Compliance Manager

Location: Bristol, UK (must be able to commute to Bristol)

Employment Type: Full-time

About Us

Narwhal Group (trading as Narwhal Labs) is a Bristol-based agentic AI communications company building DeepBlue OS, a platform that handles voice, SMS, WhatsApp and email interactions for enterprise clients. We're 37 people, ISO 27001 and SOC 2 certified, and mid-Series A with strong investor backing. We move fast, take compliance seriously, and want someone who can do both.

Role Overview

As Compliance Manager you will own and lead Narwhal's ISMS, acting as the primary day‑to‑day custodian of our ISO 27001 and SOC 2 certifications. Reporting directly to the CFO/COO, you'll work across engineering, product, HR, legal, and commercial teams to embed a culture of security and compliance as we scale. This is a hands‑on, high‑ownership role — you'll be writing policy, running audits, managing our external audit relationship with Scrut, and advising leadership on risk.

Key Responsibilities

• Own and continuously improve the ISMS in line with ISO 27001:2022 and SOC 2 Type II requirements
• Lead all internal audit activity and manage the relationship with Scrut as external auditor
• Maintain the risk register, run periodic risk assessments, and present findings to the leadership team
• Serve as Document Controller, overseeing version control of all policies, procedures, and evidence artefacts

Policy & Controls

• Draft, review, and update information security policies across the full Annex A control set
• Ensure controls are operational, evidenced, and audit‑ready at all times
• Manage supplier and third‑party risk assessments and due diligence processes
• Support the DPO function on UK GDPR obligations, data subject requests, and breach response

Cross‑functional Compliance

• Partner with the CTO on technical security controls and vulnerability management
• Work with the HR team on security, onboarding/offboarding, and access reviews
• Support commercial and legal teams on security questionnaires, RFP responses, and customer DPAs
• Advise on compliance implications of new products, integrations, and markets (including international expansion)

Governance & Reporting

• Prepare compliance reporting for board meetings and investor due diligence
• Manage the compliance calendar: surveillance audits, recertification cycles, management reviews
• Run security awareness training across the company
• Act as a point of escalation for information security incidents alongside the Incident Response Lead

Who We’re Looking For

• 3+ years in an information security, compliance, or GRC role
• Demonstrable hands‑on experience with ISO 27001 — ideally having led or co‑led a certification or recertification
• Working knowledge of SOC 2, UK GDPR and data protection principles
• Experience writing and maintaining security policies, procedures and risk registers
• Confident communicator — able to translate technical risk into board‑level language
• Highly organised with strong attention to detail and the ability to manage multiple workstreams

Desirable Qualifications

• Experience in a SaaS, AI, or high‑growth tech company
• Familiarity with compliance automation tooling (Scrut, Vanta, Drata, or similar)
• Exposure to international compliance requirements (Ireland, UAE, Australia)

Diversity and Inclusion

We're building something global at Narwhal, and we mean that in every sense. The work we do requires different ways of thinking and different ways of thinking come from different people. At Narwhal, we’re committed to building a diverse and inclusive team. We welcome applications from people of all backgrounds, identities, and experiences, and we actively work to ensure our hiring process is fair and accessible for everyone. Reasonable adjustments are available at every stage, just reach out and we’ll make it happen.