What we’re building and why we’re building it. 

Every month, millions of people use America’s Rewards App, earning rewards for buying brands they love – and a whole lot more. Whether shopping in the grocery aisle, grabbing a bite at the drive-through or playing a favorite mobile game, Fetch empowers consumers to live rewarded throughout their day. To date, we’ve delivered more than $1 billion in rewards and earned more than 5 million five-star reviews from happy users. 

It’s not just our users who believe in Fetch: with investments from SoftBank, Univision, and Hamilton Lane, and partnerships ranging from challenger brands to Fortune 500 companies, Fetch is reshaping how brands and consumers connect in the marketplace. When you work at Fetch, you play a vital role in a platform that drives brand loyalty and creates lifelong consumers with the power of Fetch points. User and partner success are at the heart of everything we do, and we extend that same commitment to our employees.

Ranked as one of America’s Best Startup Employers by Forbes for two years in a row, Fetch fosters a people-first culture rooted in trust, accountability, and innovation. We encourage our employees to challenge ideas, think bigger, and always bring the fun to Fetch.

Fetch is an equal employment opportunity employer.

Position Overview:

The Governance, Risk, and Compliance (GRC) Analyst is responsible for managing and overseeing the company’s Information Security Governance framework and Risk Management program. The role ensures that the organization complies with regulatory requirements, industry standards, and internal policies while mitigating risks that could negatively impact the business. The GRC Analyst will play a key role in leading the organization’s SOC2 certification efforts and leveraging tools like Vanta to streamline compliance and risk management.

Key Responsibilities:

Governance & Compliance:

  • Develop and maintain security policies, standards, and procedures that align with industry best practices and regulatory requirements.
  • Manage and oversee the SOC2 compliance program, ensuring all controls are implemented, maintained, and audited successfully.
  • Assist in compliance assessments (SOC2, ISO 27001, CCPA, etc.) and support internal and external audits.
  • Collaborate with cross-functional teams to address any gaps identified during audits or assessments and develop remediation plans.
  • Ensure alignment of security controls with business and regulatory requirements, recommending updates to policies as needed.

Risk Management:

  • Perform risk assessments, identifying information security risks, evaluating their impact, and recommending risk mitigation strategies.
  • Maintain and update the organization’s risk register and assist in developing risk treatment plans.
  • Conduct vendor risk assessments, reviewing third-party security controls and ensuring compliance with contractual agreements and regulations.
  • Develop and maintain key risk indicators to track and report on security risks across the organization.

GRC Platform Implementation & Management:

  • Leverage a GRC platform to monitor and manage compliance activities, automate evidence collection, and track the company’s progress toward SOC2 certification.
  • Ensure that the GRC platform is properly configured to meet the company’s compliance objectives and maintain system integrity.
  • Work closely with internal teams to integrate the GRC platform with various systems and processes, ensuring a smooth, automated compliance workflow.
  • Provide training and guidance to employees on the use of Vanta and on compliance-related responsibilities.

Audit Support & Reporting:

  • Support both internal and external audit processes, ensuring that appropriate documentation and evidence are provided on time.
  • Work with stakeholders to ensure audit findings are tracked and remediated efficiently.
  • Prepare and present reports to senior management, outlining risk assessments, compliance statuses, and remediation efforts.

Continuous Improvement:

  • Stay current with industry best practices, regulatory changes, and emerging threats to continuously improve the organization’s GRC posture.
  • Propose and implement improvements to the organization’s security program, ensuring alignment with the latest security frameworks and compliance requirements.
  • Engage in continuous education and certification opportunities relevant to the role (e.g., CISM, CRISC).

Preferred Qualifications:

Education & Certifications:

  • Bachelor’s Degree in Information Security, Cybersecurity, Information Technology, or a related field.
  • GRC-related certifications such as CRISC or CISM are preferred.
  • Knowledge of SOC2 certification requirements and auditing processes is preferred.
  • Knowledge of industry standards such as SOC2, ISO 27001, NIST, PCI DSS, GDPR, and CCPA.

Experience:

  • 3+ years of experience in Governance, Risk, and Compliance roles, focusing on security compliance and risk management.
  • Hands-on experience with compliance platforms like Vanta preferred.
  • Experience managing SOC2 certification efforts, including preparation, audit facilitation, and remediation.
  • Strong understanding of risk management frameworks and best practices.
  • Proven ability to perform and lead risk assessments and vendor risk evaluations.
  • Experience working with people management and IT to ensure employee onboarding and offboarding steps are performed securely and on time to meet compliance requirements.

Skills:

  • Strong project management and organizational skills.
  • Excellent written and verbal communication skills, with the ability to translate technical requirements into business-friendly language.
  • Attention to detail and strong analytical skills.
  • Ability to work collaboratively across departments, particularly with IT, Legal, and Business Operations teams.
  • Experience with cloud computing environments, AWS preferred.
  • Strong understanding of identity providers, Okta preferred.
  • Familiarity with Mac and Windows management and security issues.

At Fetch, we'll give you the tools to feel healthy, happy and secure through:

  • Equity for everyone
  • 401k Match: Dollar-for-dollar match up to 4%.
  • Benefits for humans and pets: We offer comprehensive medical, dental and vision plans for everyone including your pets.
  • Continuing Education: Fetch provides ten thousand per year in education reimbursement.
  • Employee Resource Groups: Take part in employee-led groups that are centered around fostering a diverse and inclusive workplace through events, dialogue and advocacy. The ERGs participate in our Inclusion Council with members of executive leadership.
  • Paid Time Off: On top of our flexible PTO, Fetch observes 9 paid holidays, including Juneteenth and Indigenous People’s Day, as well as our year-end week-long break.
  • Robust Leave Policies: 20 weeks of paid parental leave for primary caregivers, 14 weeks for secondary caregivers, and a flexible return to work schedule. $2000 baby bonus.
  • Flexible Work Environment: Collaborate with your team in one of our stunning offices in Madison, Birmingham, or Chicago. We’ll ensure you are equally equipped with the hardware and software you need to get your job done in the comfort of your home.



Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Fetch’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.


Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.

