This role is open to candidates based in the United States only. Candidates must be located in the Eastern or Central Time zones (ET/CT).

Phreesia is looking for a Director, GRC & Data Protection to serve as the CISO’s operating partner and lead our GRC and data security programs in a highly product-driven, SaaS environment. This role is ideal for a deeply technical security leader who can move comfortably between audit rooms, architecture reviews, and executive updates—someone who can both design controls and roll up their sleeves to implement them.

The Director, GRC & Data Protection will have overall responsibility and ownership for the design and implementation of Phreesia’s security governance, risk, compliance, and data protection architecture and associated strategy. A key objective of this role is to drive simplification, standardization, and security maturity across our products, platforms, and data environments, while enabling Phreesia’s continued growth. This individual’s primary responsibilities include leading, designing, and operationalizing security controls and processes across multiple regulatory and industry frameworks—such as PCI DSS (Level 1 service provider), HITRUST CSF, SOC 2, SOX ITGC, HIPAA, and NIST CSF—into a coherent, risk-based program.

The Director, GRC & Data Protection will function as a key contributor to our target-state enterprise and data architectures, ensuring that data security requirements are considered early in the design of new products, platforms, and integrations. This includes informing architecture decisions for cloud services, data platforms, and SaaS applications, with a particular focus on protecting sensitive healthcare and payment data in line with evolving regulatory and customer expectations. This position will be responsible for collaborating with the Legal/Privacy, Product & Engineering, and Phreesia leadership on emerging challenges and opportunities.
The Director, GRC & Data Protection will stay current on evolving regulations, security standards, and best practices in domains such as PCI DSS 4.0, HITRUST, SOC 2, and healthcare privacy/security, ensuring Phreesia’s governance program anticipates rather than reacts to changes. They will establish and maintain the governance processes, risk registers, and decision forums that guide business leaders toward informed, risk-aware choices about platforms, data usage, and third-party services.

Success in this role requires strong teamwork with our CISO, Legal, Privacy, enterprise architects, Security Engineering, IT, and Product & Engineering leadership. The Deputy CISO will help these teams understand how governance and data security requirements translate into practical, engineering-grade controls and will ensure that control designs, evidence strategies, and remediation plans are both technically sound and auditable.

Candidates for this role must be comfortable leading through both direct management and influence in a highly matrixed environment. You will lead GRC and data-security-focused personnel directly, while also driving outcomes through collaboration with engineering managers, product leaders, infrastructure teams, and internal/external audit stakeholders. This individual has hands-on experience designing, implementing, and communicating controls in restricted and regulated data environments, such as healthcare and payments, and is comfortable working across multiple frameworks and attestations simultaneously (PCI DSS, HITRUST, SOC 2, SOX ITGC, HIPAA/NIST).

The ideal candidate will demonstrate strong analytical and interpersonal communication skills as well as program management capabilities: able to interpret complex requirements, design practical controls, oversee implementation and testing, and present clear risk and status updates to senior executives and boards. They should be equally comfortable discussing data encryption and segmentation with engineers, explaining audit findings, and walking a customer’s security team through Phreesia’s control environment.
Job Type
Full-time
Career Level
Mid Level