GDPR – Personal Info

1. What types of Personal Information are held within the MRI systems and who are the data subjects of that Personal Information?
Product Category Product Type of Data Data Subjects Impacted
RAM Non-Real Estate FM5000 Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts, Suppliers
RAM Non-Real Estate Work500s Contact Details, Files, Images, or Videos Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts
RAM Non-Real Estate Portal Contact Details, Employment Information, Files, Images, or Videos, Contractor Insurance Information Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts
MRI Property Management Version X Personal Details, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information Client’s customers (tenants/residents), Children (13 or under) as residents, Client’s contractors and suppliers
MRI Property Management Workspeed Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts, Suppliers
MRI Property Management Connect Portals Personal Details, Contact Details, Employment Information, Files, Images, or Videos Client’s customers (tenants/residents), Children (13 or under) as residents, Client’s contractors and suppliers
Investment Modeling Personal Details (title, name, company), Contact Details (phone, email), Financial Details – Investor (contributions and distributions, units, JV waterfall parameters, stated and economic ownership), Financial Details (lender/borrower, share of loan) Individual investor, Debt lender/borrower, Client employee, Property/portfolio-level associated third parties (e.g. Property Manager, Appraiser)
Qube Horizon Property Management, CRE Management, IFRS16 Personal Details, Contact Details, Financial or Payment Details, Files, Images, Videos, Contractor Insurance Information, Contractor CIS Information, VAT Information Customers and clients of the Client, Client’s contractors and suppliers, Client’s employees and staff
Qube Planet Facility Management Personal Details, Contact Details, Financial or Payment Details, Files, Images or Videos Customers and clients of the Client, Client’s contractors and suppliers, Client’s employees
Qube PM Property Management Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information, Contractor CIS Information, VAT Information Customers (owners/companies), Client’s customers (tenants/residents), Client’s employees and staff, Suppliers
MDA Property Manager, PropAcc, Nicor Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos Customers and clients of the Client (tenants/residents/owners), Client’s contractors and suppliers, Client’s employees and staff
2. Does MRI use third-party data centres for holding Personal Information?

MRI utilises state-of-the-art data centres for its cloud-based offerings. As of April 2018, MRI utilises data centres in London, Ireland, Chicago, Virginia, Georgia, Singapore, Hong Kong, Netherlands and Sydney for its production and backup environments. MRI is certified under the US-UK Privacy Shield Scheme.
The current data centres are as follows:

Product Category Location of primary data centre Location of secondary (disaster recovery) data centre Identity of sub-contractor operating data centre
Property Management – UK Microsoft Azure, North Europe, Ireland Microsoft Azure, West Europe, Netherlands Microsoft Corporation
Property Management – UK, Qube Horizon UK, Qube PM, Qube Planet Global Switch 2
3 Nutmeg Lane, London, E14 2AX
Or
Level 3
260–266 Goswell Road, London, EC1V 7EB
Global Switch 2
3 Nutmeg Lane, London, E14 2AX
Or
Level 3
260–266 Goswell Road, London, EC1V 7EB
Datapipe Europe Limited
Property Management – Americas CH3, Cyxtera Technologies, 2425 Busse Road, Elk Grove Village, IL 60007 AT3 Peak 10, 12655 Edison Drive, Alpharetta, GA 30005 N/A for CH3, AT3 – Peak10 and MRI Software co-manage
Property Management – APAC SG8 Cyxtera Technologies, 9 Tai Seng Drive, 05-01 Geo-Tele Centre, Singapore 535227 CH3 Cyxtera Technologies, 2425 Busse Road, Elk Grove Village, IL 60007 N/A
Qube Horizon APAC Hong Kong 02, SoftLayer Technologies Hong Kong, 33 Chun Choi, Street, Yan Hing
Industrial Building, Tseung Kwan O Industrial Estate, Hong Kong
Singapore 01, SoftLayer Asia PVT. LTD., 29A International Business Park, S180, Jurong East, Singapore 609934 SoftLayer Dutch Holdings B.V.
Qube SLM 4D Gatwick, 17-19 Kelvin Lane, Crawley, West Sussex RH10 9EY 4D Surrey, 122 Oyster Lane, Byfleet, West Byfleet, KT14 7JU Sire Technology Ltd
RAM Iomart, 16-22 Epworth Street, London, EC2A 4DL Maidenhead DC5, Spectrum House, Clivemont Road, Maidenhead, SL6 7FW None – owned and run by Iomart.
RAM Raging Wire, 44664 Guilford Drive, Ashburn, Virginia, 20147 If disaster recovery is purchased by the client: Ragingwire 1157, 1200 Striker Ave, Sacramento, CA 95834 Raging Wire
RAM Equinix SG2, 15 Pioneer Walk, Singapore 627753 If disaster recovery is purchased by the client: Nottingham DC3, 2-6 Fishergate, Nottingham, NG1 1FY Equinix
RAM Coresite, VA1 12100 Sunrise Valley Dr, Reston, VA 20191 If disaster recovery is purchased by the client: Equinix – DC10, 21551 Beaumeade Cir, Ashburn, Virginia 20147 Coresite, Equinox
RAM Equinix Australia Pty Limited – SY3, 47 Bourke Road, Alexandria, Sydney, NSW 2015 If disaster recovery is purchased by the client: SAU Wyong Data Center, 4 Amy Close, Wyong, NSW 2259 Servers Australia
MDA Property Manager, PropAcc, Nicor Vodacom Business, 82 Vodacom Boulevard, Midrand, South Africa Teraco JB1 Campus, 5 Brewery Street, Isando, Johannesburg, Gauteng, South Africa EOH Cloud Services
3. What organisational measures does MRI have in place to protect our personal information?

