Data Protection Addendum

This Data Protection Addendum (DPA) is a crucial document for MyOpNotes as it outlines the obligations, responsibilities, and rights concerning the processing and protection of personal data. It ensures compliance with applicable data protection laws, establishes the roles of the controller and processor, and safeguards the privacy and security of patient data, building trust with users and demonstrating a commitment to data protection.


Last revision: September 22, 2023

Data Protection Addendum for users of MyOpNotes’ 'Single' and 'Clinic' service packages.

The conditions within this data protection addendum ("DPA") are immediately effective, and your sustained use of our services denotes your approval of these terms and the linked Service Terms. Previous editions of our data protection supplement can be provided upon request.

If you have an independent data processing agreement with MyOpNotes, the conditions within this data protection supplement do not apply to you (e.g., use by a large healthcare organisation).

This DPA enhances the Service Terms (see Terms of Service for individual clinician and clinic users)


  • The words “you”, “your”, or “Client” refer to you. If you are setting up an account to use the Services on behalf of an organisation, then you are agreeing to these terms for that organisation and assuring us that you have the power to bind that organisation to these terms (and, in this case, the terms “you”, “your”, or “Client” refer to that organisation).
  • The terms “we”, “us,” “our”, “MyOpNotes” or “Opnote” denote Opnote Ltd, a firm registered in England and Wales, with the registered office at Opnote Ltd, 19 Clowbridge Drive, Loughborough, Leicestershire, LE11 4SU, and the registered number 14438750.
  • “Service Terms” denotes the agreement between us and you, outlining the conditions for the Services to be delivered by us.
  • “Applicable Data Protection Law” refers to all legislation and regulations relevant to our processing of personal data under the Service Terms, including but not limited to, the General Data Protection Regulation (EU 2016/679) (“GDPR”).
  • The terms “controller”, “processor”, “data subject”, “personal data”, and “processing” (and “process”) possess the definitions accorded in line with Applicable Data Protection Law.
  • A “Data Subject” refers to an individual who is the subject of personal data.
  • “Personal Data” denotes data that relates to a living individual who can be identified from that data or from that data and other information which is or is likely to be in the possession of the data controller or data processor.
  • A “Security Incident” means an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data that has been confirmed or is reasonably suspected.
  • When we reference the “Services” in this DPA, we mean all products and services delivered by us that are used by you.
  • Any term capitalised but not defined in this DPA has the meaning assigned to it in the Service Terms.

Term alterations

We might update this DPA from time to time. We will provide you with a notification of any substantial updates at least thirty (30) days before the effective date.

Notifications for substantial updates to this DPA will be given in line with the Notices section of the Service Terms. Except as otherwise outlined by us, updates will be effective and binding from the date indicated at the top of this DPA. The updated version of this DPA will supersede all prior versions.

After such notice, your continued use of the Services on or after the date the updated version of the DPA is effective binds you and constitutes your acceptance of such updated terms. If you do not agree to the updated version of the DPA, you must cease using the Services immediately.

Controller and processor

The parties recognise and agree that with regard to the processing of Personal Data, we act as a processor and you are a data controller.

We will process Personal Data to deliver the Services as per the Service Terms and following your instructions as outlined in Controller's instructions. This DPA further details the duration, nature, and purpose of the processing, and the types of personal data and categories of data subjects.

You are responsible for ensuring compliance with Applicable Data Protection Law in your use of the Services and have the right to transfer, or provide access to, the Personal Data to us for processing in line with the terms of the Service Terms and this DPA.

You acknowledge that we are not responsible for deciding which laws are applicable to your business nor whether our provision of the Services meets or will meet the requirements of such laws. You will ensure that our processing of Personal Data, when done in accordance with the Controller’s instructions, will not cause us to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. You are responsible for ensuring that our processing aligns with your functions as a data controller (e.g., under Art.6(1)(b) and Art.9(2)(h) of the GDPR).

You will inform us if you become aware, or reasonably believe, that your data processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law.

Controller’s instructions

You appoint us as a processor to process Patient Data on your behalf as stated in this DPA, the Service Terms, and as otherwise necessary to provide the Services and as necessary to comply with applicable law.

We are to maintain comprehensive records of consent episodes for 25 years, according to best practice for medical records, and convert to summary records - including the patient name, procedure, responsible clinician, and consent form PDF - at 25 years.


In case any request, correspondence, query, or complaint from a data subject, regulatory authority, or third party is made directly to us concerning our processing of Patient Data, we will promptly inform you and provide details of the same, as far as legally allowed. Unless legally obligated to do so, we will not respond to any such request, inquiry, or complaint without your prior consent.

We will ensure that any individual we authorise to process Patient Data has committed to protect the data in line with our confidentiality obligations under the Service Terms.


You agree that we may utilise sub-processors to fulfil our contractual responsibilities under the Service Terms.

Where we authorise any sub-processor, we pledge to impose data protection conditions on the sub-processor that demand it to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, especially providing sufficient guarantees to implement suitable technical and organisational measures in such a way that the processing will meet the requirements of the GDPR.

You provide general consent for us to engage onward sub-processors, conditional on the following requirements:

  • Any onward sub-processor must agree to process data only in a country that the European Commission has declared to have an “adequate” level of protection.
  • We will limit the onward sub-processor’s access to personal data only to what is strictly necessary to provide the Services, and will prohibit the sub-processor from processing the personal data for any other purpose.

The sub-processors used by Opnote Ltd in the provision of the services are:

  • AWS Cloud Platform for the provision of cloud hosting.
  • Postmark for the provision of sending patient and clinician emails.
  • Twilio for the provision of sending patient SMS messages.

We will remain liable for any breach of this DPA that is caused by an act, error or omission of our sub-processors.

Data subject rights

Upon your request and at no additional cost, we will provide reasonable and timely assistance to assist you in complying with your data protection obligations with respect to data subject rights under Applicable Data Protection Law.

Security and audits

We have implemented and will maintain the technical and organisational measures outlined in the technical information to protect personal data.

You acknowledge and accept that the security measures are appropriate considering the risk of varying likelihood and severity to the rights and freedoms of individuals presented by our processing of personal data.

Following a security incident, we will notify you promptly without undue delay but not later than 72 hours after we become aware of the security incident.

Data retention, return, and deletion

We will not store or process any personal data outside of the agreed upon services, unless required by law.

On the termination of your subscription to our services, we will delete all Personal Data in our possession or control, unless legally prohibited. We will complete this process within 60 days of the termination of your subscription.

Data protection impact assessments

Upon your reasonable request, we will assist you in ensuring compliance with your obligations under Articles 35 and 36 of the GDPR, with respect to data protection impact assessments and prior consultations with supervising authorities.

Indemnity and limitation of liability

Your indemnity and our limitation of liability are as specified in the Service Terms.

For the avoidance of doubt, nothing in this DPA relieves us of our own direct responsibilities and liabilities under the Applicable Data Protection Law.

Contact Information

For any inquiries about this DPA, please email

The Data Protection Officer can be contacted at

We may provide any required notices to you by email to the address you provided when setting up your account or by posting a notice on our website.

Didn’t get the answer you were looking for?