NextPDF · Company · 2 min read

The company behind NextPDF

NextPDF is the open core of a commercial product, built by a Taipei security company under an ISO 27001-certified ISMS. Here is why that provenance is worth knowing before you adopt it.

When you choose a PDF engine, you choose a dependency that sits close to sensitive material: contracts, invoices, signed agreements, and the private keys that sign them. For an open-source library that touches cryptography and legal artifacts, “who maintains this, and under what discipline?” is not a sentimental question. It is a supply-chain question.

The open core of a commercial product

NextPDF is built and maintained by PATEON Network Technology, an independent security-and-network engineering company based in Taipei, Taiwan. Before any of its code was open source, the engine spent years as a production product inside that company — used for B2B document workflows where security and compliance were central.

The open-source Core is that proven engine, released to the community under Apache-2.0. The Pro and Enterprise editions remain PATEON’s proprietary product, and their revenue funds the open core’s continued maintenance. This is what commercially validated means in practice: the engine was exercised for years against audit-relevant documents and real signing obligations before it was opened.

Discipline you can verify

PATEON operates an ISO/IEC 27001:2022-certified information-security management system, independently audited and under active surveillance. That certification covers the company’s ISMS — it is strong evidence of organizational discipline, not a line-by-line conformance seal for any single release, and we are careful not to present it as one.

The same posture explains why standards compliance is the spine of the project, not a bolted-on feature. A company whose business is security services does not treat a signing pipeline casually. That habit shows up in the engine: an API that refuses to guess, typed failures, and a refusal to silently degrade.

What this means for you

The most common misreading of “open source” is “unsupported” — a library you adopt at your own risk, maintained by volunteers, with no one accountable when it matters. NextPDF has the opposite structure: the core is the open edition of a commercial product, maintained by the company that sells the editions built on it.

The provenance is verifiable, and the engine runs entirely in your own process — it has no dependency on PATEON’s services to do its work. The relationship is about who builds and governs the code, not where your documents go.
