Information Security & Compliance Officer
Zürich - Switzerland
Job Summary
Who Are We
For more than 30 years, Pdftools has helped organizations around the world handle their documents with confidence. Behind every secure form, every archived record, and every automated workflow, there's a moment where trust matters, and our technology makes those moments work.
We believe documents are more than files. They're the heartbeat of how people communicate, protect information, prove identity, and keep society running. As a Swiss B2B software company, we specialize in PDF processing SDKs, conversion services, and document workflow solutions, serving enterprise customers, system integrators, and OEMs across regulated industries, including financial services, government, and healthcare. Part of a growing group, we operate in a market where data security, compliance maturity, and regulatory readiness are increasingly decisive.
We're Swiss-built, quality-obsessed, and deeply committed to doing things the right way. And we're human at our core: curious, collaborative, and motivated by solving real problems for real people.
Today we're innovating faster than ever, and we're ready to grow the team that helps us do it.
Goal
PDF Tools AG is building its compliance and security capability from an early-stage foundation toward a structured, auditable framework. Today, compliance responsibilities are distributed across leadership: the CEO is formally accountable and the CTO drives execution, but there is no dedicated operational owner. As the company grows and the regulatory landscape intensifies (GDPR, Swiss FADP, AI Act, DORA, NIS2), we need a single person who owns this domain end-to-end and can move it from reactive gap-closing to a sustained, professional program.
This role was created to provide that dedicated ownership: someone who can take over the running compliance program, close remaining gaps, build repeatable processes, and represent the company's security and compliance posture toward customers, auditors, and partners.
What You Will Own
Privacy Governance & Data Protection
Own and maintain the Register of Processing Activities (ROPA), currently established but requiring ongoing expansion and review.
Ensure compliance with GDPR, Swiss FADP (revDSG), and CCPA requirements across all company operations.
Manage data subject request (DSR) workflows and ensure timely, compliant responses.
Own the retention and deletion policy: define, implement, and enforce data lifecycle rules.
Maintain and improve the company's privacy policies (website, HR, product-level).
Vendor & Third-Party Risk Management
Maintain the processor register and DPA repository.
Ensure all active vendors/processors have reviewed DPAs with appropriate safeguards (SCCs, Swiss addenda).
Establish and run an annual vendor review cadence.
Map and document international data transfers and safeguards.
Security & Technical Measures
Own the company's Technical and Organizational Measures (TOMs) documentation.
Drive formalization and periodic testing of security controls.
Coordinate penetration testing with external partners.
Build toward a security monitoring and incident response capability.
Own the risk register: maintain it, drive risk owners to close items, and report to leadership.
Evaluate and recommend security tooling (e.g. CVE scanning, static analysis integration, SIEM).
Regulatory & Certification Readiness
Track emerging regulatory requirements (AI Act, DORA, NIS2) and assess applicability.
Prepare the company for potential ISO 27001 or SOC 2 certification when strategically appropriate.
Coordinate with external legal counsel (currently MLL) on regulatory assessments and policy drafting.
Customer & Business-Facing Compliance
Respond to customer compliance questionnaires and security assessments.
Support sales and pre-sales with compliance documentation, certifications overview, and security posture materials.
Ensure product-level compliance considerations (e.g. OSS license management, SBOM generation) are integrated into engineering workflows.
What You Will NOT Own (But Will Collaborate On)
OSS license compliance in code: Engineering owns remediation and CI/CD integration; you provide the policy framework and audit.
Product security features (encryption, access control, signatures): Engineering and Product own implementation; you define requirements and validate.
Contract negotiation: Legal and Sales lead; you provide compliance input and review DPA terms.
IT operations and infrastructure security: IT/DevOps owns day-to-day; you define policy and audit.
What This Looks Like Day-to-Day
In the first 6 months, you will spend most of your time closing existing gaps: completing the ROPA, getting DPAs in place, formalizing TOMs, and building the risk register into a living document. You will work closely with the CTO, who has been driving this work and will hand over operational ownership to you. You will also interface with external counsel and respond to customer questionnaires that come in through Sales.
