Our Mission
ButterflyMX is on a mission to empower people to open and manage doors & gates from a smartphone. Our products are installed in more than 20,000+ multifamily, commercial, gated communities, and student-housing properties worldwide, including properties developed, owned, and managed by the most trusted names in real estate. Our features are designed for developers, owners, property managers, and tenants and our products lower operating costs and improve tenant satisfaction.
Our Solution
Developers and owners no longer need to run building wiring or install in-unit hardware. Property managers can grant building access, revoke permissions, and review entry logs from an online dashboard. Residents can open doors from their smartphones, issue visitor access, and see who is trying to enter the building.
Our Culture & Values
Fantastic people are the key to our success. As a distributed, primarily remote workforce, we’re looking for more intelligent, passionate, collaborative, ai-forward, and down-to-earth individuals to join our growing team. We’re driven by a shared commitment to excellence and innovation, grounded in our core values: We delight our customers, We take ownership, We are a community of collaborators, We speak up, We think big and do small, and We are tenacious.
Role Overview
ButterflyMX is seeking a GRC Engineer who is equal parts practitioner and builder. You will own the governance, risk, and compliance program. But more importantly, you will re-engineer how that program operates: replacing manual, point-in-time processes with AI-assisted, automated, and agentic workflows wherever possible. From continuous controls monitoring to automated vendor risk intake to AI-accelerated policy drafting, you will design a GRC function built for scale. This is a generalist role that spans the full GRC surface: compliance operations, risk management, audit management, trust and assurance, vendor/supply chain risk, and operational privacy support. You will own the day-to-day operations of our compliance posture: managing audit readiness, maintaining our risk register, driving policy development, coordinating vendor risk assessments, and building sustainable processes through engineering automations. You are equally comfortable automating a controls evidence request (not just handing it to the control owner!); conducting a supply chain risk analysis (software, firmware, hardware); and building automations and workflows to reduce compliance and documentation burdens. It is an individual contributor position reporting directly to the CISO to build and sustain our governance, risk, and compliance program.
Responsibilities
- Own and continuously mature the company risk register; design a risk management workflow that uses AI tooling to surface, score, and route emerging risks with minimal manual intervention, ensuring the register reflects real-time posture, not a quarterly snapshot.
- Lead external audit management (SOC 2 Type II); automate evidence collection pipelines in Vanta so that audit cycles are driven by continuous monitoring rather than evidence sprints, and begin scoping a readiness path for ISO 42001 (AI management systems).
- Engineer the Trust and Assurance program for scale: build automated intake and triage workflows for security questionnaire requests, deploy AI-assisted response generation against a curated knowledge base, and expand the trust portal so that partner due diligence is largely self-service.
- Build a vendor and supply chain risk program that goes beyond static spreadsheets. Design automated vendor intake, tiered risk scoring, and continuous monitoring triggers (news alerts, rating service integrations, release notes, expiration tracking) that surface risk without requiring manual sweeps.
- Redesign and maintain security and privacy policies; use AI to draft, version, and track policy updates, and build a lightweight workflow for owner review, approval, and attestation that doesn't require a ticketing system to chase people down.
- Own common controls monitoring in Vanta. Configure and tune integrations, checks, and alerting so that control failures surface automatically to the right owners, not just to a GRC inbox. Drive the organization toward an always-on compliance posture.
- Modernize the security awareness and training program.
- Design and operationalize an integrated compliance calendar covering SOC 2, security and IT systems licensing renewals, applicable state privacy regulations, and any other active frameworks with automated reminders and status tracking rather than manual coordination.
- Support the CISO and General Counsel on operational privacy practices: administer cookie consent management tooling, handle or route data subject requests (DSRs) through a documented and auditable workflow, and help maintain the company's privacy notice and data mapping inventory.
- Monitor the regulatory and compliance landscape, including AI governance developments (EU AI Act, NIST AI RMF, ISO 42001). Proactively surface changes that require a policy, control, or product response.
- Leverage AI tools across every GRC workflow; this role is expected to demonstrate measurable efficiency gains through automation and tooling, not simply to own a portfolio of manual processes.
Requirements
- 3+ years of experience in GRC, information security compliance, or risk management.
- Working knowledge of SOC 2 (Trust Services Criteria), with hands-on experience supporting or leading audits.
- Familiarity with additional frameworks is a strong plus: CIS Controls v8, NIST CSF, NIST AI RMF, NIST Privacy Framework, NIST SP 1800 series, NIST 800-53 r5, ISO 42001, ISO 27701, ISO 27001, OWASP Top 10 for Agentic Applications, MITRE D3FEND, MITRE SoT, MITRE ALTAS.
- Experience conducting rapid third-party/vendor risk assessments and managing a supply chain risk program.
- Strong organizational skills with the ability to manage multiple concurrent workstreams and deadlines.
- Excellent written communication, capable of drafting clear, audience-appropriate policy documents and executive risk summaries.
- Experience with Vanta platform (or equivalent)
- Relevant certifications a plus: CISA, CRISC, CISSP, CIPP, or equivalent.
- Proven experience with leveraging AI tools in both professional and personal settings. ButterflyMX is an AI-forward organization and the ability to optimize efficiency using AI is crucial in every role.
Benefits
- Comprehensive Medical, Dental and Vision plans (ButterflyMX covers 80% of the cost) starting day 1
- 401(k) plan with a match
- 10 paid holidays, 20 vacation days, 5 sick days, 3 floating holidays
- Basic Life and Accidental Death and Dismemberment Insurance (ButterflyMX covers 100% of the cost)
- Short and Long Term Disability (ButterflyMX covers 100% of the cost)
- Paid Family Leave
- Employee Assistance Program
- Quarterly self-care stipends
- Access to optional benefits including pre-tax flexible healthcare spending accounts (FSA and HSA), Dependent Care FSA, and Commuter Benefits, as well as optional Supplemental Life, AD&D, Hospital Indemnity, Legal, Accident, Critical Illness, Pet, and Personal Liability Insurance
- And more!
ButterflyMX is an equal opportunity employer and we value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. You must have the authorization to work in the US to become an employee. We strive to create an accessible and inclusive experience for all candidates and employees. If you need reasonable accommodations during the application or the recruiting process, please let our recruiting team know.