
Instacart

Senior Risk & Compliance Engineer (Third Party Risk Management)

Job Summary

This role involves managing and overseeing third-party risk within Instacart's Governance, Risk, and Compliance team. The candidate will conduct vendor evaluations, develop and refine risk management processes, and ensure compliance with regulations such as GDPR and CCPA. It requires experience with risk management tools, security standards, and the ability to communicate complex risks to both technical and non-technical stakeholders. The position offers the flexibility of remote work and provides competitive benefits and equity options.

Required Skills

Stakeholder Engagement
Regulatory Compliance
Cybersecurity
Automation
Risk Management
Contract Negotiation
Data Privacy
Security Frameworks
Security Incident Response
Data Lakes
Vendor Evaluation
AI Security
Third Party Risk
Data Warehouses
GRC Tools
Risk Quantification

Benefits

Competitive Compensation
Remote Work
Flexible Work Arrangements
Equity Grants
Annual Refresh Grants

Job Description

We're transforming the grocery industry

At Instacart, we invite the world to share love through food because we believe everyone should have access to the food they love and more time to enjoy it together. Where others see a simple need for grocery delivery, we see exciting complexity and endless opportunity to serve the varied needs of our community. We work to deliver an essential service that customers rely on to get their groceries and household goods, while also offering safe and flexible earnings opportunities to Instacart Personal Shoppers.

Instacart has become a lifeline for millions of people, and we’re building the team to help push our shopping cart forward. If you’re ready to do the best work of your life, come join our table.

Instacart is a Flex First team

There’s no one-size-fits-all approach to how we do our best work. Our employees have the flexibility to choose where they do their best work—whether it’s from home, an office, or your favorite coffee shop—while staying connected and building community through regular in-person events. Learn more about our flexible approach to where we work.

Overview

About the Role

Join Instacart’s Governance, Risk, and Compliance (GRC) team as a Risk & Compliance Engineer specializing in Third Party Risk Management. In this critical role, you will be at the forefront of safeguarding Instacart’s security and privacy posture by managing risks associated with our extensive network of third-party vendors, suppliers, and service providers. You will oversee the entire vendor lifecycle, conducting robust due diligence during onboarding, performing comprehensive recurring reviews, and managing offboarding procedures to assess and quantify third-party information security and privacy risks. Your responsibilities will include identifying and mitigating emerging security risks introduced by technologies such as Artificial Intelligence (AI), Large Language Models (LLMs), data lakes, and data warehouses. Collaborating across teams, you’ll influence decision-makers to mitigate risks while enabling secure business growth. This is an exciting opportunity to drive innovation through advanced risk quantification using models like FAIR-TAM, cutting-edge tooling, and strategic partnerships within Instacart’s diverse, global vendor ecosystem.

Your work will directly inform Instacart’s broader security strategies by ensuring vendors align their controls with Instacart’s expectations and stringent regulatory compliance requirements, including GDPR, CCPA, ISO 27001, NIST, and SOC 2.

About the Team

The GRC team plays a pivotal role in monitoring, measuring, and informing Instacart’s risk posture. Our team partners with IT, Legal, Security Engineering, and system leaders across various departments to proactively identify and reduce risks. A key priority this year is enabling our business leaders through education and tools to identify and mitigate third-party risks more effectively. We’re a collaborative and forward-thinking group aiming to mature Instacart’s approach to third-party risk management with cutting-edge quantification techniques, automation, and best-in-class tools, fostering active collaboration and data sharing with our third parties.

About the Job

You’ll play a leading role in building and operating Instacart’s GRC strategies and practices by:

  • Reviewing third-party vendors during onboarding due diligence and recurring evaluation processes, meticulously focusing on identifying and mitigating cybersecurity, data privacy, and compliance risks.
  • Operating and improving Instacart's third-party risk management systems, including leveraging tools like Zip for workflows and Safe Security for risk quantification.
  • Partnering with Legal, Security Engineering, and system owners to embed comprehensive security and privacy requirements directly into third-party contracts and agreements, ensuring alignment with Instacart policies and compliance frameworks (e.g., GDPR, CCPA, SOC2, NIST, etc.).
  • Liaising with high-tier vendors to understand their security posture, advocate for aligned improvements, and provide advisory on identified risks.
  • Developing and maintaining processes that enhance the efficiency and scalability of third-party evaluations, continuous monitoring, and offboarding procedures.
  • Identifying and quantifying risks, proposing effective mitigation measures, and influencing internal stakeholders to implement necessary security controls to improve the third-party risk posture.
  • Leading vendor risk documentation, including maintaining a comprehensive third-party risk register, developing risk quantification reports using models like FAIR-TAM, and presenting findings, trends, and action plans for senior leadership.
  • Working with internal security teams to investigate and respond to third-party-related security incidents, defining escalation procedures and remediation requirements.

