Skip to content

Hiring Briefing: Information Security Compliance Manager

  • Hybrid
    • Vienna, Wien, Austria
    • Berlin, Berlin, Germany
    +1 more
  • Compliance

Job description

💡 We’re looking for an Information Security Compliance Manager (ISO 27001 / GDPR / HIPAA) to take ownership of our certified ISO/IEC 27001 ISMS and our privacy program in a health-data SaaS environment. You will maintain and continuously improve our ISO 27001 system (supported by Vanta), lead internal and external (surveillance) audits, and evolve our GDPR setup to also cover HIPAA expectations and special categories of data in close partnership with Engineering and Tech.

Why Flinn?

  • We are building a truly exceptional culture: While many companies claim to have a great culture, we invite you to discover what truly sets ours apart. Visit our career page, speak with our team, listen to our founders’ podcast, or experience our culture first-hand during the interview process.

  • Make a Meaningful Impact: Your work at Flinn contributes directly to solutions that improve people’s health and lives by making high-quality health products accessible for everyone.

  • Experienced, well-funded, highly professional: As well-funded startup veterans, we know how to sustain long-term business health and success, ensuring an environment for continuous personal growth.

Your contributions to our journey:

  • Take over end-to-end ownership of our certified ISO 27001 ISMS, ensuring it stays effective, current, and audit-ready year-round.

  • Lead preparation and execution support for surveillance audits, including evidence readiness, stakeholder preparation, and closing findings.

  • Run the internal audit program and drive corrective actions (CAPA) to closure with clear ownership and measurable outcomes.

  • Harmonize security and privacy governance by aligning ISO 27001 and GDPR processes (risk, vendor management, incident/breach handling, access governance, retention).

  • Expand the privacy program from GDPR to include HIPAA-related requirements and robust handling of health/sensitive data (incl. vendor/subprocessor controls).

  • Translate security/privacy requirements into pragmatic, actionable work for Engineering and Operations (“what needs to be done, how, and what evidence is needed”).

  • Improve scalability of compliance operations using Vanta (evidence automation, control monitoring, clean documentation) and help prepare for future SOC 2 / NIST needs.

What is in for you?

  • Grow with us. We are committed to supporting you in your professional and personal development, no matter whether you aim to become a great leader, renowned expert, successful entrepreneur, or high performing specialist.

  • Staying healthy is a top priority. We help each other to reflect, stay in balance, and free up company budget to support healthy activities (food, subscriptions, team activities etc.).

  • Competitive compensation, including above-market salaries for exceptional talent.

  • We offer you flexibility and empower you to design your days/weeks according to your needs. Therefore, we offer unlimited vacation and very flexible working hours.

  • We commit ourselves to the highest integrity standards. Great performance is not an excuse for disrespectful, jerk-like behavior.

Job requirements

What you need to be successful:

  • 3–5 years of experience in information security compliance / ISMS / GRC in a tech or SaaS environment

  • Hands-on ownership of an ISO/IEC 27001 ISMS in a certified organization, including operating cadences (risk, SoA, control reviews, metrics, continual improvement)

  • Audit experience you can point to: participation/leadership in external audits (surveillance/recertification) and successful closure of findings

  • Ability to plan/execute (or coordinate) internal audits and drive corrective actions through to verified completion

  • Practical GDPR operations experience (e.g., RoPA, DPIAs, vendor/subprocessor governance, DSAR coordination, incident/breach support)

  • Comfort working in environments processing health data / special categories of data, and ability to operationalize privacy and security expectations (HIPAA exposure is a plus)

  • Solid technical foundation to collaborate with Engineering on controls and evidence (IAM/SSO/MFA/RBAC, logging/audit trails, vulnerability & patch mgmt, change mgmt, cloud/SaaS fundamentals)

  • Excellent English communication skills (written and verbal); German is a plus

  • Location: Vienna or Berlin (hybrid/onsite expectations as applicable)

Attributes we are looking for:

  • Pragmatic doer mindset: you turn standards into workable processes and evidence without creating unnecessary overhead

  • Structured and reliable: strong follow-through, clear prioritization, and comfort running recurring cadences (audits, reviews, actions)

  • Confident stakeholder manager: you can influence cross-functionally without formal authority and build trust with Engineering

  • Audit-ready thinking: you know what “good evidence” looks like and keep the program continuously ready, not just before audits

  • Clear communicator and translator: you can explain requirements simply and adapt your message to technical and non-technical audiences

  • Ownership mentality: you proactively identify gaps, propose improvements, and drive them to completion


At this stage of our company, we can only accept applications from people who are based in Europe with either European citizenship, an active working visa or being self-employed and joining us as a full-time contractor.

We strive to remove barriers, eliminate discrimination, and ensure equal opportunity through our transparent recruitment process. We are open to all groups of people without regard to age, color, national origin, race, religion, gender, sex, sexual orientation, gender identity and/or expression, marital status or any other legally protected characteristic.


or