About The RoleAs Senior Privacy & Security Counsel, you will own GC AI's privacy, data protection, and security compliance legal work, reporting to the General Counsel initially. You will be the go-to lawyer for everything from GDPR and CCPA compliance to SOC 2 and ISO certification programs, DPA negotiations, and AI governance. You will partner with the Privacy & Compliance team on operational execution, work alongside the commercial legal team on customer-facing data protection terms, and advise product and engineering on privacy-by-design. At a company that builds legal AI, you will also be shaping how privacy and security counsel work gets done in the future.
The Impact You Will Have- Own GC AI's privacy and security legal posture across every regulatory framework that touches the business.
- Serve as the internal subject matter expert that product, engineering, sales, and the commercial legal team rely on for privacy and security guidance.
- Directly enable enterprise deals by handling the DPA and security addendum negotiations
that sophisticated customers require. - Build and maintain the privacy and security playbook positions that scale with GC AI's growth.
- Keep GC AI ahead of the regulatory curve on AI governance, international privacy
frameworks, and emerging US state privacy laws.
What You Will Do- Own the legal framework for GC AI's SOC 2, ISO 27001, and ISO 42001 compliance
programs, partnering with the GRC and Compliance team on operational execution. - Advise product and engineering on privacy-by-design, data protection impact assessments, and AI governance requirements.
- Own GC AI's regulatory compliance posture for GDPR, CCPA/CPRA, EU AI Act, and emerging US state privacy laws.
- Serve as the escalation point for complex DPA and security addendum negotiations, working alongside the commercial legal team.
- Directly handle DPA and security addendum redlines for strategic and high-value customer deals.
- Maintain and evolve GC AI's standard DPA, security addendum, and Information Security Addendum templates and playbook positions.
- Support enterprise sales by joining security calls with sophisticated prospects and responding to detailed security and privacy inquiries.
- Assist with managing relationships with external auditors and compliance vendors (e.g., SOC 2 auditors, penetration testing firms, privacy tooling providers).
- Advise on incident response legal obligations, breach notification requirements, and customer communications.
- Own the legal review of the Trust Center, security marketing claims, and subprocessor disclosures.
- Provide guidance on cross-border data transfers, international privacy frameworks, and jurisdiction-specific data protection requirements.
- Assist with other compliance projects (including entity compliance management)
- Take on additional projects and tasks as needed in response to the evolving needs of a fast- growing startup.
Required Experience- JD and active bar membership in at least one US jurisdiction.
- 5-10 years of privacy and security legal experience, with a meaningful portion in-house at a technology or SaaS company.
- Deep working knowledge of GDPR, CCPA/CPRA, and the broader US and international data protection regulatory landscape.
- Experience supporting sales processes at a B2B SaaS company, including security reviews, procurement questionnaires, and customer-facing calls.
- Experience negotiating DPAs and data protection terms in a B2B SaaS context, including GDPR Article 28 processor obligations, standard contractual clauses, and cross-border transfer mechanisms.
- Demonstrated ability to work independently, prioritize competing demands, and deliver under pressure.
- Comfort working at startup pace with ambiguity, shifting priorities, and limited precedent.
Nice To Have- CIPP/US, CIPP/E, or similar privacy certification.
- Experience with AI governance frameworks (EU AI Act, NIST AI RMF) or ISO 42001.
- Hands-on experience supporting security compliance programs (SOC 2, ISO 27001, or similar), including policy drafting, audit support, and gap analysis.
- Background in cybersecurity incident response or breach management.
- Experience at a high-growth startup or scale-up company (Series B through pre-IPO).
- Prior big law firm experience in privacy, data protection, or technology transactions
Location PolicyThis is a remote role unless you fall within the following parameters. If you live within approximately 50 miles of our San Mateo, CA or Provo, UT office, the position follows a hybrid schedule with in-office days on Tuesdays, Wednesdays, and Thursdays.