Information Security & Compliance Officer

Compliance And Security Manager

PDF Tools AG is building its compliance and security capability from an early-stage foundation toward a structured, auditable framework. Today, compliance responsibilities are distributed across leadership — the CEO is formally accountable, the CTO drives execution — but there is no dedicated operational owner. As the company grows and the regulatory landscape intensifies (GDPR, Swiss FADP, AI Act, DORA, NIS2), we need a single person who owns this domain end-to-end and can move it from reactive gap-closing to a sustained, professional program.

This role was created to provide that dedicated ownership: someone who can take over the running compliance program, close remaining gaps, build repeatable processes, and represent the company's security and compliance posture toward customers, auditors, and partners.

Privacy Governance & Data Protection

• Own and maintain the Register of Processing Activities (ROPA) — currently established but requiring ongoing expansion and review.
• Ensure compliance with GDPR and Swiss FADP (revDSG) and CCPA requirements across all company operations.
• Manage data subject request (DSR) workflows and ensure timely, compliant responses.
• Own the retention and deletion policy — define, implement, and enforce data lifecycle rules.
• Maintain and improve the company's privacy policies (website, HR, product-level).

Vendor & Third-Party Risk Management

• Maintain the processor register and DPA repository.
• Ensure all active vendors/processors have reviewed DPAs with appropriate safeguards (SCCs, Swiss addenda).
• Establish and run an annual vendor review cadence.
• Map and document international data transfers and safeguards.

Security & Technical Measures

• Own the company's Technical and Organizational Measures (TOMs) documentation.
• Drive formalization and periodic testing of security controls.
• Coordinate penetration testing with external partners.
• Build toward a security monitoring and incident response capability.
• Own the risk register — maintain it, drive risk owners to close items, report to leadership.
• Evaluate and recommend security tooling (e.g., CVE scanning, static analysis integration, SIEM).

Regulatory & Certification Readiness

• Track emerging regulatory requirements (AI Act, DORA, NIS2) and assess applicability.
• Prepare the company for potential ISO 27001 or SOC 2 certification when strategically appropriate.
• Coordinate with external legal counsel (currently MLL) on regulatory assessments and policy drafting.

Customer & Business-Facing Compliance

• Respond to customer compliance questionnaires and security assessments.
• Support sales and pre-sales with compliance documentation, certifications overview, and security posture materials.
• Ensure product-level compliance considerations (e.g., OSS license management, SBOM generation) are integrated into engineering workflows.

What You Will Not Own (But Will Collaborate On)

• OSS license compliance in code : Engineering owns remediation and CI/CD integration — you provide the policy framework and audit.
• Product security features (encryption, access control, signatures): Engineering and Product own implementation — you define requirements and validate.
• Contract negotiation : Legal and Sales lead — you provide compliance input and review DPA terms.
• IT operations and infrastructure security : IT/DevOps owns day-to-day — you define policy and audit.

What This Looks Like Day-to-Day

In the first 6 months, you will spend most of your time closing existing gaps: completing the ROPA, getting DPAs in place, formalizing TOMs, and building the risk register into a living document. You will work closely with the CTO, who has been driving this work and will hand over operational ownership to you. You will also interface with external counsel and respond to customer questionnaires that come in through Sales.

Once the foundation is solid, the role shifts toward maintaining and improving the program: running periodic reviews, preparing for audits, tracking regulatory changes, and building internal awareness through training and guidelines.

What We Are Looking For

Must-Have

• 3–5+ years of experience in information security, data protection, or compliance roles — ideally in a B2B software or SaaS environment.
• Working knowledge of GDPR and Swiss FADP, including hands-on experience with ROPAs, DPAs, DSR handling, and data transfer mechanisms (SCCs, adequacy decisions).
• Familiarity with security frameworks and controls: ISO 27001, SOC 2, or similar — you don't need to have led a certification, but you should understand the requirements.
• Ability to build and maintain a risk register and drive risk mitigation across teams.
• Strong written and verbal communication in English (working language). German is a significant plus for Swiss regulatory context and local vendor interactions.
• Pragmatic and structured: you can prioritize what matters in a 50-person company, not gold-plate processes designed for 5,000.
• Comfortable working independently — this is a one-person function with leadership support, not a large team.

Nice-to-Have

• Experience with OSS license compliance (SBOM generation, license scanning tools like BlackDuck, FOSSA, or similar).
• Exposure to AI Act, DORA, or NIS2 requirements.
• Background in software development or engineering — enough to understand CI/CD pipelines, cloud infrastructure, and product architecture at a conceptual level.
• Experience in an M&A or due diligence context where compliance posture was a factor.
• Relevant certifications: CIPP/E, CIPM, CISM, ISO 27001 Lead Implementer, or similar.

Why you'll love working at Pdftools

Pdftools is a place where people genuinely care about doing things well.

We believe in precision, empathy, collaboration, and continuous improvement - and we live those values every day.

You'll be supported by deep technical expertise, surrounded by kind people, and given the space to build something meaningful. With a strong, trusted product behind you and a team committed to solving real problems together, your work will matter far beyond marketing.

Because our technology touches essential workflows around the world, your impact will reach people and organizations who rely on us when trust and integrity matter most.

If you want to help shape the way the world shares information with trust and integrity - we'd love to meet you.

Our benefits

You get to impact how over 30 million people get work done monthly.

Push boundaries and dare to fail - that's how we learn!

30 vacation days - yep, you read that right - you can take them whenever you need them.

Flexibility: we have flexible working hours.

Need a long break? We offer sabbatical leave to employees who've been with us for over two years.

16 weeks parental leave - 100% of your salary - for all new parents.

Don't leave your four-legged friends at home; our Zurich office is pet-friendly.

A well-being budget of up to 2,000 CHF every year that can be used for training and development (plus days off for courses or training) and for physical and mental well-being purposes.

Possibility of a Phantom stock option plan - PSOP (Conditions apply).

‍ Hack days to challenge you and your team, plus build amazing things.

How to Apply

Please apply using the form below and upload your CV - in English, as it's the standard working language at Pdftools. A PDF format is preferred.

Compensation philosophy

At Pdftools, we believe compensation should be fair, transparent, and thoughtfully aligned with the value each person brings to our team. Our approach balances several key factors - current market trends, role expectations, seniority, experience, and geographic location - to ensure every offer is both competitive and equitable.

We review our salary ranges regularly to stay in step