Security and Compliance Lead - AI Agents (Healthcare)

100ms

Software Engineering, Data Science, Compliance / Regulatory
Bengaluru, Karnataka, India
INR 50-80 lakh / year + Equity
Posted on Feb 12, 2026
About 100ms
100ms is building AI agents that automate complex patient access workflows in U.S. healthcare—starting with benefits verification, prior authorisation, referral intake, appointment scheduling, and patient intake. We help care teams reduce delays and administrative burden so that patients can start treatment faster.
Our automation platform combines deep healthcare domain knowledge with LLM-based agents and robust ops infrastructure.
We are fully HIPAA-compliant with secure, U.S.-based data storage, and we serve hospitals, health systems, payers, and specialty pharmacies across the country.

The Role

  • We’re looking for a Lead, Compliance & Security to own and operationalise 100ms’s entire security posture, regulatory compliance programmes, and privacy framework. Reporting to the CTO (or CEO), you will be the single-threaded owner of HIPAA compliance, SOC 2 certification, and enterprise security—building policies, tooling, and a culture of security from scratch.
  • This is a foundational, high-impact role. You’ll work cross-functionally with Engineering, Product, Legal, and Customer Success to make security a competitive advantage with U.S. healthcare enterprise customers.

What you’ll do

Regulatory Compliance & Privacy
  • Design, implement, and maintain a comprehensive HIPAA compliance programme covering the Privacy Rule, Security Rule, and Breach Notification Rule.
  • Serve as the designated Privacy Officer and/or Security Officer for the organisation.
  • Develop and enforce Business Associate Agreements (BAAs) with all vendors and partners handling PHI.
  • Conduct periodic Security Risk Assessments (SRA) and maintain a risk register with clear remediation timelines.
  • Monitor evolving U.S. healthcare regulations (HITECH, state privacy laws, CMS interoperability rules, 21st Century Cures Act) and update policies accordingly.
  • Lead external audit readiness for SOC 2 Type II, HITRUST CSF, and customer-required security assessments.

Security Architecture & Engineering
  • Define and enforce 100ms’s security architecture across cloud infrastructure (AWS / GCP / Azure), application layer, AI agent pipelines, and U.S.-based data storage.
  • Implement IAM policies, encryption standards (at rest and in transit), and network segmentation controls.
  • Own vulnerability management: scanning, triage, SLA-driven patching, and penetration testing schedules.
  • Establish and manage a Security Incident Response Plan (SIRP), including tabletop exercises and on-call rotation.
  • Evaluate and deploy security tooling (SIEM, EDR, DLP, CSPM) appropriate for a startup—balancing rigour with speed.
  • Ensure security of LLM-based agent workflows, including prompt injection defences, data leakage prevention, and PHI handling in AI pipelines.

Governance, Risk & Trust
  • Build 100ms’s security documentation library: policies, standards, procedures, and evidence repositories, managed in a GRC / compliance automation platform (Sprinto, Vanta, Drata, or Secureframe).
  • Set up and manage continuous compliance monitoring and automated evidence collection via Sprinto for SOC 2 and HIPAA audit readiness.
  • Own the vendor risk management programme, including third-party security reviews and ongoing monitoring.
  • Respond to customer security questionnaires, RFPs, and due-diligence requests alongside Sales and Customer Success.
  • Drive security awareness training across the organisation, including onboarding programmes and phishing simulations.
  • Track security KPIs and present a quarterly compliance posture report to the leadership team.

Cross-Functional Partnership
  • Embed secure-by-design principles into the SDLC: threat modelling, secure code reviews, and dependency scanning.
  • Collaborate with Engineering on DevSecOps practices—CI/CD pipeline security, secrets management, and infrastructure-as-code hardening.
  • Partner with Legal on data processing agreements, breach notification protocols, and regulatory filings.
  • Support customer-facing teams in addressing compliance concerns and positioning security as a sales differentiator with U.S. healthcare buyers.

What you bring: Required Experience

  • 5+ years of experience in information security, compliance, or risk management, with at least 2 years working with U.S. healthcare data or health-tech products.
  • Deep working knowledge of HIPAA (Privacy, Security, and Breach Notification Rules), HITECH, and the SOC 2 framework.
  • Hands-on experience implementing and maintaining compliance programmes in a cloud-native (AWS, GCP, or Azure) environment.
  • Experience leading or significantly contributing to SOC 2 Type II or HITRUST certification efforts.
  • Hands-on experience with Sprinto or similar GRC/compliance automation platforms (Vanta, Drata, Secureframe).
  • Strong understanding of modern application security, cloud security architecture, and DevSecOps practices.
  • Proven ability to translate complex U.S. regulatory requirements into actionable engineering and operational controls.
  • Excellent written and verbal communication skills; comfortable presenting to executives, auditors, and U.S. enterprise customers.

You’ll stand out if you have

  • Relevant certifications such as CISSP, CISM, HCISPP, CCSP, or HITRUST CCSFP.
  • Experience at an early-stage or high-growth startup, building compliance programmes from zero to one.
  • Familiarity with AI/LLM security considerations—prompt injection, data leakage, model safety, and PHI handling in agentic workflows.
  • Familiarity with FDA software regulations (SaMD) or CMS interoperability standards (HL7 FHIR).
  • Background in penetration testing, application security, or security engineering.
  • Experience with state-specific U.S. health data privacy laws (e.g., CMIA, SHIELD Act, Washington My Health My Data Act).
  • Experience managing Sprinto end-to-end for SOC 2 / HIPAA audit readiness and evidence automation.
  • Prior experience working from IST while collaborating with U.S.-based teams and customers.

What we offer: Compensation & Benefits

  • Competitive salary: ₹50–80 LPA based on experience and skills.
  • Significant ESOP grant: meaningful equity reflecting early-stage impact and founder proximity.
  • Comprehensive health insurance for you and your family.
  • Flexible work arrangements.
  • Direct access to founders and strategic decision-making.

Why 100ms

  • Massive market opportunity: Patient access bottlenecks affect millions of patients and cost the U.S. healthcare system billions annually. You’ll help build the trust infrastructure from the ground up.
  • Foundational role: You’ll be the first dedicated compliance and security hire—shaping the programme, the tooling, and the culture.
  • Real-world impact: Your work directly translates to patients accessing life-saving medications faster and healthcare workers focusing on care instead of administrative burden.
  • Cutting-edge technology: Work at the intersection of LLMs, AI agents, healthcare operations, and enterprise-grade security.
  • Founder proximity: Work directly with founders who have built successful products and deeply understand both AI infrastructure and healthcare operations.
  • Early-stage leverage: Join at the ground floor where individual contributions materially impact company trajectory.
  • Exceptional team: Collaborate with ex-entrepreneurs, AI engineering experts, and healthcare operations specialists building the future of healthcare automation.
  • Career acceleration: Build deep expertise in U.S. healthcare compliance and AI security from India while working closely with U.S. customers and partners.

Additional Information

  • At 100ms, we value in-person collaboration for faster iteration and stronger product culture.
  • Team members are expected to work from the office at least three days a week—Tuesday, Wednesday, and Friday.
  • Some overlap with U.S. time zones (Eastern / Pacific) will be required for customer and partner interactions.
