GRC Engineer

About Qonto

Our mission and customers: We are creating the freedom for SMEs to succeed by delivering Europe's leading finance workspace with banking at its core, augmented by financial tools. We are proud to be rated 4.8 on Trustpilot, based on 55,000+ reviews. Our culture puts customer satisfaction at the core of what we do, as proven by our Net Promoter Score of 75.

Our journey: Founded in 2017 by Alexandre and Steve, Qonto has grown to 1,600+ Qontoers serving over 600,000+ customers across 8 European countries. We have been profitable since 2023, and we are just getting started.

Our beliefs: We hire for skills and potential. With 80+ nationalities, 45% women, and 56% of women in our leadership team, diversity isn't a program; It's who we are. We've built a discrimination-free hiring process because the best teams are built on merit.

AI at Qonto: AI is deeply embedded in how we work (here) - Every Qontoer gets unlimited access to the best AI tools. We want people who experiment without waiting for permission, push AI beyond the obvious, know when to trust it, and when to question it.

Mission

Your mission is to ensure Qonto remains continuously compliant with key security certifications and regulatory requirements (ISO 27001, PCI DSS, DORA) by leading end-to-end audits. Working closely with Ayoub, our VP Security, and Pierre, your manager, you will protect Qonto's ability to operate regulated products by transitioning our compliance processes from manual evidence collection to a streamlined, automated system.

Responsibilities

• Own and deliver external and internal audits/certifications end-to-end with minimal findings, starting with upcoming deadlines like our PCI DSS audit.
• Deliver meaningful tooling and automation to reduce manual evidence collection and reporting, starting with ISO 27001 controls.
• Build and maintain the documentary corpus and control mapping for upcoming regulations (notably DORA), shifting Qonto toward continuously provable compliance.
• Translate compliance requirements into clear, actionable requests for technical teams without creating unnecessary bureaucracy.
• Prepare and defend Qonto’s compliance positions with auditors by combining the spirit of regulatory texts with pragmatic, risk-based implementations.

What you can expect

• Rare multi-framework exposure: It is quite rare to have the opportunity to work across so many different certifications and audits (ISO 27001, PCI DSS, DSP2, PDP, DORA) rather than a single-norm niche, providing you with an incredible learning curve and continuous career growth.
• GRC + Automation scope: You won't just manage spreadsheets; you will build tooling and scripts to transition Qonto from point-in-time checks to automated compliance.
• High-stakes, fast-paced context: You will manage a high audit cadence (~6-7 external and ~5-6 internal audits per year) in a highly regulated fintech environment.
• Pragmatic methodology: We value risk-based argumentation and finding the right balance between strict regulatory requirements and our engineering teams' velocity.
• Cross-functional collaboration: You will act as a key bridge between Internal Control, external auditors (like Mazars or Deloitte), and our Security engineering teams.

About your future manager

You will report directly to Pierre. As Head of Security, he approaches leadership as an engineer first, favoring technical truth over titles and hierarchy. He keeps the team horizontal, providing the necessary context and then stepping back to let people own their execution. Driven by a 'question everything' mindset, he expects his team to challenge 'the way it's always been done' to find leaner, more automated solutions. To ensure a smooth and successful ramp-up, your initial onboarding will also be closely supported by Ayoub, who will provide deep knowledge transfer on our current frameworks.

About You

• Experience: You have proven experience owning security compliance frameworks and audits (such as ISO 27001 or PCI DSS) end-to-end within regulated environments.
• Automation mindset: You have a hands-on approach to problem-solving and have previously built tools, scripts, or integrations to automate repetitive compliance tasks and evidence collection.
• Regulatory reasoning: You can constructively challenge interpretations and defend pragmatic, risk-based compliance positions with external auditors.
• High Autonomy: You have strong project management skills, allowing you to organize your work around an audit calendar and juggle multiple stakeholders and deadlines simultaneously.
• Growth mindset: You are naturally curious, able to quickly grasp technical contexts to collaborate with engineers, and motivated by the prospect of working across multiple regulatory frameworks.

At Qonto we understand that true diversity isn't just about ticking boxes on a hiring checklist. Apply regardless of the boxes you tick! Who knows? You may have the missing piece of the puzzle we've been searching for all along.

On average, our hiring process lasts 20 working days. More information on our candidate journey here

Your security matters to us

Recruitment scams are on the rise. Keep in mind, we will never work with third-party platforms or agencies that request payment from candidates.

If you receive a suspicious message claiming to be from Qonto, please report it right away (support@qonto.com)

Key skills/competency

• GRC Engineer
• ISO 27001
• PCI DSS
• DORA
• Automation
• Security Audits
• Compliance
• Risk Management
• Fintech
• Qonto