
Governance, Risk & Compliance Analyst - Docebo
- Job Title
- Governance, Risk & Compliance Analyst
- Job Location
- Toronto, Ontario
- Job Description
- Artificial Intelligence. Actual Impact.

At Docebo, AI isn’t just a buzzword — it’s how we help teams move faster, perform better, and focus on the work that actually matters. Our learning platform is built with smart, time-saving tools that personalize training, cut the busywork, and make learning feel like less of a chore (and more of a superpower).

We’re building the future of learning, and we’re doing it with a team that loves to challenge the status quo. If you're excited by the idea of using AI to make work-life better for real people — not just in theory — you're in the right place.

Still thinking it over? At Docebo, values aren’t just posters on the wall — they show up in how we work every day. We lead with what we call the Docebo Heart: we trust each other, assume positive intent, and make space for the differences that make our team stronger.

So… what are you waiting for? Join 900+ Docebians around the world and help us reinvent the way people learn.

About This Opportunity:

The role of Docebo’s Governance, Risk & Compliance Analyst II is crucial for developing, implementing, and maintaining the company's comprehensive security and compliance posture. This position balances the critical internal functions of governance and risk management with the external need to demonstrate the business value of a solid compliance program to prospects and customers.

This role is essential for ensuring that Docebo adheres to a wide range of regulatory frameworks and maintains robust security measures. Collaborating with internal teams to build and enforce policies, they also work closely with Sales & Legal teams to effectively address customer compliance and security requirements.

This role involves leading continuous improvement efforts in our control environment and staying current on emerging compliance regulations, security threats, and industry best practices.

To be successful as a Governance, Risk & Compliance Analyst II, you need a proactive and structured approach to building and managing security and compliance programs. Strong, hands-on experience in developing security policies, conducting risk assessments, and managing audit cycles is crucial. Excellent analytical, problem-solving, and communication skills are essential, as you’ll collaborate with various teams, external partners, and auditors.

To enhance your effectiveness in this role, a Bachelor’s degree in computer science, information security, or a related field is beneficial. Certifications such as Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Information Systems Security Professional (CISSP) can further strengthen your qualifications. Additionally, proficiency in GRC platforms (e.g., Drata, OneTrust) will support your success.

Responsibilities:
- Governance, Policy, and Control Management: Develop, maintain, and enhance cybersecurity and privacy policies, standards, and control frameworks to align with key industry regulations (e.g., PCI DSS, ISO 27001, SOC 2, ISO 42001) and business objectives.
- Risk Management & Assessments: Conduct and coordinate comprehensive cybersecurity risk assessments across the organization to identify, evaluate, and prioritize risks. Develop, monitor, and track risk treatment and remediation plans, providing guidance to stakeholders on mitigation strategies.
- Internal and External Audit Support: Lead and coordinate Docebo’s activities for both internal and external audits (e.g., ISO 27001/42001, SOC 2, PCI DSS, SOX), including evidence collection, interfacing with auditors, and managing findings to ensure successful certification and compliance.
- Customer Engagement and Response: Respond to customers’ security and privacy related inquiries, compile comprehensive responses (mainly RFI, RFP, and RFQ), and address compliance questionnaires, ensuring timely and accurate information dissemination to actively support the sales process.
- Vendor Risk Assessment and Monitoring: Support the evaluation of company third-party vendor-associated risks, monitor security controls, and maintain risk management reporting dashboards to mitigate risk and effectively qualify company suppliers, in collaboration with the GRC team.
- Cross-functional collaboration: Collaborate across all company departments to embed security controls and align compliance, security, and privacy efforts with business objectives. Consult with departments to assess changes, advise on compliance obligations, and support the evolution of company compliance programs.
- Documentation and Reporting: Maintain comprehensive documentation of compliance activities, including policies, risk assessments, and audit findings. Prepare detailed reports on the status of the GRC program for management and regulatory authorities.
Requirements:
- Typically 4+ years of relevant work experience.
- Working experience in IT Risk Management, Governance, or a similar Information Security role.
- Direct, hands-on experience developing security policies, conducting risk assessments, and managing internal/external audit cycles for a SaaS company.
- Working knowledge of information security principles, trends, and best practices, specifically cloud environments and services (e.g., AWS, Azure, GCloud).
- Knowledge of GDPR requirements and other data privacy laws (e.g., CCPA, PIPEDA).
- Knowledge of ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701, ISO 9001, SOX, DORA, NIST CSF, and AICPA/ISAE 3000 SOC 2 & PCI DSS.
- Knowledge of CFR21 Part 11.
- FedRAMP framework knowledge.
Docebo Company Size
Between 991 - 991 employees
Docebo Founded Year
2005
Docebo Funding Rounds
Post Ipo Equity
$128,800,000 CAD
Post Ipo Equity
$75,000,000 CAD
IPO
$0
Series A
$3,000,000 USD
Seed
$2,400,000 EUR
Pre Seed
$150,000 EUR