
Information Security Officer – Compliance
Posted May 30

This is a fully remote position, open to applicants in Switzerland.
• Take ownership and manage the Register of Processing Activities (ROPA) — established but requires continuous expansion and evaluation.
• Ensure adherence to GDPR, Swiss FADP (revDSG), and CCPA regulations across all organizational operations.
• Oversee data subject request (DSR) processes and guarantee prompt, compliant responses.
• Manage the retention and deletion policy — define, implement, and enforce rules for data lifecycle management.
• Enhance and uphold the company's privacy policies (website, HR, product-level).
• Maintain the processor register and Data Processing Agreement (DPA) repository.
• Ensure all active vendors/processors have reviewed DPAs with suitable safeguards (SCCs, Swiss addenda).
• Establish and execute an annual review schedule for vendors.
• Map and document international data transfers and related safeguards.
• Take charge of the company's Technical and Organizational Measures (TOMs) documentation.
• Propel the formalization and routine testing of security controls.
• Organize penetration testing with external partners.
• Develop a security monitoring and incident response capability.
• Manage the risk register — keep it updated, motivate risk owners to resolve issues, and report to leadership.
• Assess and suggest security tools (e.g., CVE scanning, static analysis integration, SIEM).
• Monitor emerging regulatory requirements (AI Act, DORA, NIS2) and evaluate their relevance.
• Prepare the organization for potential ISO 27001 or SOC 2 certification when strategically beneficial.
• Collaborate with external legal counsel (currently MLL) on regulatory evaluations and policy development.
• Address customer compliance questionnaires and security assessments.
• Assist sales and pre-sales teams with compliance documentation, certifications overview, and security posture materials.
• Ensure product-level compliance considerations (e.g., OSS license management, SBOM generation) are incorporated into engineering workflows.
• 3–5+ years of experience in information security, data protection, or compliance roles — preferably in a B2B software or SaaS setting.
• Practical knowledge of GDPR and Swiss FADP, including direct experience with ROPAs, DPAs, DSR management, and data transfer mechanisms (SCCs, adequacy decisions).
• Familiarity with security frameworks and controls: ISO 27001, SOC 2, or equivalent — leadership in certification is not required, but understanding the requirements is essential.
• Capability to develop and maintain a risk register and facilitate risk mitigation across teams.
• Strong written and verbal communication skills in English (working language). Proficiency in German is a significant advantage for Swiss regulatory matters and local vendor engagements.
• Pragmatic and organized: able to prioritize effectively in a 50-person company, avoiding unnecessarily complex processes suitable for a larger organization.
• Comfortable working autonomously — this is a solo role supported by leadership, rather than a part of a large team.
• 30 vacation days - indeed, you read that correctly - take them whenever you need.
• Flexibility: we offer flexible working hours.
• Need an extended break? We provide sabbatical leave for employees with over two years of service.
• 16 weeks of parental leave - 100% of your salary - for all new parents.
• Don’t leave your furry friends at home; our Zurich office welcomes pets.
• A well-being budget of up to 2,000 CHF each year for training and development (plus days off for courses or training) and for physical and mental wellness initiatives.
• Potential for a Phantom stock option plan - PSOP (conditions apply).
• Hack days to inspire you and your team, plus the opportunity to create remarkable projects.