
Fresha

Technical Head of Compliance

London
Posted 2 days ago

Technical Head of Compliance

Chief Compliance Officer at Fresha

The AI-powered OS for beauty, wellness and self-care


About Fresha

Fresha is the AI-powered operating system for the global beauty, wellness and self-care industry, connecting and powering everything from salons and barbers to spas, medspas, fitness studios and health practices.

Trusted by millions of consumers and businesses worldwide, Fresha is used by 140,000+ businesses and 450,000+ stylists and professionals worldwide, processing over 1 billion appointments to date.

Based in London, with 15 global offices across North America, EMEA and APAC, Fresha allows consumers to discover, book and pay for beauty and wellness appointments locally via its marketplace, while businesses manage their entire operations using innovative business software and financial technology solutions.

Fresha’s ecosystem includes:

  • appointment bookings
  • point-of-sale
  • customer records management
  • marketing automation
  • loyalty programmes
  • beauty products inventory
  • team management

The consumer-facing marketplace maximises revenue for businesses through online bookings, automated marketing via mobile apps and secure integrations with major tech platforms including Instagram, Facebook and Google.


About the Role

Reports to: VP of Security, IT and Compliance

We are seeking an experienced Compliance Officer to oversee end-to-end compliance operations at Fresha. Fresha currently meets HIPAA and ISO 27001 requirements and is preparing for a PCI DSS audit, GDPR compliance, and an external SOC 2 Type II audit. This role requires managing multiple frameworks simultaneously with minimal oversight.

This function is currently handled by one person and will expand to cover data protection, vendor risk management, and policy development. Foundations are already in place (Sprinto for decision tracking, access review schedules, and vulnerability management); the improvements ahead involve automating processes, enhancing efficiency, and leveraging AI.

We expect the hired candidate to lead an automated, efficient, and scalable compliance programme—leveraging tooling, configuration, and AI—but not staff growth alone.

The role will be based in our London office, working on-site 5 days per week with a dog-friendly environment in Old Street, EC1V 9NR.


Responsibilities

Audits and Certifications

  • Complete PCI DSS audit to certification, followed by GDPR and SOC 2 Type II audits.
  • Serve as the primary contact for external auditors for scoping, evidence provision and findings implementation.
  • Ensure HIPAA compliance beyond recertification timelines.


Compliance Operations

  • Conduct quarterly access reviews across relevant systems.
  • Sustain effective Sprinto control assurance, resolving gaps while ensuring up-to-date evidence.
  • Lead vulnerability management, uncovering SLA-related issues and prioritising corrections.
  • Maintain and regularly review the compliance risk register, ensuring it drives business decisions.

Data Protection

  • Handle Subject Access Requests (SARs) and data access requests in full.
  • Maintain the GDPR Records of Processing Activities (ROPA) during evolving systems, vendors, and data flows.
  • Oversee data retention policies, not just documentation but real implementation into business systems.

Vendor and Third-Party Risk

  • Assess new vendors pre-onboarding—security review, data handling compliance, and Data Processing Agreements (DPAs).
  • Conduct regular risk reviews for critical and high-risk vendors.
  • Keep an up-to-date vendor inventory, proof of compliant processing agreements, and sub-processor lists for audit readiness.

Policy and Awareness

  • Develop and update policies as the business environment and regulations change.
  • Ensure policies remain practical, understandable, and actionable—not mere shelfware.
  • Lead the compliance and privacy training program, including annual training and specialized sessions for roles handling PHI, cardholder data, and regulatory obligations.

Automation and AI

  • Challenge repetitive tasks, identifying how they can be automated: evidence collection, control testing, access review workflows, vendor questionnaire triage, SAR data discovery, policy drafting and ROPA upkeep.
  • Make full use of Sprinto's tooling, supplemented by scripts, workflows, or AI integration where relevant.
  • Thoughtfully use large language models for drafting and analysis but validate rigorously, especially in regulatory or auditor-facing materials.
  • Continuously elevate the compliance function as a self-improving product—fewer manual tasks via automation, smarter decisions, not undue reliance on checking boxes.

Requirements

  • Hands-on experience with at least two of these frameworks: HIPAA, ISO 27001, PCI DSS, SOC 2, GDPR.
  • PCI DSS and GDPR frameworks are highly valued given upcoming requirements.
  • Proven ability to communicate clearly with auditors and confidently challenge findings or scoping.
  • Willingness to dive deep, hands-on with compliance tools, Sprinto, training workshops, and policies.
  • Technical automation fluency: APIs, scripting, leveraging GRC platforms, and enough understanding to troubleshoot scripts—no reliance on external build-outs without your own engagement.
  • Ability to translate between engineers and auditors without frustration on either side.
  • Bonus Considerations:
    • Experience with other GRC tools beyond Sprinto.
    • Direct Data Protection Officer experience or equivalent.
    • Payments regulatory exposure.


Collaborative Work Model

  • Direct reporting structure: Start with 1 direct report, with the possibility to steward growth as needed.
  • Cross-functional collaboration: Work closely with Security, IT, Legal, Engineering and People teams.
  • Audit partnerships: Expect direct collaboration with auditors during designated windows, and team engagement with engineering and vendors the rest of the year.

How You'll Be Hired

  1. Screen Stage
    • Video-call with Talent Team (45–60 minutes).
  2. First Stage
    • Interview with the VP of Security, IT & Compliance (60 minutes).
  3. Final Stage
    • Video interview with CTO (60 minutes).
    • Video interview with Head of Talent (30 minutes).

Job Application Processing

  • All applications reviewed manually by the Talent Team.
  • Ideally reviewed within 7 days. Due to high traffic, occasional delays can occur.

Inclusive Workforce Commitment

Fresha fosters a culture where individuals of all backgrounds feel valued, contributing fully to the organization’s vision.

We actively welcome diversity, inclusiveness, and equal opportunity, ensuring no discrimination based on:

  • Race
  • Religion
  • Sex
  • Sexual orientation
  • Age
  • Marital status
  • Gender identity
  • National origin
  • Disability
  • Other legally protected characteristics.

Accessibility

If you have accessibility requirements that improve your comfort during the interview process or while working, please notify us so that we can accommodate your needs.


AI-Assisted Screening: Fresha may use AI tools to pre-select candidates, particularly for resume analysis, application consistency and verification. These tools supplement—not replace—human, final judgment. For additional information regarding our data processing practices, please see our privacy policy.


Skills

Compliance
PCI DSS
GDPR
SOC 2
ISO27001
HIPAA
Data Protection
Vendor Risk
Policy Writing
Automation
AI Tools
Auditing
Risk Management
Access Reviews
Vulnerability Management
Training

Location

London, England, United Kingdom