MRI has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to the Personal Information, which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. In doing so, MRI maintains a documented information security plan, which it complies with and reviews at least annually. MRI’s Information Security Program covers many security items, including appropriate controls and measures in relation to: (1) physical security at all MRI locations involved in the provision of the Services; (2) technical security with respect to the Personal Information in MRI’s possession; (3) organisational security arrangements regarding the employees and other representatives of MRI, its Affiliates, and its subcontractors, including training and awareness, staff vetting procedures and other security measures (e.g. use of passwords and security credentials); (4) encryption of Personal Information contained within the SaaS Services; (5) Disaster Recovery and Business Continuity; (6) Vulnerability Testing and Security Audit; and (7) Data Breach Procedures. MRI’s Information Security Program complies with all laws applicable to MRI related to its security programs. Please note that while some of these policies may be available to clients, some are confidential of MRI and the policies may not be distributable.
More specifically, some of the measures that MRI currently takes are as follows:
Qube Horizon:
Data in transit is encrypted with https. Qube Horizon is ISO 27001:2013 certified and includes procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery (“DR”), backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.
Qube PM:
Data in transit is encrypted with https Qube PM is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.
Qube Planet:
Data in transit is encrypted with https. Qube Planet is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.
Qube SLM:
Data in transit is encrypted with https. Qube SLM contains firewalls, anti-virus, backups, Disaster Recovery, hardware storage resilience, staff recruitment, staff training and departure policies and practices. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

4. How do I ensure the security of Personal Information?

You can protect the Personal Information of your data subjects by establishing suitable controls and policies with respect to this information within your organisation which are aimed at preventing unauthorised access to the software and infrastructure where the data will be stored. Your controls may include education and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.
In addition to policies and formal training of its own employees, MRI also provides its customers with tools which enable you, as the data controller, to set security controls to protect the Personal Information within your company.
Qube Horizon:
Qube Horizon is ISO 27001:2013 certified and includes procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.
Qube PM:
Qube PM is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.
Qube Planet:
Qube Planet is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.
Qube SLM:
Qube SLM contains firewalls, anti-virus, backups, Disaster Recovery, hardware storage resilience, staff recruitment, staff training and departure policies and practices.

