Global Security, Privacy & Regulatory Documentation Manager at Ultrasound AI Inc
Greenwood Village, CO 80111, USA
Full Time


Start Date: Immediate
Expiry Date: 06 Dec, 25
Salary: 300000.0
Posted On: 07 Sep, 25
Experience: 10 year(s) or above
Remote Job: Yes
Telecommute: Yes
Sponsor Visa: No
Skills: Cloud, Jira, Kindness, Encryption, GRC, HIPAA, English
Industry: Information Technology/IT

Description

GLOBAL SECURITY, PRIVACY & REGULATORY DOCUMENTATION MANAGER (HEALTHCARE AI)

Location: Denver Metro Area
Employment: Full-time | Individual contributor (with growth to lead a small team)
Reports to: CEO

HOW YOU’LL KNOW YOU’RE SUCCEEDING (30/60/90)

  • 30 days: central repo live; index of policies/SOPs/evidence; answer library v1 for U.S. + Brazil (EN/PT-BR).
  • 60 days: closed all open client questionnaires; quarterly audit/test calendar set (access recert, vuln scans, BCP/DR, pen test); DPA/BAA templates updated.
  • 90 days: SOC 2/ISO 27001 readiness gap list with owners; trust center/pack refreshed; repeatable localization workflow in place.
Responsibilities
  • Run the documentation program end-to-end: establish a single source of truth for policies, procedures, SOPs, evidence, and answers (e.g., Confluence/Notion + GRC tooling).
  • Build a reusable “answer library”: maintain short, copy-ready responses for vendor security questionnaires and IT committee forms (e.g., the 13 control areas, Governance through Business Continuity).
  • Global privacy ops: maintain ROPA/records, DPIA/RIPD, data maps, data flow diagrams, and lawful bases per region (HIPAA/HITECH, LGPD, GDPR, etc.).
  • Security compliance: coordinate SOC 2/ISO 27001 readiness evidence; manage security controls documentation (access, logging, backups, BCP/DR, SDLC/DevSecOps, incident response).
  • Healthcare & SaMD docs: partner with Regulatory/Engineering on SaMD documentation (e.g., IEC 62304/82304, ISO 13485 alignment) and U.S. FDA De Novo submissions; maintain country-specific annexes (e.g., ANVISA).
  • Customer diligence at scale: own responses to hospital/enterprise due-diligence (SIG/CAIQ/HECVAT-like), RFPs, and security portals; keep evidence current and organized.
  • Policy lifecycle: draft, localize, publish, and version policies (security, privacy, acceptable use, incident handling, encryption, retention, asset/network/logical security, BCP/DR).
  • Audit & testing cadence: schedule and track internal reviews, vulnerability scans, third-party pen tests, BCP/DR exercises, and access recertifications; collect artifacts and close findings.
  • Incident readiness: keep runbooks current; coordinate post-incident documentation, timelines, and notifications (e.g., 48-hour breach clauses).
  • Contracts & data processing: maintain DPAs/BAAs/SOW security exhibits; align vendor assessments and subprocessors with privacy/security requirements.
  • Localization & translation: manage bilingual documentation (EN + PT-BR; ES a plus); ensure local terminology and legal references are correct.
  • Enable the team: deliver lightweight training materials and checklists for Sales, Support, and Engineering; make “the right answer” easy to find.