The company behind NextPDF
Spec: ISO/IEC 27001:2022. Evidence: Mixed evidence.
At a glance
NextPDF is built and maintained by PATEON Network Technology, an independent software-technology company based in Taipei, Taiwan. Before any of its code was open source, the engine spent years as a production product inside that company — used for B2B document workflows where security and compliance were central.
The open-source core is that proven engine, released to the community under Apache-2.0. The Pro and Enterprise editions remain PATEON’s proprietary product. This page explains who stands behind the engine, the security discipline it is built under, and why that provenance is worth knowing before you adopt it.
Why this matters
When you choose a PDF engine, you choose a dependency that sits close to sensitive material: contracts, invoices, signed agreements, and the private keys that sign them. For an open-source library that touches cryptography and legal artifacts, “who maintains this, and under what discipline?” is not a sentimental question. It is a supply-chain question.
A visible steward gives you something concrete to evaluate: who owns the code, who is accountable for maintaining it, and what governance they work under. NextPDF answers those questions plainly. It is the open core of a commercial product — the work of a staffed company, born in production, still owned and actively maintained by the team that built it, and governed by an independently certified information-security management system. The provenance is verifiable, and this page shows you how to verify it yourself.
The short version
- The maker. PATEON Network Technology (trading as pnt.) is a Taipei, Taiwan company that provides integrated network-technology and security services to B2B customers.
- The team. Around 25 people, structured into an independent R&D team, a dedicated security-research team, and a network operations center (NOC) — not a side project, but a staffed engineering organization.
- The origin. NextPDF Core began as PATEON’s internal engine and was hardened over years of commercial production use before it was opened.
- The discipline. PATEON runs an ISO/IEC 27001:2022-certified information-security management system, independently audited and under active surveillance.
- The split. Core is open source (Apache-2.0) and community-available; Pro and Enterprise stay proprietary, and their revenue funds the open core’s continued maintenance.
How NextPDF approaches it
NextPDF did not start life as a marketing exercise. It started as a tool a security company needed for its own customers, and it still carries the marks of that origin: an API that refuses to guess, typed failures, and a refusal to silently degrade. Those are the habits of software written by people who had to operate it for paying clients, not demo it once and move on.
The path from an internal product to an open-source engine ran in deliberate stages.
- Built for clients. NextPDF began as PATEON's internal engine for regulated B2B document, signing, and validation work.
- Proven in production. Years of commercial use under real compliance and security obligations exposed the edge cases and fixed them.
- Security-governed. Maintained under an ISO/IEC 27001:2022-certified ISMS, with a dedicated security-research team owning the cryptographic surface.
- Opened to the community. The mature core engine was released as Apache-2.0 open source, with the original team continuing to maintain it.
- Premium stays specialised. Pro and Enterprise remain PATEON's proprietary product, and fund the open core they build on.
This is what commercially validated means in practice. The core engine is not a hopeful 1.0 release waiting for its first real workload — it was exercised for years in production, against audit-relevant documents and signing workflows with real obligations attached. Opening it was a decision to share a product that had already done the work, not to crowdsource an unfinished one.
The same discipline explains why information security and standards compliance are not bolted-on features. They are the spine of the project. A company whose business is security services does not treat a signing pipeline casually. That posture is reflected in how the documentation is written: behavioural claims state their boundary, and standards are named by their exact identifier. The reasoning behind the engine’s fail-closed stance is set out, with its evidence, on the design philosophy page — this page only points at it.
The company, in verifiable facts
PATEON Network Technology is a registered Taiwanese corporation. The identifiers below are public and independently checkable. The section on verifying the provenance yourself shows how.
| Attribute | Value |
|---|---|
| Registered name (English) | PATEON NETWORK TECHNOLOGY INCORPORATED |
| Trading name | PATEON NETWORK TECHNOLOGY (pnt.) |
| Registered name (Chinese) | 拓宇網路資訊股份有限公司 |
| Jurisdiction | Taiwan (R.O.C.) |
| Registrar | Taipei City Government |
| Headquarters | 5F, No. 92, Section 3 Jianguo North Road, Zhongshan Dist., 104069 Taipei City, Taiwan |
| Registered capital | TWD 20,000,000 (approximately USD 650,000) |
| Business ID / VAT | TW-83211678 |
| D-U-N-S Number | 657718207 |
| Organization identifier | LEIXG-984500C5F04C2EF6C128 |
| Governing law | Taiwan / R.O.C. |
What the evidence says
This page’s evidence level is Mixed evidence: an editorial account of the project’s origin, corroborated by an artifact-backed certification and a set of public corporate registrations. It does not ask you to take the story on faith. The maker is a registered company with a real address, a staffed organization, and a security certification you can confirm in an independent registry.
ISO/IEC 27001:2022 — a certified information-security discipline
The central evidence on this page is that PATEON’s information-security management system (ISMS) is certified to ISO/IEC 27001:2022.
