Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the agreement between the clinician or organisation using the DocNotes service ("Controller") and DocNotes ("Processor") and applies to the processing of personal data under Regulation (EU) 2016/679 ("GDPR").
This DPA is effective from the date the Controller first accesses or uses the DocNotes service.
1. Roles of the Parties
1.1 The Controller is the clinician or organisation that determines the purposes and means of processing personal data entered into the DocNotes platform.
1.2 DocNotes acts as a Data Processor, processing personal data solely on documented instructions from the Controller and in accordance with this DPA.
1.3 DocNotes does not act as a joint controller.
2. Scope of Processing
2.1 Subject Matter
The processing concerns clinical documentation support, including drafting, reviewing, approving, storing, and exporting clinical notes.
2.2 Duration
Processing occurs for the duration of the Controller's use of the service and as necessary for backup, security, and legal compliance purposes, subject to Section 10 (Deletion and Return).
2.3 Nature and Purpose of Processing
DocNotes processes data for the following purposes only:
- Creating draft clinical documentation
- Rewriting clinician-provided text into structured formats
- Storing clinician-approved records
- Maintaining audit logs
- Enabling exports requested by the Controller
- Providing account, security, and support functionality
DocNotes does not determine clinical content, diagnoses, or treatment decisions.
2.4 Categories of Data Subjects
- Patients of the Controller
- Clinicians using the service
2.5 Types of Personal Data
Depending on use, the following categories may be processed:
- Clinician account data (email, authentication data)
- Patient identifiers (e.g. name, date of birth, sex — as entered by the Controller)
- Clinical notes and related metadata
- Audit and activity logs
Special category data (health data) may be processed only as instructed by the Controller.
3. Processor Obligations
DocNotes shall:
- a) Process personal data only on documented instructions from the Controller
- b) Ensure persons authorised to process data are bound by confidentiality
- c) Implement appropriate technical and organisational security measures
- d) Not use personal data for its own purposes
- e) Not sell, share, or train models on Controller data
- f) Assist the Controller in meeting GDPR obligations under Articles 15–36 where applicable
4. Security Measures
DocNotes implements appropriate technical and organisational measures, including but not limited to:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using industry-standard encryption (e.g. AES-256) for sensitive data
- Role-based access controls and least-privilege access
- Segregation of draft and approved clinical records
- Immutable audit logs for sensitive actions
- Secure key and secrets management
- Regular dependency and infrastructure updates
Security measures are designed proportionate to the nature of the data processed and the risks involved.
5. Use of Subprocessors
The Controller authorises DocNotes to engage subprocessors necessary to provide the service.
5.1 Approved Subprocessors
As of the effective date, DocNotes uses the following categories of subprocessors:
| Purpose | Subprocessor |
|---|---|
| Hosting & deployment | Vercel (EU-compatible infrastructure) |
| Database & storage | Supabase (PostgreSQL, EU-hosted) |
| Caching / locks / tokens | Redis (managed Redis provider) |
| AI text rewriting | OpenAI |
| Email delivery | Resend |
DocNotes ensures that all subprocessors:
- Are subject to contractual data protection obligations
- Provide GDPR-compliant processing and security guarantees
- Process data only as instructed
An up-to-date list of subprocessors will be made available upon request.
6. International Transfers
Where subprocessors process data outside the EEA, DocNotes ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- Equivalent GDPR transfer mechanisms
DocNotes does not knowingly transfer data to jurisdictions without adequate protection.
7. Confidentiality
All persons authorised by DocNotes to process personal data are subject to confidentiality obligations, whether contractual or statutory.
8. Data Subject Rights
Taking into account the nature of processing, DocNotes shall assist the Controller by appropriate technical and organisational measures to fulfil requests from data subjects, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
DocNotes does not respond directly to data subject requests unless instructed by the Controller.
9. Personal Data Breaches
In the event of a personal data breach, DocNotes shall:
- Notify the Controller without undue delay
- Provide available information required to support regulatory notification obligations
- Cooperate in remediation efforts
10. Data Deletion and Return
Upon termination of the Controller's account or upon written request:
- DocNotes will delete or return personal data within a reasonable timeframe
- Data may be retained temporarily in encrypted backups consistent with industry standards
- Backup data is securely deleted according to retention schedules
11. Audits and Compliance
DocNotes shall make available information reasonably necessary to demonstrate compliance with this DPA and GDPR.
Formal audits may be conducted only where required by law and subject to reasonable notice and scope.
12. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service, except where prohibited by applicable law.
13. Governing Law
This DPA is governed by the laws of Ireland and subject to the exclusive jurisdiction of the Irish courts.
14. Order of Precedence
In the event of conflict, this DPA prevails over the Terms of Service with respect to data protection matters.
15. Acceptance
By using the DocNotes service, the Controller acknowledges and agrees to this Data Processing Agreement.