Security overview

How Smilenotes protects patient data for UK healthcare professionals


UK GDPR & healthcare compliance

Smilenotes is designed for UK healthcare professionals and operates in line with the UK General Data Protection Regulation (UK GDPR). We act as a data processor on behalf of clinics, with appropriate technical and organisational measures in place to protect patient data.

  • Data protection by design and by default (UK GDPR Article 25)
  • Confidentiality, integrity and availability safeguards (Article 32)
  • Data minimisation and access control (Article 5)


Your data is sent using HTTPS

All information transferred between your computer and our data centre is encrypted in transit using HTTPS. This prevents anybody from reading your patient data whilst it travels between your computer and our server.



We encrypt your patient data at rest

All sensitive patient data stored within Smilenotes — including clinical notes, personal details and uploaded files — is encrypted at rest using industry-standard AES-256 encryption. Encryption keys are managed securely and access is strictly limited.



Robust physical security

Smilenotes is hosted on secure infrastructure located within the UK and European Union. Our cloud providers maintain certified physical and environmental security controls, including controlled access, monitoring and redundancy.



Access controls & accountability

Access to patient data within Smilenotes is restricted using role-based permissions. Only authorised users within a clinic can view or update patient records, based on their assigned role.

Clinical notes and uploaded files are user-attributed, meaning the author of each entry is clearly recorded. This supports accountability and professional record-keeping within the practice.

For security monitoring purposes, Smilenotes records user login activity, including the date and time of the most recent access.



Two-factor authentication

Smilenotes supports two-factor authentication (2FA) to provide an additional layer of protection for user accounts. When enabled, users are required to verify their identity using a second factor in addition to their password.

This helps protect accounts against unauthorised access, even if login credentials are compromised.



Regularly updated

Our software infrastructure is protected by firewalls and is regularly updated with security patches. We monitor systems for unusual activity and apply updates in line with industry best practice.



Security monitoring & incident response

Our systems are continuously monitored for suspicious activity. In the unlikely event of a data security incident, we follow a documented incident response process aligned with UK GDPR requirements, including timely notification where required.



Your billing information is in safe hands

Subscription payments are managed by our partner, Stripe.com, who are the industry leader in secure online payments. Stripe is PCI Level 1 compliant (the highest level of online card payment security you can get).

Visit Stripe.com for more information about payments



Backups

Encrypted backups are taken daily and stored in geographically separate locations within the UK and EU. Backups are tested periodically to ensure data can be restored if required.



Want to know more?

Learn more about how we handle data responsibly:

If you have specific questions about security or data protection, please contact our customer support.


