Data Processing Agreement
Last updated: 13 June 2026
This agreement governs how MyNewClinic (operated by OsteoRise Limited, the "Processor") processes personal data on behalf of the clinic using it (the "Controller") under UK GDPR and the Data Protection Act 2018. It is incorporated into the Terms of Service a clinic accepts at signup. A countersigned copy is available on request at hello@mynewclinic.com.
1. Roles
The clinic is the data controller and determines the purposes and means of processing its patients' data. MyNewClinic is the data processor and processes that data only to provide the service, on the clinic's documented instructions.
2. Subject matter, nature & duration
Provision of practice-management software, scheduling, charting, billing, payments, communications and related tools, for the term of the subscription and any retention period thereafter.
3. Categories of data & data subjects
Data subjects: the clinic's patients and staff. Personal data: identity and contact details, dates of birth, appointment history, clinical/health records (special-category data), and financial/payment metadata.
4. Controller obligations
The clinic warrants it has a lawful basis (and, for health data, an Article 9 condition, typically the provision of health care) and the necessary privacy information and consents in place.
5. Processor obligations
MyNewClinic shall: process only on documented instructions; ensure personnel are bound by confidentiality; implement the security measures in Section 8; engage sub-processors only under equivalent terms and maintain a current sub-processor list; assist the clinic with data-subject requests, DPIAs and breach notification; and, on termination, delete or return personal data at the clinic's choice, subject to retention obligations.
6. Sub-processors
The clinic authorises the sub-processors listed on the Security & GDPR page. MyNewClinic gives prior notice of changes and remains liable for their acts.
7. International transfers
Patient data is stored in the UK. Where a sub-processor processes data outside the UK, transfers are covered by the UK International Data Transfer Addendum or equivalent safeguards.
8. Security measures
Encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access control; tenant isolation; record-access logging; optional staff two-factor authentication; least-privilege service credentials; and regular backups.
9. Data-subject rights & assistance
MyNewClinic provides built-in tools so the clinic can fulfil access requests (one-click patient data export), erasure requests (anonymisation respecting retention) and rectification requests, and can consult the record-access log; MyNewClinic will otherwise assist on request.
10. Personal data breach
MyNewClinic will notify the clinic without undue delay on becoming aware of a personal data breach affecting the clinic's data, with the information needed to meet the clinic's 72-hour ICO notification duty.
11. Audit
MyNewClinic will make available the information necessary to demonstrate compliance and allow for reasonable audits. Contact hello@mynewclinic.com.