Third-Party Risk Analyst

As Navan continues to scale globally, our ecosystem of vendors and partners grows with us. We are looking for a Third-Party Risk Analyst to join our Security & Compliance team. In this role, you will be the gatekeeper of our vendor lifecycle, ensuring that every third party—from software providers to Travel Management Companies (TMCs)—meets our rigorous security and privacy standards. You will sit at the intersection of Procurement, Legal, and Security, driving the risk assessment process and ensuring that Navan’s data remains protected across our entire supply chain.

• Risk Assessment Ownership: Conduct comprehensive security and privacy risk assessments for new and existing third parties using procurement and GRC tools and partner with Security leadership to escalate high-risk vendors and support documented risk acceptance or remediation decision
• Vendor Due Diligence: Review SOC2 reports, ISO certifications, and penetration test summaries to identify potential vulnerabilities in a vendor’s posture.
• Contractual Redlining: Partner with Legal to review and redline Security Addendums and Data Processing Addendums (DPAs), ensuring vendors commit to Navan’s required security controls.
• Vendor Engagement: Lead the outreach to vendor security teams to clarify questionnaire responses, follow up on remediation items, and ensure compliance with our standards.
• TMC & Partner Management: Work closely with our Travel Management Companies to gather essential security documentation and manage the lifecycle of partner-specific risk reviews and contracts.
• Continuous Monitoring: Monitor the existing vendor landscape for security incidents, certification expirations, for security alerts, news of breaches, or changes in risk profiles, and trigger re-assessments when necessary.
• Cross-Fuctional Collaboration: You will work closely with Procurement, Legal, Privacy, and Engineering teams on third-party security and risk considerations throughout the vendor lifecycle

• Experience: 2–4 years in Third-Party Risk Management (TPRM), Vendor Risk, or IT Audit.
• Regulatory Knowledge: Familiarity with privacy frameworks (GDPR, CCPA) and security standards (SOC 2, ISO 27001).
• Procurement Savvy: Experience working within procurement workflows and using GRC or Vendor Management tools (e.g., OneTrust, Prevalent, or Vanta).
• Analytical Mindset: Ability to spot "red flags" in a vendor’s security documentation and translate those risks into business impact for internal stakeholders.
• Negotiation Skills: Comfortable holding vendors accountable and negotiating security terms in contracts.
• Organization: You can manage dozens of active vendor assessments simultaneously without losing track of deadlines or documentation gaps.