Data Processing Agreement

Last updated: 13 June 2026

This agreement governs how MyNewClinic (operated by OsteoRise Limited, the "Processor") processes personal data on behalf of the clinic using it (the "Controller") under UK GDPR and the Data Protection Act 2018. It is incorporated into the Terms of Service a clinic accepts at signup. A countersigned copy is available on request at hello@mynewclinic.com.

1. Roles

The clinic is the data controller and determines the purposes and means of processing its patients' data. MyNewClinic is the data processor and processes that data only to provide the service, on the clinic's documented instructions.

2. Subject matter, nature & duration

Provision of practice-management software, scheduling, charting, billing, payments, communications and related tools, for the term of the subscription and any retention period thereafter.

3. Categories of data & data subjects

Data subjects: the clinic's patients and staff. Personal data: identity and contact details, dates of birth, appointment history, clinical/health records (special-category data), and financial/payment metadata.

4. Controller obligations

The clinic warrants it has a lawful basis (and, for health data, an Article 9 condition, typically the provision of health care) and the necessary privacy information and consents in place.

5. Processor obligations

MyNewClinic shall: process only on documented instructions; ensure personnel are bound by confidentiality; implement the security measures in Section 8; engage sub-processors only under equivalent terms and maintain a current sub-processor list; assist the clinic with data-subject requests, DPIAs and breach notification; and, on termination, delete or return personal data at the clinic's choice, subject to retention obligations.

6. Sub-processors

The clinic authorises the sub-processors listed on the Security & GDPR page. MyNewClinic gives prior notice of changes and remains liable for their acts.

7. International transfers

Patient data is stored in the UK. Where a sub-processor processes data outside the UK, transfers are covered by the UK International Data Transfer Addendum or equivalent safeguards.

8. Security measures

Encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access control; tenant isolation; record-access logging; optional staff two-factor authentication; least-privilege service credentials; and regular backups.

9. Data-subject rights & assistance

MyNewClinic provides built-in tools so the clinic can fulfil access requests (one-click patient data export), erasure requests (anonymisation respecting retention obligations) and rectification requests, and can review the record-access log; it will otherwise assist on request.

10. Personal data breach

MyNewClinic will notify the clinic without undue delay on becoming aware of a personal data breach affecting the clinic's data, with the information needed to meet the clinic's 72-hour ICO notification duty.

11. Audit

MyNewClinic will make available the information necessary to demonstrate compliance and allow for reasonable audits. Contact hello@mynewclinic.com.