Why should you join dLocal?
dLocal enables the biggest companies in the world to collect payments in 40 countries in emerging markets. Global brands rely on us to increase conversion rates and simplify payment expansion effortlessly. As both a payments processor and a merchant of record where we operate, we make it possible for our merchants to make inroads into the world’s fastest-growing, emerging markets.
By joining us you will be a part of an amazing global team that makes it all happen. Being a part of dLocal means working with 1000+ teammates from 30+ different nationalities and developing an international career that impacts millions of people’s daily lives. We are builders, we never run from a challenge, we are customer-centric, and if this sounds like you, we know you will thrive in our team.
About Us & The Role
We do not do "check-box" compliance, and we don't do corporate fluff.
Within the Security Department, under the guidance of GRC and security leadership, our GRC and Assurance team operates with a street-smart, pragmatic approach. We are looking for a versatile, self-driven Senior GRC Partner to take direct ownership of our Governance, Security Awareness, Third-Party Risk Management, and Compliance programs across a complex, fast-moving global business.
This is not a single-track specialist role. You will work across all GRC and Assurance domains, rolling your sleeves up wherever the team needs you most. One week you may be deep in a payment processor assessment. Next, you are tuning a policy, running a compliance mapping exercise, or building out the Security Champions program. If you are looking for a narrow lane, this is not the role. If you want to build something real and touch everything, keep reading.
You will be measured on whether things actually change, not on whether documents exist.
Own Third-Party Risk & Payment Processor Assessments: Take direct operational ownership of our global Third-Party Risk Management program, including the Payment Processor Assessment Framework, which is one of the team's most critical and complex programs.
Design the Machine: Implement a tiered, risk-based review system: fast-tracks for low-risk vendors, and deep technical scrutiny for critical processors in emerging markets. Work with our security engineers to define and build automated workflows and AI agents that handle the administrative lifting of TPRM (chasing vendors for documentation, parsing SOC 2 reports, tracking internal owners).
Enable the Business Safely: Analyze technical findings from external assessment vendors and translate them into clear, actionable risk positions. When a critical vendor has a high risk score but is a business necessity, define the compensating controls required to safely enable the business (volume caps, reconciliation requirements, escalation thresholds). Eliminate unnecessary overhead so this program moves at the speed of the business.
Operationalize Governance: Policies only have value if people know they exist and can realistically follow them. Renegotiate existing policies to make them practical, risk-calibrated, and enforceable. Run the stakeholder process across security, engineering, and the business to land on controls that reduce risk without grinding operations to a halt.
Drive Security Awareness & Champions: Redefine how security expectations are communicated. No generic broadcasts. Build targeted, high-ROI awareness interventions using modern tools (including AI-assisted delivery) that actually change behavior. Build and run the Security Champions program, recruiting motivated individuals embedded in engineering to act as the first line of security awareness.
Run Compliance & the Risk Register: Map and maintain controls across PCI DSS, SOX, DORA, ISO 27001, and SOC 2. When audit season hits, you are in the trenches: pulling evidence, coordinating with stakeholders, and making sure nothing falls through the cracks.
Shift Left & Protect Business Velocity: Security is not the bottleneck. Give business leaders the transparent data, tools, and rules they need to explicitly accept or reject vendor risk, shifting accountability to the first line of defense where it belongs. When a risk needs to be formally accepted, you draft the paperwork and ensure the business owner signs it.
Track Record Over Tenure: We do not care about arbitrary "years of experience." We care about outcomes. You must have a proven track record of driving governance, assurance, or TPRM programs in fast-paced, complex environments.
Pragmatic Operator Mentality: You move fast and optimize complex, legacy workflows. You know the difference between what genuinely needs to change and what is noise. You are not a methodology presenter; you get things done where ambiguity and speed are the norm.
Hands-On Grit: You are not an ivory tower architect. You have the humility and work ethic to do the manual work yourself while simultaneously building the automation that will eventually replace it.
Disruptive Vision for TPRM: You hate the slow, bureaucratic status quo of traditional risk management. You see TPRM as a program that should enable the business, not block it.
Disciplined Multi-Threading: You are ruthlessly organized. You can manage a payment processor security review, a policy overhaul, a compliance mapping cycle, and a Security Champions workshop simultaneously without dropping the ball.
AI Fluency: Deeply comfortable using LLMs to automate administrative governance work and move faster. You understand how to leverage AI capabilities while maintaining strict data accuracy and hallucination governance.
Regulatory Knowledge: Strong working knowledge of PCI DSS, SOX, DORA, ISO 27001, and SOC 2. You can map controls, prepare audit evidence, and hold a credible conversation with an examiner.
High EQ & Stakeholder Navigation (The Security Diplomat): You read people and complex situations well. You negotiate with VP-level commercial leaders, engineering directors, and external vendors. You find pragmatic compromises between security requirements and business velocity, and you know how to bring people along rather than impose.
Exceptional Communication: Fluent English is mandatory. You distill complex risk and governance topics into clear language for non-technical executive audiences and are equally comfortable in a policy workshop and a board-level risk briefing.
Nice to Have
Prior experience in a fintech, payments, or tech scale-up environment.
Direct experience assessing or securing payment processors and financial institutions in emerging markets.
Experience building or integrating with modern GRC, risk management, or procurement platforms.
Familiarity with the unique cybersecurity challenges of emerging markets: the gap between paper compliance and operational reality.
High autonomy, high accountability. You take direction from security leadership, figure out the "how," and execute. This is a senior role for someone who wants to build programs that are practical, scalable, and genuinely trusted by the business. You will not specialize in one domain. You will touch everything, build where things are missing, and modernize what has been outgrown.
What do we offer?
Besides the tailored benefits we have for each country, dLocal will help you thrive and go that extra mile by offering you:
- Flexibility: we have flexible schedules and we are driven by performance.
- Fintech industry: work in a dynamic and ever-evolving environment, with plenty to build and boost your creativity.
- Referral bonus program: our internal talents are the best recruiters - refer someone ideal for a role and get rewarded.
- Social budget: you'll get a monthly budget to chill out with your team (in person or remotely) and deepen your connections!
- dLocal Houses: want to rent a house to spend one week anywhere in the world coworking with your team? We’ve got your back!
Flexibility in how you work: We focus on impact and productivity over fixed hours. This means our teams have flexible schedules and, depending on your role and location, you will combine self‑managed focus time with moments of in‑person connection in our collaboration hubs.
What happens after you apply?
Our Talent Acquisition team is invested in creating the best candidate experience possible, so don’t worry, you will definitely hear from us. We will review your CV and keep you posted by email at every step of the process!
Also, you can check out our webpage, LinkedIn and YouTube for more about dLocal!
We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.