GDPR – Personal Info

1. What types of Personal Information are held within the MRI systems and who are the data subjects of that Personal Information?

| Product Category / Product | Type of Data | Data Subjects Impacted |
| --- | --- | --- |
| RAM Non-Real Estate FM5000 | Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information | Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts, Suppliers |
| RAM Non-Real Estate Work500s | Contact Details, Files, Images, or Videos | Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts |
| RAM Non-Real Estate Portal | Contact Details, Employment Information, Files, Images, or Videos, Contractor Insurance Information | Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts |
| MRI Property Management Version X | Personal Details, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information | Client’s customers (tenants/residents), Children (13 or under) as residents, Client’s contractors and suppliers |
| MRI Property Management Workspeed | Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information | Customers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts, Suppliers |
| MRI Property Management Connect Portals | Personal Details, Contact Details, Employment Information, Files, Images, or Videos | Client’s customers (tenants/residents), Children (13 or under) as residents, Client’s contractors and suppliers |
| Investment Modeling | Personal Details (title, name, company), Contact Details (phone, email), Financial Details – Investor (contributions and distributions, units, JV waterfall parameters, stated and economic ownership), Financial Details (lender/borrower, share of loan) | Individual investor, Debt lender/borrower, Client employee, Property/portfolio-level associated third parties (e.g. Property Manager, Appraiser) |
| Qube Horizon Property Management, CRE Management, IFRS16 | Personal Details, Contact Details, Financial or Payment Details, Files, Images, Videos, Contractor Insurance Information, Contractor CIS Information, VAT Information | Customers and clients of the Client, Client’s contractors and suppliers, Client’s employees and staff |
| Qube Planet Facility Management | Personal Details, Contact Details, Financial or Payment Details, Files, Images or Videos | Customers and clients of the Client, Client’s contractors and suppliers, Client’s employees |
| Qube PM Property Management | Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information, Contractor CIS Information, VAT Information | Customers (owners/companies), Client’s customers (tenants/residents), Client’s employees and staff, Suppliers |
| MDA Property Manager, PropAcc, Nicor | Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos | Customers and clients of the Client (tenants/residents/owners), Client’s contractors and suppliers, Client’s employees and staff |

2. Does MRI use third-party data centres for holding Personal Information?

MRI utilises state-of-the-art data centres for its cloud-based offerings. As of April 2018, MRI utilises data centres in London, Ireland, Chicago, Virginia, Georgia, Singapore, Hong Kong, Netherlands and Sydney for its production and backup environments. MRI is certified under the US-UK Privacy Shield Scheme.

The current data centres are as follows:

| Product Category | Location of primary data centre | Location of secondary (disaster recovery) data centre | Identity of sub-contractor operating data centre |
| --- | --- | --- | --- |
| Property Management – UK | Microsoft Azure, North Europe, Ireland | Microsoft Azure, West Europe, Netherlands | Microsoft Corporation |
| Property Management – UK, Qube Horizon UK, Qube PM, Qube Planet | Global Switch 2, 3 Nutmeg Lane, London, E14 2AX; or Level 3, 260–266 Goswell Road, London, EC1V 7EB | Global Switch 2, 3 Nutmeg Lane, London, E14 2AX; or Level 3, 260–266 Goswell Road, London, EC1V 7EB | Datapipe Europe Limited |
| Property Management – Americas | CH3, Cyxtera Technologies, 2425 Busse Road, Elk Grove Village, IL 60007 | AT3 Peak 10, 12655 Edison Drive, Alpharetta, GA 30005 | N/A for CH3, AT3 – Peak10 and MRI Software co-manage |
| Property Management – APAC | SG8 Cyxtera Technologies, 9 Tai Seng Drive, 05-01 Geo-Tele Centre, Singapore 535227 | CH3 Cyxtera Technologies, 2425 Busse Road, Elk Grove Village, IL 60007 | N/A |
| Qube Horizon APAC | Hong Kong 02, SoftLayer Technologies Hong Kong, 33 Chun Choi Street, Yan Hing Industrial Building, Tseung Kwan O Industrial Estate, Hong Kong | Singapore 01, SoftLayer Asia PVT. LTD., 29A International Business Park, S180, Jurong East, Singapore 609934 | SoftLayer Dutch Holdings B.V. |
| Qube SLM | 4D Gatwick, 17-19 Kelvin Lane, Crawley, West Sussex RH10 9EY | 4D Surrey, 122 Oyster Lane, Byfleet, West Byfleet, KT14 7JU | Sire Technology Ltd |
| RAM | Iomart, 16-22 Epworth Street, London, EC2A 4DL | Maidenhead DC5, Spectrum House, Clivemont Road, Maidenhead, SL6 7FW | None – owned and run by Iomart. |
| RAM | Raging Wire, 44664 Guilford Drive, Ashburn, Virginia, 20147 | If disaster recovery is purchased by the client: Ragingwire 1157, 1200 Striker Ave, Sacramento, CA 95834 | Raging Wire |
| RAM | Equinix SG2, 15 Pioneer Walk, Singapore 627753 | If disaster recovery is purchased by the client: Nottingham DC3, 2-6 Fishergate, Nottingham, NG1 1FY | Equinix |
| RAM | Coresite, VA1 12100 Sunrise Valley Dr, Reston, VA 20191 | If disaster recovery is purchased by the client: Equinix – DC10, 21551 Beaumeade Cir, Ashburn, Virginia 20147 | Coresite, Equinix |
| RAM | Equinix Australia Pty Limited – SY3, 47 Bourke Road, Alexandria, Sydney, NSW 2015 | If disaster recovery is purchased by the client: SAU Wyong Data Center, 4 Amy Close, Wyong, NSW 2259 | Servers Australia |
| MDA Property Manager, PropAcc, Nicor | Vodacom Business, 82 Vodacom Boulevard, Midrand, South Africa | Teraco JB1 Campus, 5 Brewery Street, Isando, Johannesburg, Gauteng, South Africa | EOH Cloud Services |

