Compliance Analyst (contract)

United States

Forma

Forma’s flexible benefits software helps companies offer competitive benefits packages while reducing costs. Select from LSA, FSA, HSA, and HRA.


About Forma

The employee benefits market is broken. Companies invest millions annually in benefits that employees neither value nor use regularly. Forma, founded in 2017, set out to challenge this one-size-fits-all approach.

Forma's flexible benefits software enables companies to offer competitive packages while reducing costs and inefficiencies. It gives employees more choice and flexibility in spending their benefit allowances. The platform also saves HR professionals countless hours managing and supporting various solutions.

With Forma, companies can choose from a suite of products, including Lifestyle Spending Accounts, Health Spending Accounts, Health Reimbursement Arrangements, Flexible Spending Accounts, and more. These products allow companies to design and deliver customized benefits programs through a single platform. Employees can then spend account funds in three ways: The Forma Store, The Forma Visa Card, or claim reimbursement.

Forma has helped hundreds of renowned companies, including Stripe, Zoom, Lululemon, and Affirm, design inclusive, flexible benefits programs for nearly a million employees. We have a 98% customer retention rate, 75 NPS, and 98 CSAT ratings from members.

Forma is backed by Emergence Capital and Ribbit Capital. It has received numerous awards for its exponential growth, software innovation, and as a "Great Place to Work." 

About the Role

We’re looking for a Compliance Analyst to help maintain, scale, and operationalize Forma’s compliance programs across SOC 2, HIPAA, PCI DSS, and privacy frameworks such as GDPR and CCPA. A key part of this role includes supporting the sales process by completing customer RFPs and security questionnaires to demonstrate our strong security and privacy posture. You’ll collaborate with cross-functional teams including InfoSec, Legal, Sales, and Product to build trust with customers and ensure our platform meets the highest standards of security, compliance, and transparency. This role is a 4 month temporary position and will report to the Director of Security and IT.

You Will
  • Own and manage ongoing compliance efforts across SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA.

  • Maintain and update security and privacy policies, documentation, and evidence to support audits and regulatory requirements.

  • Lead coordination and responses for third-party audits, risk assessments, and compliance reviews.

  • Support security incident response planning, tracking of corrective actions, and remediation activities.

  • Partner with Legal and Product to assess regulatory impacts of new features, vendors, and jurisdictions.

  • Collaborate with Sales and Customer Success teams to respond to security RFPs, due diligence questionnaires, and client assessments, helping communicate Forma’s compliance capabilities.

  • Own and update a knowledge base of standardized security responses and documentation for efficient RFP and questionnaire handling.

  • Conduct vendor security and privacy assessments, ensuring appropriate controls and agreements (e.g., SOC reports, BAAs) are in place.

  • Educate internal stakeholders through training and documentation on security and data protection best practices.

  • Stay current on evolving security standards, privacy laws, and industry trends to keep Forma audit-ready and proactive.

Preferred Skills
  • 5-8 years in security compliance, GRC, data privacy, or legal/compliance roles at a SaaS or fintech company.

  • Hands-on experience with SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA frameworks.

  • Familiarity with tools like Vanta, Drata, OneTrust, TrustArc, or equivalent.

  • Demonstrated success in completing RFPs, security questionnaires, and supporting enterprise client audits.

  • Strong written communication skills with the ability to tailor complex security responses to a non-technical audience.

  • Attention to detail, organization, and ability to manage multiple concurrent priorities.

  • Bachelor's degree in Information Security, Legal Studies, Business, or a related field.

  • Certifications such as CIPP/US, CIPM, CISSP, CISA, or ISO 27001 Lead Implementer are highly desirable.

At Forma, we value diversity, and always treat all employees and job applicants based on merit, qualifications, competence, and talent. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.

Duties and responsibilities may not all be covered in the description, or may change over time at the discretion of Forma. You're encouraged to apply even if your experience doesn't precisely match the job description. Your skills and passion will stand out—and set you apart—especially if your career has taken some extraordinary twists and turns. At Forma, we welcome diverse perspectives, and people who think rigorously and aren't afraid to challenge assumptions. Join us!


Perks/benefits: Flex hours Flexible spending account Health care

Regions: Remote/Anywhere North America
Country: United States
