Information Security & Compliance Officer

smallpdf

1d•Hybrid

About The Position

Pdftools is seeking an Information Security & Compliance Officer to build and manage its compliance and security framework. This role is crucial for ensuring the company meets growing regulatory demands (GDPR, Swiss FADP, AI Act, DORA, NIS2) and maintains a strong security posture. The officer will own the end-to-end compliance program, moving it from reactive gap-closing to a proactive, professional program. This includes managing privacy governance, data protection, vendor risk, security measures, and regulatory readiness. The role requires collaboration with various internal teams (Engineering, Product, Legal, IT/DevOps) and external partners, while also serving as the primary point of contact for customer compliance inquiries and assessments.

Requirements

3–5+ years of experience in information security, data protection, or compliance roles, ideally in a B2B software or SaaS environment.
Working knowledge of GDPR and Swiss FADP, including hands-on experience with ROPAs, DPAs, DSR handling, and data transfer mechanisms (SCCs, adequacy decisions).
Familiarity with security frameworks and controls: ISO 27001, SOC 2, or similar.
Ability to build and maintain a risk register and drive risk mitigation across teams.
Strong written and verbal communication in English.
Pragmatic and structured approach to prioritizing in a mid-sized company.
Comfortable working independently.

Nice To Haves

German language skills.
Experience with OSS license compliance (SBOM generation, license scanning tools).
Exposure to AI Act, DORA, or NIS2 requirements.
Background in software development or engineering.
Experience in an M&A or due diligence context.
Relevant certifications: CIPP/E, CIPM, CISM, ISO 27001 Lead Implementer, or similar.

Responsibilities

Own and maintain the Register of Processing Activities (ROPA), ensuring compliance with GDPR, Swiss FADP, and CCPA.
Manage data subject request (DSR) workflows and ensure timely, compliant responses.
Own and enforce the retention and deletion policy for data lifecycle management.
Maintain and improve company privacy policies.
Manage the processor register and DPA repository, ensuring all vendors have reviewed DPAs with appropriate safeguards.
Establish and run an annual vendor review cadence.
Map and document international data transfers and safeguards.
Own the company's Technical and Organizational Measures (TOMs) documentation and drive periodic testing of security controls.
Coordinate penetration testing with external partners.
Build toward a security monitoring and incident response capability.
Own the risk register, drive risk mitigation, and report to leadership.
Evaluate and recommend security tooling.
Track emerging regulatory requirements and assess applicability.
Prepare the company for potential ISO 27001 or SOC 2 certification.
Coordinate with external legal counsel on regulatory assessments and policy drafting.
Respond to customer compliance questionnaires and security assessments.
Support sales and pre-sales with compliance documentation and security posture materials.
Ensure product-level compliance considerations are integrated into engineering workflows.

Benefits

Impact on how over 30 million people get work done monthly.
Opportunity to push boundaries and learn from failures.
30 vacation days.
Flexible working hours.
Sabbatical leave for employees with over two years of tenure.
16 weeks parental leave at 100% salary for all new parents.
Pet-friendly office in Zurich.
Well-being budget of up to 2,000 CHF annually for training, development, and physical/mental well-being.
Possibility of a Phantom stock option plan (PSOP).
Hack days for team challenges and building.
Supportive environment with deep technical expertise and kind colleagues.
Opportunity to build something meaningful.