You can find our Job Applicant Privacy Notice here and here (FR).