Data Processing Agreement

Pursuant to Article 28 UK GDPR

1. Parties

1.1 This Data Processing Agreement ("DPA") is entered into between:

  • (a) the Subscriber (the therapist, practice, or organisation that has registered for a My-Therapy-Suite account and accepted the Terms of Service) as the data controller ("Controller"); and
  • (b) My-Therapy-Suite Ltd (company number 15892346, registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, ICO registration ZB738497) as the data processor ("Processor"),

together the "Parties".

1.2 This DPA forms part of and is incorporated into the Terms of Service. By accepting the Terms of Service, the Controller enters into this DPA. No separate signature is required.

1.3 In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in relation to data protection matters.

2. Definitions

2.1 In this DPA, unless the context requires otherwise:

  • "Applicable Data Protection Law" means the UK GDPR (the retained EU GDPR as defined in the Data Protection Act 2018) and the Data Protection Act 2018, together with any subordinate legislation, guidance, or codes of practice issued by the Information Commissioner;
  • "Personal Data" means any personal data (as defined in Applicable Data Protection Law) processed by the Processor on behalf of the Controller in connection with the Service;
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data;
  • "Service" means the My-Therapy-Suite platform and all related services as described in the Terms of Service;
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller;
  • "Terms of Service" means the terms and conditions governing use of the Service, as published at mytherapysuite.com and as amended from time to time.

3. Scope and purpose of processing

3.1 The Processor shall process Personal Data only on the documented instructions of the Controller, unless required to do so by law. The Terms of Service and this DPA constitute the Controller's documented instructions for the purposes of Article 28(3)(a) UK GDPR.

3.2 The details of the processing are set out in Schedule 1 to this DPA.

3.3 If the Processor considers that an instruction from the Controller infringes Applicable Data Protection Law, the Processor shall promptly inform the Controller.

4. Processor obligations

Confidentiality

4.1 The Processor shall ensure that any person authorised to process Personal Data is subject to a binding obligation of confidentiality.

Security

4.2 The Processor shall implement and maintain appropriate technical and organisational measures, in accordance with Article 32 UK GDPR, to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

4.3 A summary of the Processor's current security measures is available on request.

Sub-processors

4.4 The Controller provides a general authorisation for the engagement of Sub-processors. The Processor's current Sub-processors are listed in the Privacy Policy.

4.5 The Processor shall update the Sub-processor list in the Privacy Policy when a Sub-processor is added or replaced.

4.6 If the Controller objects to a new Sub-processor, the Controller may terminate the Service in accordance with the Terms of Service.

4.7 The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA. The Processor shall remain liable for the acts and omissions of its Sub-processors.

Assistance to the Controller

4.8 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for the exercise of data subject rights under Chapter III UK GDPR.

4.9 The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 UK GDPR (security, breach notification, impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the Processor.

5. Personal Data Breach

5.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

5.2 The notification shall include, to the extent available: a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned); the likely consequences; and the measures taken or proposed to address it.

5.3 Where it is not possible to provide all information at the same time, the Processor shall provide information in phases without undue further delay.

6. International transfers

6.1 The Processor shall not transfer Personal Data outside the United Kingdom unless appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.

6.2 Details of any international transfers, including the safeguards relied upon, are set out in the Privacy Policy.

7. Audit

7.1 The Processor shall make available to the Controller, on reasonable written request, information reasonably necessary to demonstrate compliance with this DPA. The Processor may satisfy this obligation by providing a written summary of its technical and organisational measures, relevant certifications, or the results of any third-party security audit or penetration test.

8. Return and deletion of Personal Data

8.1 On termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller and delete existing copies, unless Applicable Data Protection Law requires continued storage.

8.2 The Processor shall provide the Controller with a reasonable period (not less than 30 days following termination) to export Personal Data before deletion.

8.3 The Processor shall certify deletion to the Controller on request.

9. Duration and termination

9.1 This DPA shall remain in force for the duration of the Controller's use of the Service and shall automatically terminate when all Personal Data has been deleted or returned in accordance with clause 8.

9.2 The obligations in clauses 4.1 (confidentiality), 5 (breach notification), 7 (audit), and 8 (return and deletion) shall survive termination of this DPA.

10. Governing law

10.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.

10.2 Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1: Description of processing

Subject matter
Processing of Personal Data as necessary to provide the Service to the Controller.
Duration
For the term of the Controller's subscription to the Service, plus any retention period required to return or delete data under clause 8.
Nature and purpose
Storage, organisation, retrieval, and presentation of Personal Data through the platform; provision of video and audio session hosting; AI-assisted transcription and clinical summarisation; appointment scheduling; secure messaging; document management; payment processing.
Categories of data subjects
Clients/patients of the Controller; the Controller's staff and associates (where applicable).
Categories of Personal Data
Contact details (name, email, phone, address); appointment and session details; clinical and session notes; communications (secure messages); documents uploaded by the Controller; session recordings and transcriptions; assessment data; payment and billing information.
Special category data
Health data, including mental health information, clinical notes, session recordings, transcriptions, assessment results, and treatment plans. Identifying and documenting the lawful basis under Article 6 and the applicable condition under Article 9(2) UK GDPR for processing this special category data is the responsibility of the Controller.