Technical Head of Compliance
Chief Compliance Officer at Fresha
The AI-powered OS for beauty, wellness and self-care
About Fresha
Fresha is the AI-powered operating system for the global beauty, wellness and self-care industry, connecting and powering everything from salons and barbers to spas, medspas, fitness studios and health practices.
Trusted by millions of consumers and businesses worldwide, Fresha is used by 140,000+ businesses and 450,000+ stylists and professionals worldwide, processing over 1 billion appointments to date.
Based in London, with 15 global offices across North America, EMEA and APAC, Fresha allows consumers to discover, book and pay for beauty and wellness appointments locally via its marketplace, while businesses manage their entire operations using innovative business software and financial technology solutions.
Fresha’s ecosystem includes:
- appointment bookings
- point-of-sale
- customer records management
- marketing automation
- loyalty programmes
- beauty products inventory
- team management
The consumer-facing marketplace maximises revenue for businesses through online bookings, automated marketing via mobile apps and secure integrations with major tech platforms including Instagram, Facebook and Google.
About the Role
Reports to: VP of Security, IT and Compliance
We are seeking an experienced Compliance Officer to oversee end-to-end compliance operations at Fresha. Currently meeting HIPAA and ISO 27001 requirements, Fresha is preparing for a PCI DSS audit, GDPR compliance, and externally auditing as part of SOC 2 Type II. This role requires managing multiple frameworks simultaneously with minimal oversight.
Currently handled by one person, this function will expand to cover data protection, vendor risk management, and policy development. While existing frameworks exist (Sprinto for decision tracking, access review schedules, and vulnerability management), improvements involve automating processes, enhancing efficiency, and leveraging AI.
We expect the hired candidate to lead an automated, efficient, and scalable compliance programme—leveraging tooling, configuration, and AI—but not staff growth alone.
The role will be based in our London office, working on-site 5 days per week with a dog-friendly environment in Old Street, EC1V 9NR.
Responsibilities
Audits and Certifications
- Complete PCI DSS audit to certification, followed by GDPR and SOC 2 Type II audits.
- Serve as the primary contact for external auditors for scoping, evidence provision and findings implementation.
- Ensure HIPAA compliance beyond recertification timelines.
Compliance Operations
- Conduct quarterly access reviews across relevant systems.
- Sustain effective Sprinto control assurance, resolving gaps while ensuring up-to-date evidence.
- Lead vulnerability management, uncovering SLA-related issues and prioritising corrections.
- Maintain and regularly review the compliance risk register, ensuring it drives business decisions.
Data Protection
- Handle Subject Access Requests (SARs) and data access requests in full.
- Maintain the GDPR Records of Processing Activities (ROPA) during evolving systems, vendors, and data flows.
- Oversee data retention policies, not just documentation but real implementation into business systems.
Vendor and Third-Party Risk
- Assess new vendors pre-onboarding—security review, data handling compliance, and Data Processing Agreements (DPAs).
- Conduct regular risk reviews for critical and high-risk vendors.
- Keep an up-to-date vendor inventory, evidence of compliant processing agreements, and sub-processor lists so they are ready for audit.
Policy and Awareness
- Develop and update policies as the business environment and regulations change.
- Ensure policies remain practical, understandable, and actionable—not mere shelfware.
- Lead the compliance and privacy training program, including annual training and specialized sessions for roles handling PHI, cardholder data, and regulatory obligations.
Automation and AI
- Identify repetitive tasks and work out how they can be automated: evidence collection, control testing, access review workflows, vendor questionnaire triage, SAR data discovery, policy drafting and ROPA upkeep.
- Make full use of Sprinto's advanced tooling, supplemented by scripts, workflows, or AI integrations where relevant.
- Thoughtfully use large language models for drafting and analysis but validate rigorously, especially in regulatory or auditor-facing materials.
- Continuously elevate the compliance function as a self-improving product—fewer manual tasks via automation, smarter decisions, not undue reliance on checking boxes.
Requirements
- Hands-on experience with at least two of these frameworks: HIPAA, ISO 27001, PCI DSS, SOC 2, GDPR.
- PCI DSS and GDPR frameworks are highly valued given upcoming requirements.
- Proven ability to communicate clearly with auditors and confidently challenge findings or scoping.
- Willingness to dive deep, hands-on with compliance tools, Sprinto, training workshops, and policies.
- Technical automation fluency: APIs, scripting, integrating GRC platforms, and the ability to troubleshoot scripts yourself rather than relying on others to build everything for you.
- Ability to translate between engineers and auditors without frustration on either side.
Bonus Considerations
- Experience with other GRC tools beyond Sprinto.
- Direct Data Protection Officer experience or equivalent.
- Payments regulatory exposure.
Collaborative Work Model
- Direct reporting structure: Start with 1 direct report, with the possibility to steward growth as needed.
- Cross-functional collaboration: Work closely with Security, IT, Legal, Engineering and People teams.
- Audit partnerships: Expect direct collaboration with auditors during designated windows, and team engagement with engineering and vendors the rest of the year.
How You'll Be Hired
Screen Stage
- Video call with the Talent Team (45–60 minutes).
First Stage
- Interview with the VP of Security, IT & Compliance (60 minutes).
Final Stage
- Video interview with the CTO (60 minutes).
- Video interview with the Head of Talent (30 minutes).
Job Application Processing
- All applications reviewed manually by the Talent Team.
- Ideally reviewed within 7 days. Due to high traffic, occasional delays can occur.
Inclusive Workforce Commitment
Fresha fosters a culture where individuals of all backgrounds feel valued, contributing fully to the organization’s vision.
We actively welcome diversity, inclusiveness, and equal opportunity, ensuring no discrimination based on:
- Race
- Religion
- Sex
- Sexual orientation
- Age
- Marital status
- Gender identity
- National origin
- Disability
- Other legally protected characteristics.
Accessibility
If you have accessibility requirements that would improve your comfort during the interview process or while working, please let us know so that we can accommodate them.
AI-Assisted Screening: Fresha may use AI tools to pre-select candidates, particularly for resume analysis, application consistency and verification. These tools supplement—not replace—human, final judgment. For additional information regarding our data processing practices, please see our privacy policy.