An ISMS, in plain terms, is a governed framework for managing information-security risk: documented policies, an explicit risk-assessment and risk-treatment process, a defined set of controls, assigned ownership, and a cycle of internal audit and continual improvement. ISO/IEC 27001 is the international standard against which such a system is independently audited; this certification is to its 2022 revision.
Certification matters here for three concrete reasons:
- It is independent, not self-asserted. A third-party certification body audited the management system against the standard. The claim is theirs, not a badge the company printed for itself.
- It is ongoing, not a one-time stamp. ISO/IEC 27001 certification is maintained through periodic surveillance audits and a multi-year recertification cycle. A current certificate means the discipline is being re-checked, not that a box was ticked once.
- It governs how risk is handled around your data. The same management system that the certificate covers is what disciplines how PATEON’s team treats keys, source, customer material, and the operational surface around the product.
The certification is independently verifiable:
| Attribute | Value |
|---|---|
| Standard | ISO/IEC 27001:2022 |
| Certificate number | QCC/B86F/1224 |
| Certification body | Quality Control Certification |
| IAF-verifiable record | iafcertsearch.org |
The IAF link resolves to the certificate’s entry in the IAF CertSearch database — the International Accreditation Forum’s registry of certifications issued under accredited bodies. That lookup separates a real certification from a claim: you can confirm it without taking anyone’s word for it.
Practical example
Verifying the provenance takes a few minutes and no special access. Everything you need is public:
- Confirm the certification. Open the IAF CertSearch record and check that it names PATEON Network Technology and certificate QCC/B86F/1224 against ISO/IEC 27001:2022.
- Confirm the company. Cross-check the D-U-N-S Number 657718207 and the Taiwan Business ID TW-83211678 against the public business registries. The organization identifier LEIXG-984500C5F04C2EF6C128 follows the ETSI EN 319 412-1 organization-identifier format: the LEIXG prefix denotes a Legal Entity Identifier and 984500C5F04C2EF6C128 is its 20-character LEI.
- Confirm the code. The open-source core is Apache-2.0 licensed; its license, source, and release history are public. The licensing overview sets out exactly what the open core grants and where the proprietary editions begin.
Three independent sources — an accreditation registry, a corporate registry, and a public code license — agree on the same maker. That is what verifiable provenance looks like.
Common misconception
The most common misreading is that open source implies unsupported: a library you adopt at your own risk, maintained by volunteers in their spare time, with no one accountable when it matters. NextPDF has the opposite structure. The core is the open edition of a commercial product, maintained by the company that sells the Pro and Enterprise editions built on it. The commercial business is the reason the open core stays maintained, not a threat to it.
A second misreading is that a company-backed engine must therefore phone home or see your documents. It does not. NextPDF Core runs in your own process, on your own infrastructure; it has no dependency on PATEON’s services to do its work. The company relationship is about who builds and governs the code, not where your documents go. What the engine does and does not collect is documented in Data handling, on its own terms.
Limits and boundaries
This page is an editorial "about" page. It states the project’s origin and the maker’s credentials; it makes no new behavioural claim of its own about the engine. Every behavioural claim about NextPDF lives on the topic page that owns it, with that page’s evidence level.
A few boundaries are worth stating directly:
- The certification covers the ISMS, not a per-release product seal. ISO/IEC 27001 certifies the company’s information-security management system. It is strong evidence of organizational discipline; it is not a line-by-line conformance certificate for any single NextPDF release, and this page does not present it as one.
- Open core, proprietary premium. Apache-2.0 governs the core engine. The Pro and Enterprise editions are PATEON’s proprietary work and are not part of the open-source grant. Where the boundary sits is documented in the licensing overview.
- Corporate facts can change. Capital, address, and registry details are current as of this page’s review date. The authoritative source is always the public registry, not this page.
Related docs
- The NextPDF design philosophy — the engineering principles that grew out of this commercial origin.
- The standards landscape — the standards the engine tracks, and how a clause becomes behaviour.
- Documentation as a product — the same discipline, applied to the docs you are reading.
- Data handling — what the engine collects, and what it does not.
Glossary
- PATEON Network Technology (pnt.) — the Taipei, Taiwan company that builds and maintains NextPDF; registered as PATEON NETWORK TECHNOLOGY INCORPORATED.
- ISMS (Information-Security Management System) — a governed framework of policies, risk treatment, controls, and audit through which an organization manages information-security risk.
- ISO/IEC 27001:2022 — the 2022 edition of the international standard against which an ISMS is independently audited and certified.
- IAF CertSearch — the International Accreditation Forum’s public registry of certifications issued under accredited certification bodies; the place a certificate can be confirmed independently.
- NOC (Network Operations Center) — a staffed function that monitors and operates network and service infrastructure.
- Commercially validated — proven in real, paid production use under genuine obligations, as distinct from demonstrated only in a controlled example.