Compliance Manager in City of London

City of London | Full-Time | 60000 - 75000 € / year (est.) | No home office possible
CourtCorrect

At a Glance

  • Tasks: Lead compliance operations in a fast-growing AI company, focusing on data protection and information security.
  • Company: Join CourtCorrect, a market leader in AI software for complaints resolution.
  • Benefits: Enjoy hybrid working, mentorship, EMI share options, and a clear path to career growth.
  • Other info: Be part of a dynamic team at the forefront of AI legal-tech innovation.
  • Why this job: Make a real impact in AI compliance while working with cutting-edge technology.
  • Qualifications: 3+ years in compliance roles, strong knowledge of GDPR, and excellent document management skills.

The predicted salary is between 60000 - 75000 € per year.

About CourtCorrect

CourtCorrect is the market-leading AI software for complaints resolution in regulated industries. We support businesses across the UK to identify, respond to and learn from complaints. Founded at the University of Cambridge, we are a team of engineers, designers, scientists and commercial operators. Following a £2m+ Seed round, we are scaling rapidly across financial services and other regulated sectors.

The Role

We are hiring a Compliance Manager to join our Legal & Compliance function, reporting directly to the Head of Legal & Compliance. This is a specialist compliance role with deep ownership of CourtCorrect's data protection, information security and AI compliance operations — supporting a fast-growing AI company through complex enterprise client engagements and an evolving regulatory landscape.

You will take meaningful ownership from day one of compliance frameworks, GDPR operations, third-party risk, due diligence responses, NDA review, contract operations and continuous compliance tooling — with scope to grow into independent ownership of CourtCorrect's compliance function.

What You Will Do

  • GDPR & Data Protection Operations
    • Owning day-to-day GDPR compliance: records of processing (ROPAs), DPIAs, legitimate interest assessments, transfer risk assessments (TRAs), and data subject rights handling
    • Maintaining the data protection register and ensuring all processing activities are accurately documented under UK GDPR and EU GDPR
    • Supporting the DPO on regulatory matters, breach assessments and ICO correspondence
    • Operationalising international data transfer mechanisms (SCCs, IDTA, TRAs)
  • Third-Party & Sub-Processor Risk
    • Conducting and documenting sub-processor risk assessments (including AI/LLM vendors such as OpenAI), maintaining the sub-processor register, and supporting customer notification obligations under DPAs
    • Running vendor risk assessments across data protection, information security and AI risk dimensions
    • Maintaining the third-party risk register and ensuring periodic re-assessment of critical vendors
  • Information Security & ISO 27001
    • Operating CourtCorrect's continuous compliance platform (Vanta), including evidence uploads, control monitoring, and remediation tracking for ISO 27001 and related frameworks
    • Coordinating with the Information Security Team Lead on control implementation, audit preparation, and surveillance reviews
    • Maintaining the ISMS documentation suite, risk register and policy register
  • Due Diligence & Regulatory Questionnaires
    • Leading end-to-end responses to client and vendor due diligence, including data protection, information security, AI risk and financial services regulatory questionnaires
    • Producing high-quality, commercially aware responses that present CourtCorrect's controls clearly and accurately, with appropriate supporting evidence and consistent positioning across questionnaires
    • Coordinating with Engineering, Security and Product to gather evidence; escalating complex matters with clear analysis
    • Building and maintaining a reusable DD response library to improve efficiency and consistency over time
  • NDA & Contract Operations
    • Reviewing and negotiating NDAs against CourtCorrect's playbook, handling end-to-end from receipt to execution
    • Coordinating signature workflows on DocuSign (or equivalent): preparing envelopes, routing for signature, managing signing order, chasing counter-signatures and ensuring fully executed copies are correctly filed
    • Supporting contract lifecycle management: tracking obligations, renewals, variations and notice deadlines across the customer and vendor portfolio
    • Flagging contractual compliance obligations (audit rights, sub-processor notifications, security commitments) to the Head of Legal & Compliance for action
    • Escalating substantive contract matters (MSAs, DPAs, complex amendments) to the Head of Legal & Compliance with a clear summary of the key points
  • Compliance Policies & Attestations
    • Operationalising and maintaining internal compliance policies across UK and EU GDPR, AI governance, information security, anti-bribery and ethics
    • Running regular internal compliance checks, policy attestations and evidence collection across the business
    • Escalating issues to the Head of Legal & Compliance with clear analysis and proposed actions
  • AI Governance
    • Maintaining CourtCorrect's AI governance documentation, including model risk records, EU AI Act classification evidence and human-in-the-loop control documentation
    • Tracking AI regulatory developments (EU AI Act, ICO AI guidance, sector-specific AI rules) and preparing concise summaries with recommendations
  • Documentation & Information Management
    • Owning CourtCorrect's legal and compliance document infrastructure: structuring, organising and maintaining contract repositories, compliance evidence libraries and policy registers
    • Managing day-to-day document operations: filing executed contracts, NDAs and compliance records in the appropriate repositories; retrieving documents promptly on request from internal stakeholders or external auditors
    • Maintaining GDPR records, DPIAs, risk logs, policy attestations, audit trails and evidence repositories to audit-ready standard
    • Operating retention schedules and conducting periodic clean-up of legal and compliance records
    • Ensuring file naming, version control and access permissions remain consistent and well-governed as the business scales