About You

We’re looking for a technically skilled, collaborative, and innovative professional with a passion for reducing third-party risks and enabling scalable solutions.

Minimum Qualifications

  • 7+ years of progressive experience in third-party security risk management, vendor audits, or compliance roles, preferably within a technology company.
  • Hands-on experience with third-party risk management (TPRM) and Governance, Risk, and Compliance (GRC) tools (e.g., OneTrust, Archer, Prevalent, Process Unity, Venminder, BitSight, SecurityScorecard, Zip, Safe Security).
  • Expertise in leading compliance standards and industry frameworks (e.g., GDPR, CCPA, SOC2, NIST, ISO 27001).
  • Familiarity with common security concepts, including identity and access controls, firewalls, APIs, vulnerabilities (CVE), and software supply chain risks.
  • Proven ability to review and analyze a variety of vendor security documentation, including audit reports, vulnerability scans, and penetration test results.
  • Previous experience with consumer data protection and privacy risk management, including performing privacy risk assessments and suggesting mitigation plans.
  • Strong communication and stakeholder engagement skills, with a proven ability to influence decision-makers and articulate complex technical risks and control concepts to non-technical stakeholders, including senior executives and audit committees.

Preferred Qualifications

  • Professional certifications such as CISSP, CRISC, CISM, CISA, CIPP/US, CIPP/E, CIPM, CIPT, or ISO 27001 Lead Auditor/Implementer.
  • Hands-on experience negotiating vendor contracts with comprehensive security and privacy clauses.
  • Familiarity with and/or hands-on experience applying risk quantification frameworks (e.g., FAIR-TAM) and cybersecurity metrics reporting to assess financial impact.
  • Experience working on innovative risk management programs leveraging automation, AI, and continuous monitoring techniques.
  • Familiarity with AI concepts, tools, policies, and best practices, particularly concerning LLM security risks like prompt injection, training data poisoning, and insecure output handling.
  • Understanding of security and privacy challenges related to data lakes and data warehouses, including large data volumes, unstructured data, complex access controls, and regulatory compliance.

#LI-Remote

Instacart provides highly market-competitive compensation and benefits in each location where our employees work. This role is remote and the base pay range for a successful candidate is dependent on their permanent work location. Please review our Flex First remote work policy here. Currently, we are only hiring in the following provinces: Ontario, Alberta, British Columbia, and Nova Scotia.

Offers may vary based on many factors, such as candidate experience and skills required for the role. Additionally, this role is eligible for a new hire equity grant as well as annual refresh grants. Please read more about our benefits offerings here.

For Canadian based candidates, the base pay ranges for a successful candidate are listed below.

Canada: $151,000 - $168,000 CAD


Application deadline: Open until filled


Instacart

A grocery delivery service allowing users to order from local stores and have items delivered by personal shoppers.

Date Posted: May 31st, 2025
Job Type: Contract
Location: Canada - Remote (ON, AB, BC, or NS Only)
Salary: $151,000 - $168,000
Exciting remote opportunity (requires residency in Canada) for a Senior Risk & Compliance Engineer (Third Party Risk Management) at Instacart. Offering $151,000 - $168,000 (contract). Explore more remote jobs on FlexHired!

Safe Remote Job Search Tips

Verify Employer Thoroughly

Research the company's identity thoroughly before applying. Check for a professional website with contacts, active social media, and LinkedIn profiles. Verify details across platforms and look for reviews on Glassdoor or Trustpilot to confirm legitimacy.

Never Pay to Get a Job

Legitimate employers never require payment for applications, training, background checks, or equipment. Always reject upfront payment requests or demands for bank details, even if they claim it's for purchasing necessary work gear on your behalf.

Safeguard Your Personal Information

Protect sensitive data like SSN, bank details, or ID copies. Share this only after accepting a formal, written job offer. Ensure it's submitted via a secure company system or portal, never through insecure channels like standard email attachments.

Scrutinize Communication & Interviews

Watch for communication red flags: poor grammar, generic emails (@gmail), vague details, or undue pressure. Be highly suspicious of interviews held only via text or chat apps; legitimate companies typically use video or phone calls.

Beware of Unrealistic Offers

If an offer's salary or benefits seem unrealistically high for the work involved, be cautious. Research standard pay for similar roles. Offers that appear 'too good to be true' are often scams designed to lure you into providing information or payment.

Insist on a Formal Contract

Always secure and review a formal, written job offer or employment contract before starting work or sharing final personal details. Ensure it clearly defines your role, compensation, key terms, and conditions to avoid misunderstandings or scams.
