Information Security & Compliance Officer
Listed on 2026-05-07
IT/Tech
Cybersecurity, Information Security, Data Security
Who Are We?
For more than 30 years, Pdftools has helped organizations around the world handle their documents with confidence. Behind every secure form, every archived record and every automated workflow, there's a moment where trust matters — and our technology makes those moments work.
We believe documents are more than files. They're the heartbeat of how people communicate, protect information, prove identity and keep society running. As a Swiss B2B software company, we specialize in PDF processing SDKs, conversion services and document workflow solutions — serving enterprise customers, system integrators and OEMs across regulated industries including financial services, government and healthcare. Part of a growing group, we operate in a market where data security, compliance maturity and regulatory readiness are increasingly decisive.
We're Swiss-built, quality-obsessed and deeply committed to doing things the right way. And we're human at our core: curious, collaborative and motivated by solving real problems for real people.
Today, we're innovating faster than ever and we're ready to grow the team that helps us do it.
Goal
PDF Tools AG is building its compliance and security capability from an early-stage foundation toward a structured, auditable framework. Today, compliance responsibilities are distributed across leadership — the CEO is formally accountable, the CTO drives execution — but there is no dedicated operational owner. As the company grows and the regulatory landscape intensifies (GDPR, Swiss FADP, AI Act, DORA, NIS2), we need a single person who owns this domain end-to-end and can move it from reactive gap-closing to a sustained, professional program.
This role was created to provide that dedicated ownership: someone who can take over the running compliance program, close remaining gaps, build repeatable processes, and represent the company's security and compliance posture toward customers, auditors, and partners.
What You Will Own
Privacy Governance & Data Protection
Own and maintain the Register of Processing Activities (ROPA) — currently established but requiring ongoing expansion and review.
Ensure compliance with GDPR, Swiss FADP (revDSG), and CCPA requirements across all company operations.
Manage data subject request (DSR) workflows and ensure timely, compliant responses.
Own the retention and deletion policy — define, implement, and enforce data lifecycle rules.
Maintain and improve the company's privacy policies (website, HR, product-level).
Maintain the processor register and DPA repository.
Ensure all active vendors/processors have reviewed DPAs with appropriate safeguards (SCCs, Swiss addenda).
Establish and run an annual vendor review cadence.
Map and document international data transfers and safeguards.
Own the company's Technical and Organizational Measures (TOMs) documentation.
Drive formalization and periodic testing of security controls.
Coordinate penetration testing with external partners.
Build toward a security monitoring and incident response capability.
Own the risk register — maintain it, drive risk owners to close items, report to leadership.
Evaluate and recommend security tooling (e.g., CVE scanning, static analysis integration, SIEM).
Track emerging regulatory requirements (AI Act, DORA, NIS2) and assess applicability.
Prepare the company for potential ISO 27001 or SOC 2 certification when strategically appropriate.
Coordinate with external legal counsel (currently MLL) on regulatory assessments and policy drafting.
Respond to customer compliance questionnaires and security assessments.
Support sales and pre-sales with compliance documentation, certifications overview, and security posture materials.
Ensure product-level compliance considerations (e.g., OSS license management, SBOM generation) are integrated into engineering workflows.
OSS license compliance in code: Engineering owns remediation and CI/CD integration — you provide the policy framework and audit.
Product security features (enc…