// Trust & Security Report

    Smallpdf AG logo

    Smallpdf AG

    Web-based PDF productivity suite (compress, convert, merge, edit, e-sign) with an added AI PDF Assistant (chat with PDF, summarize, translate, question generation) and Sign.com for e-signature workflows. Consumer, Pro, and Team pricing tiers on the same platform.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2013
    HELD

    We comply with the globally accepted ISO/IEC accreditation for applying an information security management system (ISO 27001:2013).

    Verify on smallpdf.com
    GDPR
    HELD

    Smallpdf is ISO/IEC 27001 certified and GDPR, CCPA, and nFADP compliant.

    Verify on smallpdf.com
    CCPA
    HELD

    Smallpdf is ISO/IEC 27001 certified and GDPR, CCPA, and nFADP compliant.

    Verify on smallpdf.com
    nFADP (Swiss Federal Act on Data Protection)
    HELD

    Smallpdf is ISO/IEC 27001 certified and GDPR, CCPA, and nFADP compliant.

    Verify on smallpdf.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    No public evidence of a SOC 2 report on vendor domain; trust center and homepage list ISO 27001, GDPR, CCPA, and nFADP only, with no mention of SOC 2.

    source: smallpdf.com
    HIPAA / BAA
    NOT CONFIRMED

    No public evidence of a HIPAA Business Associate Agreement offering on vendor domain; independent reviews note Smallpdf's standard tiers do not provide a BAA and PHI should not be uploaded.

    source: smallpdf.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor domain (payment processing is not a described product feature).

    source: smallpdf.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of ISO 27017, 27018, or 27701 on vendor domain; only ISO 27001:2013 is referenced.

    source: smallpdf.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of AI governance certification on vendor domain, despite Smallpdf offering an AI PDF Assistant product.

    source: smallpdf.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR registration or CSA STAR AI attestation found on vendor domain.

    source: smallpdf.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on vendor domain; not relevant to this consumer/SMB product's stated market.

    source: smallpdf.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU (Ireland) for file processing infrastructure, per vendor blog: server infrastructure falls under EU data protection law.

    Vendor homepage and blog make no reference to AI training at all. Treat as probable but not fully vendor-quote-verified; re-check the live privacy notice before using this as a hard claim.

    // Security controls

    Encryption in transit

    256-bit TLS encryption for file transfer, described by the vendor as 'the same encryption used by banks'.

    smallpdf.com

    File retention / deletion

    Files uploaded to free tools are deleted from servers after 1 hour of processing; files saved to account storage are kept until the user deletes them, removed within 1 hour of a deletion request.

    smallpdf.com

    Access control

    Vendor states only the account owner can view, edit, or access uploaded files unless explicit permission is granted to others.

    smallpdf.com

    Data residency

    Server infrastructure located in Ireland, under EU data protection law.

    smallpdf.com

    Vulnerability disclosure

    Vendor publishes a security.txt contact for reporting security issues (security@smallpdf.com).

    smallpdf.com

    // Products & data scope

    Smallpdf Free / Pro (consumer)PDF conversion, compression, merge, edit, e-sign

    data: User-uploaded PDFs and derived files, processed transiently and deleted within 1 hour unless saved to account storage.

    Same infrastructure and compliance posture as Team tier; no separate hardened offering documented.

    Smallpdf TeamPDF productivity for small/medium teams

    data: Same as consumer tier, plus shared team file storage and admin controls.

    No evidence of a distinct enterprise-grade compliance tier (e.g. dedicated BAA, SOC 2 report) beyond the standard ISO 27001 / GDPR posture.

    AI PDF AssistantAI features: chat with PDF, summarize, translate, question generation

    data: Uploaded document content is processed by AI to generate summaries/answers; vendor-adjacent sources state files are not retained for AI training or manual review, but this could not be independently re-confirmed with a first-hand vendor quote in this session (see privacy.ai_training_note).

    No AI-governance certification (ISO 42001, CSA STAR AI) found despite this being an AI-driven product line.

    Sign.comStandalone e-signature product, linked from Smallpdf's Sign PDF tool

    data: Signature requests and signed documents.

    // What to watch

    • No SOC 2 report found on vendor domain; only ISO 27001 is documented, which is common for a growth-stage consumer/SMB tool but should be disclosed as a gap, not assumed absent by omission alone.
    • No HIPAA/BAA offering found; independent reviews explicitly warn against uploading PHI. AIFOXX should not list this vendor as HIPAA-suitable.
    • AI PDF Assistant is a meaningful product line with no AI-specific governance certification (ISO 42001, CSA STAR AI) - flag as a gap given growing scrutiny of AI data handling.

    // At a glance

    Pricing model

    Freemium: free tools with limits, Pro (~EUR 7.50/mo/user annual) and Team (~EUR 6.00/mo/user annual, 2-100 seats) subscriptions.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Smallpdf AG's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    smallpdf.com

    > Browse all vendor trust reports