Sword Health is shifting healthcare from human-first to AI-first through its AI Care platform, making world-class healthcare available anytime, anywhere, while significantly reducing costs for payers, self-insured employers, national health systems, and other healthcare organizations. Sword began by reinventing pain care with AI at its core, and has since expanded into women’s health, movement health, and more recently mental health. Since 2020, more than 700,000 members across three continents have completed 10 million AI sessions, helping Sword's 1,000+ enterprise clients avoid over $1 billion in unnecessary healthcare costs. Backed by 42 clinical studies and over 44 patents, Sword Health has raised more than $500 million from leading investors, including Khosla Ventures, General Catalyst, Transformation Capital, and Founders Fund. Learn more at www.swordhealth.com. As a GRC Analyst, you will be a key driver of trust and regulatory excellence at Sword Health. You will act as the primary interface for our partners and clients, translating our security posture into clear, authoritative responses that enable business growth. Beyond external trust, you will take ownership of certification lifecycles and bridge the gap between technical security controls and medical device quality standards.
We are looking for an agile problem-solver who can pivot quickly to support new products and initiatives in a way that aligns with our fast-paced innovation.
What you’ll be doing:
Acting as the primary subject matter expert for all security and compliance inquiries, including security questionnaires, RFPs, and M&A due diligence; building and maintaining a robust knowledge base to ensure accurate and efficient responses to partners and clients.
Taking end-to-end ownership of certification lifecycles, such as ISO 27001 and Cyber Essentials; ensuring year-round audit readiness, managing the certification process from start to finish, and independently leading external audits.
Working closely with the GRC team to improve existing programs, ensuring that our mapping of controls to processes and documentation remains robust and scalable as we grow.
Partnering with the Quality Assurance & Regulatory Affairs (QARA) team to bridge the gap between security-focused frameworks and Medical Device Compliance initiatives, ensuring a unified approach to the AI Act and other healthcare-specific regulations.
Collaborating with product teams on existing and upcoming initiatives to ensure security-by-design; quickly learning new product architectures and partnering with stakeholders to ensure all necessary compliance and security controls are integrated smoothly into the development lifecycle.
Collaborating with Security, Product, Engineering, and IT teams to ensure that security controls are naturally integrated into their existing workflows without creating operational friction.
Providing subject matter expertise and support for security and compliance training, as well as other general GRC initiatives as they arise.
What you need to have:
5+ years of hands-on experience in GRC, with a proven track record of leading audits and maintaining certifications for internationally recognized security standards.
Hands-on experience with at least three of the following frameworks: ISO 27001, SOC 2, HITRUST, NIS2, Cyber Resilience Act, FedRAMP, CMMC, NIST SP 800-171, NIST SP 800-53, GDPR, HIPAA or PCI DSS.
Exceptional command of the English language, both written and spoken. You must be able to communicate complex security concepts clearly and authoritatively to both technical teams and external stakeholders.
A strong understanding of how security controls apply to Infrastructure and Product environments to effectively map requirements to technical work instructions.
A "wildcard" mindset—the ability to be dropped into a new project or product initiative, learn the context quickly, and define the necessary compliance path forward.
Familiarity with the intersection of cybersecurity (ISO, NIS2) and privacy/regulatory frameworks (GDPR, AI Act, or Medical Device regulations).
Familiarity with Medical Device certifications and regulations, such as ISO 13485 and FDA’s Good Manufacturing Practices (GMP).
Proven experience using LLMs to accelerate personal workflows, including drafting, summarizing, and analyzing GRC-related tasks to achieve significant individual productivity gains.
Demonstrated ability to design and implement AI-driven automations or integrated workflows that replace manual processes and enhance productivity at a team level is a strong plus.
Experience working across diverse teams such as Legal, Quality, and IT to align on shared compliance goals.
Leverage AI to streamline the creation and maintenance of compliance artifacts (e.g., policies, control descriptions, risk assessments), ensuring accuracy, consistency, and proper review processes.
Design and implement AI-assisted workflows for risk tracking and governance, improving visibility, follow-ups, and accountability across risk owners.
Support the automation of evidence collection and control monitoring processes, using AI to reduce manual effort while maintaining auditability.
Ensure that the use of AI in GRC processes preserves traceability, version control, and regulatory compliance requirements.
Define and enforce guardrails for the responsible use of AI in compliance and risk management activities.
Continuously evaluate the reliability and integrity of AI-generated outputs used in governance and reporting processes.
To ensure you feel good solving a big Human problem, we offer:
A stimulating, fast-paced environment with lots of room for creativity.
A bright future at a promising high-tech startup company.
Career development and growth, with a competitive salary.
The opportunity to work with a talented team and to add real value to an innovative solution with the potential to change the future of healthcare.
A flexible environment where you can control your hours (remotely) with unlimited vacation.
Access to our health and well-being program (digital therapist sessions).
Remote or Hybrid work policy.
To get to know more about our Tech Stack, check here.
Portugal - Sword Benefits & Perks:
• Health, dental and vision insurance
• Meal allowance
• Equity shares
• Remote work allowance
• Flexible working hours
• Work from home
• Discretionary vacation
• Snacks and beverages
• English class
Note: Please note that this position does not offer relocation assistance. Candidates must possess a valid EU visa and be based in Portugal.
Sword Health complies with applicable Federal and State civil rights laws and does not discriminate on the basis of Age, Ancestry, Color, Citizenship, Gender, Gender expression, Gender identity, Gender information, Marital status, Medical condition, National origin, Physical or mental disability, Pregnancy, Race, Religion, Caste, Sexual orientation, and Veteran status.