What We Are Looking For

Essential

  • 3+ years of dedicated experience in data protection, privacy or compliance roles at SaaS, technology or regulated businesses
  • Recognised privacy certification: CIPP/E, CIPM, or equivalent
  • Deep working knowledge of UK GDPR and EU GDPR, including practical experience drafting DPIAs, ROPAs, TRAs and legitimate interest assessments
  • Hands-on experience reviewing and negotiating NDAs against a playbook, with sound commercial judgment on routine variations
  • Demonstrable experience leading client due diligence responses end-to-end, including information security and AI risk questionnaires
  • Hands-on experience with continuous compliance platforms (Vanta, Drata, Secureframe or equivalent) and ISO 27001 evidence management
  • Practical experience with DocuSign and managing contract lifecycle workflows
  • Strong document management discipline: file structure, version control, retention, access governance
  • Working knowledge of information security frameworks (ISO 27001 in particular) and the ability to engage credibly with technical teams
  • Exceptional attention to detail and written communication
  • Comfortable managing multiple workstreams independently with sound prioritisation

Desirable

  • Additional certifications: ISO 27001 Lead Implementer, CISA, CRISC, or equivalent
  • Exposure to the EU AI Act and AI governance frameworks
  • Experience with financial services client environments (FCA-regulated firms as customers or counterparties)
  • Experience supporting SOC 2 audits or other compliance frameworks beyond ISO 27001
  • Experience reviewing DPAs and other privacy-related contractual annexes against compliance checklists

What We Offer

  • Direct mentorship from the Head of Legal & Compliance, with a clear path to independent ownership of CourtCorrect's compliance function
  • Deep, specialist work at the intersection of AI, data protection and information security — at one of the UK's leading AI legal-tech companies
  • Real influence on how a scaling AI company builds its compliance function
  • EMI share option scheme participation
  • Hybrid working and a collaborative team

Compliance Manager in City of London employer: CourtCorrect

At CourtCorrect, we pride ourselves on being a leading employer in the AI legal-tech sector, offering our Compliance Manager a unique opportunity to shape compliance frameworks in a fast-paced environment. Our collaborative work culture fosters innovation and personal growth, supported by direct mentorship from experienced leaders and participation in an EMI share option scheme. With hybrid working options and a focus on meaningful contributions, we empower our employees to thrive while navigating the evolving landscape of data protection and information security.

CourtCorrect

Contact Detail:

CourtCorrect Recruiting Team

StudySmarter Expert Advice

We think this is how you could land Compliance Manager in City of London

✨ Tip Number 1

Network like a pro! Reach out to people in the compliance field, especially those who work at companies you're interested in. A friendly chat can open doors and give you insider info on job openings.

✨ Tip Number 2

Prepare for interviews by researching the company and its compliance challenges. Show us that you understand their needs and how your skills can help tackle them. Tailor your answers to highlight relevant experiences!

✨ Tip Number 3

Don't just wait for job postings! Be proactive and reach out directly to companies you admire. Express your interest in compliance roles and ask if they have any upcoming opportunities. You never know what might come up!

✨ Tip Number 4

Utilise our website to apply for roles. It's super easy and ensures your application gets seen by the right people. Plus, we love seeing candidates who take the initiative to apply directly through us!

We think you need these skills to ace Compliance Manager in City of London

GDPR Compliance
Data Protection Operations
Risk Assessment
NDA Review and Negotiation
Contract Lifecycle Management
ISO 27001 Knowledge
Continuous Compliance Platforms (e.g., Vanta)

Some tips for your application

Tailor Your CV: Make sure your CV is tailored to the Compliance Manager role. Highlight your experience in data protection, GDPR operations, and compliance frameworks. We want to see how your skills align with what we're looking for!

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to explain why you're passionate about compliance and how your background makes you a perfect fit for CourtCorrect. Keep it concise but impactful!

Showcase Relevant Experience: When detailing your experience, focus on specific projects or roles where you've managed compliance tasks, especially in regulated industries. We love seeing concrete examples of your achievements!

Apply Through Our Website: Don't forget to apply through our website! It's the best way for us to receive your application and ensures you're considered for the role. Plus, it helps us keep everything organised!

How to prepare for a job interview at CourtCorrect

✨ Know Your GDPR Inside Out

Make sure you brush up on your knowledge of UK and EU GDPR regulations. Be prepared to discuss specific compliance frameworks, like ROPAs and DPIAs, and how you've applied them in previous roles. This will show that you're not just familiar with the theory but have practical experience too.

✨ Showcase Your Document Management Skills

Since this role involves a lot of document handling, be ready to talk about your experience with file structures, version control, and retention schedules. Bring examples of how you've maintained compliance records or managed contract workflows in the past to demonstrate your attention to detail.

✨ Prepare for Scenario-Based Questions

Expect questions that ask how you would handle specific compliance challenges, such as conducting vendor risk assessments or responding to regulatory inquiries. Think through some scenarios beforehand and outline your thought process to show your problem-solving skills.

✨ Highlight Your Collaborative Spirit

This role requires working closely with various teams, so be ready to discuss how you've successfully collaborated with technical teams or other departments in the past. Share examples of how you've coordinated efforts to achieve compliance goals, as this will highlight your ability to work in a team-oriented environment.