Once the foundation is solid, the role shifts toward maintaining and improving the program: running periodic reviews, preparing for audits, tracking regulatory changes, and building internal awareness through training and guidelines.
What We Are Looking For
Must-Have
3-5 years of experience in information security, data protection, or compliance roles, ideally in a B2B software or SaaS environment.
Working knowledge of GDPR and Swiss FADP, including hands-on experience with ROPAs, DPAs, DSR handling, and data transfer mechanisms (SCCs, adequacy decisions).
Familiarity with security frameworks and controls: ISO 27001, SOC 2, or similar. You don't need to have led a certification, but you should understand the requirements.
Ability to build and maintain a risk register and drive risk mitigation across teams.
Strong written and verbal communication in English (working language). German is a significant plus for Swiss regulatory context and local vendor interactions.
Pragmatic and structured: you can prioritize what matters in a 50-person company, not gold-plate processes designed for 5000.
Comfortable working independently: this is a one-person function with leadership support, not a large team.
Nice-to-Have
Experience with OSS license compliance (SBOM generation, license scanning tools like BlackDuck, FOSSA, or similar).
Exposure to AI Act, DORA, or NIS2 requirements.
Background in software development or engineering, enough to understand CI/CD pipelines, cloud infrastructure, and product architecture at a conceptual level.
Experience in an M&A or due diligence context where compliance posture was a factor.
Relevant certifications: CIPP/E, CIPM, CISM, ISO 27001 Lead Implementer, or similar.
Why you'll love working at Pdftools
Pdftools is a place where people genuinely care about doing things well.
We believe in precision, empathy, collaboration, and continuous improvement - and we live those values every day.
You'll be supported by deep technical expertise, surrounded by kind people, and given the space to build something meaningful. With a strong, trusted product behind you and a team committed to solving real problems together, your work will matter far beyond marketing.
Because our technology touches essential workflows around the world, your impact will reach people and organizations who rely on us when trust and integrity matter most.
If you want to help shape the way the world shares information with trust and integrity - we'd love to meet you.
Our benefits
You get to impact how over 30 million people get work done monthly.
Push boundaries and dare to fail - that's how we learn!
30 vacation days - yep, you read that right - you can take them whenever you need them.
Flexibility: we have flexible working hours.
Need a long break? We offer sabbatical leave to employees who've been with us for over two years.
16 weeks parental leave - 100% of your salary - for all new parents.
Don't leave your four-legged friends at home; our Zurich office is pet-friendly.
A well-being budget of up to 2000 CHF every year that can be used for training and development (plus days off for courses or training) and for physical and mental well-being purposes.
Possibility of a Phantom stock option plan - PSOP (conditions apply).
Hack days to challenge you and your team, plus build amazing things.
How to Apply
Please apply using the form below and upload your CV - in English, as it's the standard working language at Pdftools. PDF format is preferred.
Compensation philosophy
At Pdftools, we believe compensation should be fair, transparent, and thoughtfully aligned with the value each person brings to our team. Our approach balances several key factors - current market trends, role expectations, seniority, experience, and geographic location - to ensure every offer is both competitive and equitable.
We review our salary ranges regularly to stay in step with the evolving market, and we make decisions based on skills, impact, and responsibility rather than negotiation strength. Our goal is simple: to recognize and reward great work, support long-term growth, and create a compensation structure that feels fair, consistent, and grounded in integrity.
We want everyone at Pdftools to feel valued, supported, and empowered to do their best work - and our compensation philosophy is designed to reflect exactly that.
Hiring policy
Pdftools is an equal-opportunity employer, and we believe our strength comes from a team that reflects a wide range of backgrounds, identities, perspectives, and lived experiences. We welcome applicants of all genders, ethnicities, ages, abilities, orientations, and life paths. You'll also have the option to share your pronouns and answer an anonymous demographic questionnaire when you apply. This information is completely voluntary, but it helps us stay accountable in building an inclusive and equitable hiring process.
We use AI thoughtfully in our day-to-day work, but we value human curiosity, creativity, and integrity above all. We're excited to meet candidates who bring genuine expertise, real stories, and authentic experience to the table.
By submitting your application you agree to Pdftools handling and storing your data in accordance with our privacy guidelines.