// Trust & Security Report
Smallpdf AG
Web-based PDF productivity suite (compress, convert, merge, edit, e-sign) with an added AI PDF Assistant (chat with PDF, summarize, translate, question generation) and Sign.com for e-signature workflows. Consumer, Pro, and Team pricing tiers on the same platform.
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on smallpdf.com“We comply with the globally accepted ISO/IEC accreditation for applying an information security management system (ISO 27001:2013).”
Verify on smallpdf.com“Smallpdf is ISO/IEC 27001 certified and GDPR, CCPA, and nFADP compliant.”
Verify on smallpdf.com“Smallpdf is ISO/IEC 27001 certified and GDPR, CCPA, and nFADP compliant.”
Verify on smallpdf.com“Smallpdf is ISO/IEC 27001 certified and GDPR, CCPA, and nFADP compliant.”
> Show 7 unconfirmed / not-held certifications
source: smallpdf.comNo public evidence of a SOC 2 report on vendor domain; trust center and homepage list ISO 27001, GDPR, CCPA, and nFADP only, with no mention of SOC 2.
source: smallpdf.comNo public evidence of a HIPAA Business Associate Agreement offering on vendor domain; independent reviews note Smallpdf's standard tiers do not provide a BAA and PHI should not be uploaded.
source: smallpdf.comNo public evidence of PCI DSS certification found on vendor domain (payment processing is not a described product feature).
source: smallpdf.comNo public evidence of ISO 27017, 27018, or 27701 on vendor domain; only ISO 27001:2013 is referenced.
source: smallpdf.comNo public evidence of AI governance certification on vendor domain, despite Smallpdf offering an AI PDF Assistant product.
source: smallpdf.comNo public evidence of CSA STAR registration or CSA STAR AI attestation found on vendor domain.
source: smallpdf.comNo public evidence of FedRAMP authorization on vendor domain; not relevant to this consumer/SMB product's stated market.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU (Ireland) for file processing infrastructure, per vendor blog: server infrastructure falls under EU data protection law.
Vendor homepage and blog make no reference to AI training at all. Treat as probable but not fully vendor-quote-verified; re-check the live privacy notice before using this as a hard claim.
// Security controls
Encryption in transit
256-bit TLS encryption for file transfer, described by the vendor as 'the same encryption used by banks'.
smallpdf.comFile retention / deletion
Files uploaded to free tools are deleted from servers after 1 hour of processing; files saved to account storage are kept until the user deletes them, removed within 1 hour of a deletion request.
smallpdf.comAccess control
Vendor states only the account owner can view, edit, or access uploaded files unless explicit permission is granted to others.
smallpdf.comVulnerability disclosure
Vendor publishes a security.txt contact for reporting security issues (security@smallpdf.com).
smallpdf.com// Products & data scope
data: User-uploaded PDFs and derived files, processed transiently and deleted within 1 hour unless saved to account storage.
Same infrastructure and compliance posture as Team tier; no separate hardened offering documented.
data: Same as consumer tier, plus shared team file storage and admin controls.
No evidence of a distinct enterprise-grade compliance tier (e.g. dedicated BAA, SOC 2 report) beyond the standard ISO 27001 / GDPR posture.
data: Uploaded document content is processed by AI to generate summaries/answers; vendor-adjacent sources state files are not retained for AI training or manual review, but this could not be independently re-confirmed with a first-hand vendor quote in this session (see privacy.ai_training_note).
No AI-governance certification (ISO 42001, CSA STAR AI) found despite this being an AI-driven product line.
data: Signature requests and signed documents.
// What to watch
- No SOC 2 report found on vendor domain; only ISO 27001 is documented, which is common for a growth-stage consumer/SMB tool but should be disclosed as a gap, not assumed absent by omission alone.
- No HIPAA/BAA offering found; independent reviews explicitly warn against uploading PHI. AIFOXX should not list this vendor as HIPAA-suitable.
- AI PDF Assistant is a meaningful product line with no AI-specific governance certification (ISO 42001, CSA STAR AI) - flag as a gap given growing scrutiny of AI data handling.
// At a glance
Pricing model
Freemium: free tools with limits, Pro (~EUR 7.50/mo/user annual) and Team (~EUR 6.00/mo/user annual, 2-100 seats) subscriptions.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Smallpdf AG's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
smallpdf.com