Technical Head of Compliance
Senior Compliance Manager
Reports to: VP of Security, IT and Compliance
We're looking for an experienced Compliance Manager to drive our compliance program end-to-end at Fresha.
About Fresha
Fresha is the AI-powered operating system for the global beauty, wellness, and self-care industry, connecting and enabling businesses across salons, barbers, spas, medspas, fitness studios, and health practices.
We serve 140,000+ businesses and 450,000+ professionals, processing 1B+ appointments annually. Fresha enables consumers to discover, book, and pay local services through our marketplace, while professionals manage their appointments, finances, marketing, and operations via an intuitive platform.
Fresha’s ecosystem integrates appointment booking, POS systems, customer management, automation, loyalty programs, inventory, and team tools. The consumer-facing marketplace expands revenue through online bookings, targeted marketing (including Instagram, Facebook, and Google integrations), and data-driven insights.
Our headquarters are in London, with offices across North America, EMEA, and APAC.
About the Role
This hands-on role requires ownership of a rapidly scaling compliance program across five critical frameworks:
- HIPAA (ongoing maintenance)
- ISO 27001 (ongoing maintenance)
- PCI DSS (imminent audit)
- GDPR (launching this year)
- SOC 2 Type II (launching this year)
You’ll join a mature but rapidly evolving compliance function with existing processes in place (Sprinto, access reviews, vulnerability management), but the expectation is to expand capabilities, automate workflows, and truly scale efficiency.
For three days a week, you’ll work remotely, with the remainder spent in our dog-friendly London office (The Bower, 207-122 Old Street, EC1V 9NR).
What You’ll Own
Audits & Certifications
- Lead the PCI DSS audit from scoping to completion.
- Prepare for GDPR and SOC 2 Type II certifications.
- Serve as the primary contact for external auditors (evidence collation, walkthroughs, findings mitigation).
- Maintain HIPAA and ISO 27001 certifications between recertifications.
Compliance Operations
- Conduct quarterly access reviews (users, systems, and permissions).
- Optimize Sprinto workflows for full control coverage, rapid failure resolution, and current evidence.
- Track vulnerability management (closure rates, SLA adherence, drift remediation).
- Lead the compliance risk register (prioritize risks, integrate into business decisions).
Data Protection
- Handle Subject Access Requests (SARs) and Data Access Requests end-to-end.
- Maintain up-to-date GDPR Record of Processing Activities (ROPA) as systems and vendors evolve.
- Enforce data retention policies (theoretical + system-level adherence).
Vendor & Third-Party Risk
- Evaluate new vendors for security/hygiene, data handling, and compliance obligations.
- Conduct regular reassessments of critical/high-risk vendors.
- Manage vendor inventory, Data Processing Agreements (DPAs), and sub-processor lists purposefully.
Policy & Awareness
- Draft new policies and updates as regulations/business change.
- Ensure policies are actionable, understood, and followed in practice (not merely ceremonial).
- Lead the compliance training program (annual + role-specific training for engineers handling PHI/PII).
Automation & AI
- Question why manual processes remain (e.g., evidence collection, access reviews, vendor assessments).
- Maximize Sprinto + adjacent tooling, while adopting scripts, automation, and/or AI expansion (e.g., SAR scoping, vendor questionnaire triage).
- Use LLMs for drafting and analysis—but respect manual sign-off requirements before external/stakeholder engagement.
- Optimize the compliance function’s operating model for long-term efficiency.
What We’re Looking For
Requirements
- Direct experience leading compliance functions across at least two frameworks (e.g., PCI DSS, SOC 2, GDPR, ISO 27001, HIPAA). Right now, PCI DSS and GDPR experience are especially valuable.
- Demonstrated ability to push back diplomatically during audits (evidence requests, reconsideration of scope).
- A hands-on, build-it-myself mentality—not a "create recipes and delegate" role.
- AI & automation fluency: scripting (Python/Bash) familiarity or developer collaboration. The mindset is, "Let’s build tools, not just use them."
- Comfort translating between engineering culture and regulatory standards without alienating either side.
- Bonus: Exposure to GRC tooling beyond Sprinto, DPO/DPO-adjacent experience, payments regulatory frameworks, or a track record demonstrating measurable automation impact.
How You’ll Work
- One direct report from day one, with the bandwidth to expand the function as needed.
- Collaborate with Security, IT, Legal, Engineering, and HR.
- Audit interactions will demand deep engagement (evidence collation, auditor fieldwork). Day-to-day will involve teams responsible for vulnerability fix pipelines, user access maintenance, and innovations that respect compliance requirements.
Interview Process
Stage 1: Video with Talent Team (45–60 mins)
Stage 2: Vice President of Security, IT & Compliance (60 mins)
Stage 3: Final-stage video (90 mins: CTO & Head of Talent)
Feedback/closing: Aim to deliver feedback within 4 weeks.
Diversity & Inclusion
We build culture for all backgrounds. Fresha checks each and every application for fairness, and accommodates interviewer/office/accessibility needs—let us know how we can support you.
No discrimination based on: race, colour, religion, sex, sexual orientation, age, marital status, gender identity, national origin, disability, or any applicable legally protected characteristic.