Senior Governance, Risk, Compliance (GRC) Analyst

At Oura, our mission is to empower every person to own their inner potential. With our award-winning Oura Ring and app, we help over 2.5 million people turn insights about sleep, activity, and readiness into healthier, more balanced lives. We believe that starts from within — by creating a culture where our team feels supported, included, and inspired to do their best work. Our values guide how we show up for each other and our community every day.

This is a remote U.S. role with a strong preference for candidates based in the East Coast. We have offices in San Francisco and San Diego for those who prefer hybrid or office settings. Oura employees in other major cities (like Boston and New York) occasionally gather informally at local co-working locations.

We are looking for a Senior Governance, Risk and Compliance (GRC) Analyst to join our Security Team.  This role will serve as a subject matter expert (SME) leading compliance, risk, and governance initiatives. Working alongside the Governance Risk and Compliance Team, the Senior GRC Analyst will help mature our security and compliance programs such as SOC 2, HIPAA, ISO27001, ISO27799, HITRUST, NIST 800-171, CMMC, and FedRAMP.

The ideal candidate has hands-on experience leading and implementing compliance frameworks, conducting risk assessments, supporting audits, and developing policies that drive security and business alignment.

What you will do:

• Plan and lead strategic GRC initiatives such as attaining industry certification (e.g. SOC 2, HITRUST), as well as tactical initiatives for efficiency and automation.
• Policy & Procedure Management – Analyze, draft, update, and maintain security and compliance policies to align with regulatory requirements and industry best practices.
• Change Management Security Reviews – Collaborate with Product, Engineering, and Privacy teams to assess security risks in new product features, infrastructure changes, and business processes, and integrate Oura security controls within their workflows.
• Monitor and analyze regulatory changes and industry trends to ensure continuous improvement of the GRC program and maintain up-to-date compliance.
• Risk Management – Perform risk assessments, track remediation efforts, and collaborate with stakeholders to mitigate security and compliance risks.

Requirements

We would love to have you on our team if you have:

• Experience: 6+ years leading GRC, IT compliance, security, risk management projects.
• Compliance Knowledge: Strong understanding of various frameworks such as SOC 2, HIPAA, HITRUST, NIST 800-171, ISO27001, ISO27799, CMMC, FedRAMP, and related frameworks.
• Technical Skills: Familiarity with IT environments, cloud environments, security controls, and compliance tooling (e.g., AWS, GCP, GitHub).
• Risk & Audit Expertise: Hands-on experience conducting and leading risk assessments, managing audits, and supporting compliance reporting.
• Strong Communicator: Ability to translate compliance requirements into actionable policies and procedures.
• Certifications (Preferred): CGRC, CISA, CRISC, CISSP, or equivalent.

Benefits

At Oura, we care about you and your well-being. Everyone here at Oura has a ring of their own and we are continually looking to improve employee health.

What we offer:

• Competitive salary and equity packages
• Health, dental, vision insurance, and mental health resources
• An Oura Ring of your own plus employee discounts for friends & family
• 20 days of paid time off plus 13 paid holidays plus 8 days of flexible wellness time off
• Paid sick leave and parental leave

Oura takes a market-based approach to pay, which may vary depending on your location. US locations are categorized into tiers based on a cost of labor index for that geographic area. While most offers will be closer to the starting range, successful candidates' pay will be determined based on job-related skills, experience, qualifications, work location, internal peer equity, and market conditions. These ranges may be modified in the future.

• Region 1: $126,000 - $157,000 
• Region 2: $115,000 - $144,000 
• Region 3: $108,000 - $135,000 

A recruiter can determine your zones/tiers based on your US location.

We are not considering candidates residing in the following states: Alaska (AK), Delaware (DE), Iowa (IA), Mississippi (MS), Missouri (MO), Nebraska (NE), Rhode Island (RI), South Dakota (SD), Vermont (VT), West Virginia (WV), and Wisconsin (WI)

Oura is proud to be an equal opportunity workplace. We celebrate diversity and are committed to creating an inclusive environment for all employees. Individuals seeking employment at Oura are considered without regard to age, ancestry, color, gender (including pregnancy, childbirth, or related medical conditions), gender identity or expression, genetic information, marital status, medical condition, mental or physical disability, national origin, protected family care or medical leave status, race, religion (including beliefs and practices or the absence thereof), sexual orientation, military or veteran status, or any other characteristic protected by federal, state, or local laws. We will not tolerate discrimination or harassment based on any of these characteristics.

We will work to ensure individuals with disabilities are provided reasonable accommodation to participate in the interview process, to perform essential job functions, and to receive other benefits and privileges of employment.

Disclaimer: Beware of fake job offers!
We’ve been alerted to scammers posing as ŌURA recruiters, especially for remote roles. Please note:

• Our jobs are listed only on the ŌURA Careers page and trusted job boards.
• We will never ask for personal information like ID or payment for equipment upfront.
• Official offers are sent through Docusign after a verbal offer, not via text or email.

Stay cautious and protect your personal details.

To all recruitment agencies: Oura does not accept agency resumes. Please do not forward resumes to our jobs alias, Oura employees, or any other organization's location. Oura is not responsible for any fees related to unsolicited resumes.