5. Does MRI have a process in place for notification, containment and remediation in the event of a data breach?

Yes. MRI will take industry-standard steps to protect the security of such Personal Information provided to MRI. If MRI becomes aware that a data breach involving Personal Information has occurred, MRI will without undue delay: (i) investigate the cause of the data breach; (ii) notify you of the data breach and provide sufficient information to allow you to inform your data subjects about the data breach; (iii) contain and remedy the data breach; (iv) take reasonable steps to mitigate the effects of and to minimise any damage resulting from the data breach; (v) assist in remediating or mitigating any potential damage from a data breach; and (vi) take reasonable steps to restore the security and integrity of any Systems used by MRI and/or its subcontractors to provide the Services.

6. If we receive a request for Personal Information that is currently being held in the SaaS System, how can we get that information from MRI?

You will need to identify through your record management policies where that Personal Information is held (for example in structured and unstructured data fields) and then use the reporting features of the software to provide this, which could be a mixture of screen copies, spreadsheet exports or reports. Please see the below information on how to extract data based upon the product you are utilising. Please contact MRI Global Client Support if you are having trouble extracting this information. MRI Global Client Support will be provided in accordance with your governing agreement in place with MRI.
Qube Horizon:
Horizon data can be extracted by reports, screen extracts and SSIS in a variety of formats, for example Excel, PDF, XML.
Qube PM:
Qube PM data can be extracted by reports and screen extracts.
Qube Planet:
Qube Planet data can be extracted by reports and table exports in a variety of formats, for example Excel, PDF, CSV.
Qube SLM:
Qube SLM data can be extracted by reports. For any other data extracts required, contact MRI Global Client Support.

7. How do we permanently delete Personal Information after the end of its retention period, or on a right to be forgotten request?

Qube Horizon:
In its 10.2.7 release, Qube Horizon will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be necessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.
For instances where Personal Information cannot be manually removed, Qube will be releasing, as an enhancement to its 10.2.7 release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.
The 10.2.7 enhancement is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.
Qube Planet:
In its 10.74.1 release, Qube Planet will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be neccessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.
For instances where Personal Information cannot be manually removed, Qube will be releasing, as an enhancement to its 10.74.1 release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.
The 10.74.1 release is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.
Qube PM:
In its next release, Qube PM will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be neccessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.
For instances where Personal Information that cannot be manually removed, Qube will be releasing, in its next release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.
The next release is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.
Qube SLM:
In its next release, Qube SLM will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be neccessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.
For instances where Personal Information cannot be manually removed, Qube will be releasing, in its next release, an administration utility to enable removal of such Personal Information in an automated manner. Additionally, Qube SLM will be providing additional tools which enable clients to track consents of their data subjects. More information on how to utilise this routine and manage consent will be made available in the version release notes.

8. How long does MRI hold our data within its system and its backups?

MRI does not proactively delete Personal Information while you are still a client of MRI’s. While you are a still a client of MRI’s, MRI will make regular backups of the database for backup and data restoration purposes as described in the table below.

Product Category Frequency of backup Length that each backup is held
Qube Horizon Daily One month
Qube PM Daily One month
Qube Planet Daily One month
Qube SLM Daily One month
MDA Property Manager, PropAcc, Nicor Daily 30 days
MDA Property Manager, PropAcc, Nicor Weekly 4 Weeks
MDA Property Manager, PropAcc, Nicor Monthly 12 months
MDA Property Manager, PropAcc, Nicor Annually 2 Years

Once you are no longer an active client and your contractual term has expired, MRI will remove your database, including all data, from its active environment and the database will not be included in periodic backup logs that are captured in the future. The time period for this deletion is outlined in the table below.

Product Category When is the client data deleted/database removed following termination?
Qube Horizon Up to one month following the termination date
Qube PM Up to one month following the termination date
Qube Planet Up to one month following the termination date
Qube SLM Up to one month following the termination date
Version X Up to one month following the termination date
MDA Property Manager, PropAcc, Nicor Up to one month following the termination date. Thereafter the backup is compressed for archiving and is detached from Production. The archived backup is held in secure storage unless otherwise requested.

Once a backup is created, it will be held in storage until it is deleted or it becomes permanently overwritten. The time period for this deletion is outlined in the table below.

Product Category When is the client data deleted/database removed following termination?
Qube Horizon Up to one month following the termination date
Qube PM Up to one month following the termination date
Qube Planet Up to one month following the termination date
Qube SLM Up to one month following the termination date