3. What organisational measures does MRI have in place to protect our personal information?

MRI has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to the Personal Information, which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. In doing so, MRI maintains a documented information security plan, which it complies with and reviews at least annually. MRI’s Information Security Program covers many security items, including appropriate controls and measures in relation to: (1) physical security at all MRI locations involved in the provision of the Services; (2) technical security with respect to the Personal Information in MRI’s possession; (3) organisational security arrangements regarding the employees and other representatives of MRI, its Affiliates, and its subcontractors, including training and awareness, staff vetting procedures and other security measures (e.g. use of passwords and security credentials); (4) encryption of Personal Information contained within the SaaS Services; (5) Disaster Recovery and Business Continuity; (6) Vulnerability Testing and Security Audit; and (7) Data Breach Procedures. MRI’s Information Security Program complies with all laws applicable to MRI related to its security programs. Please note that while some of these policies may be available to clients, some are confidential to MRI and may not be distributable.

More specifically, some of the measures that MRI currently takes are as follows:

Qube Horizon:
Data in transit is encrypted with HTTPS. Qube Horizon is ISO 27001:2013 certified and includes procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery (“DR”), backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

Qube PM:
Data in transit is encrypted with HTTPS. Qube PM is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

Qube Planet:
Data in transit is encrypted with HTTPS. Qube Planet is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

Qube SLM:
Data in transit is encrypted with HTTPS. Qube SLM contains firewalls, anti-virus, backups, Disaster Recovery, hardware storage resilience, staff recruitment, staff training and departure policies and practices. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

4. How do I ensure the security of Personal Information?

You can protect the Personal Information of your data subjects by establishing suitable controls and policies with respect to this information within your organisation which are aimed at preventing unauthorised access to the software and infrastructure where the data will be stored. Your controls may include education and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.

In addition to policies and formal training of its own employees, MRI also provides its customers with tools which enable you, as the data controller, to set security controls to protect the Personal Information within your company.

Qube Horizon:
Qube Horizon is ISO 27001:2013 certified and includes procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.

Qube PM:
Qube PM is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.

Qube Planet:
Qube Planet is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.

Qube SLM:
Qube SLM contains firewalls, anti-virus, backups, Disaster Recovery, hardware storage resilience, staff recruitment, staff training and departure policies and practices.

5. Does MRI have a process in place for notification, containment and remediation in the event of a data breach?

Yes. MRI will take industry-standard steps to protect the security of such Personal Information provided to MRI. If MRI becomes aware that a data breach involving Personal Information has occurred, MRI will without undue delay: (i) investigate the cause of the data breach; (ii) notify you of the data breach and provide sufficient information to allow you to inform your data subjects about the data breach; (iii) contain and remedy the data breach; (iv) take reasonable steps to mitigate the effects of and to minimise any damage resulting from the data breach; (v) assist in remediating or mitigating any potential damage from a data breach; and (vi) take reasonable steps to restore the security and integrity of any Systems used by MRI and/or its subcontractors to provide the Services.

6. If we receive a request for Personal Information that is currently being held in the SaaS System, how can we get that information from MRI?

You will need to identify through your record management policies where that Personal Information is held (for example in structured and unstructured data fields) and then use the reporting features of the software to provide this, which could be a mixture of screen copies, spreadsheet exports or reports. Please see the below information on how to extract data based upon the product you are utilising. Please contact MRI Global Client Support if you are having trouble extracting this information. MRI Global Client Support will be provided in accordance with your governing agreement in place with MRI.

Qube Horizon:
Horizon data can be extracted by reports, screen extracts and SSIS in a variety of formats, for example Excel, PDF, XML.

Qube PM:
Qube PM data can be extracted by reports and screen extracts.

Qube Planet:
Qube Planet data can be extracted by reports and table exports in a variety of formats, for example Excel, PDF, CSV.

Qube SLM:
Qube SLM data can be extracted by reports. For any other data extracts required, contact MRI Global Client Support.

7. How do we permanently delete Personal Information after the end of its retention period, or on a right to be forgotten request?

Qube Horizon:
In its 10.2.7 release, Qube Horizon will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be necessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, as an enhancement to its 10.2.7 release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.

The 10.2.7 enhancement is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.

Qube Planet:
In its 10.74.1 release, Qube Planet will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be necessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, as an enhancement to its 10.74.1 release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.

The 10.74.1 release is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.

Qube PM:
In its next release, Qube PM will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be necessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, in its next release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.

The next release is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.

Qube SLM:
In its next release, Qube SLM will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be necessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, in its next release, an administration utility to enable removal of such Personal Information in an automated manner. Additionally, Qube SLM will be providing additional tools which enable clients to track consents of their data subjects. More information on how to utilise this routine and manage consent will be made available in the version release notes.

8. How long does MRI hold our data within its system and its backups?

MRI does not proactively delete Personal Information while you are still a client of MRI’s. While you are still a client of MRI’s, MRI will make regular backups of the database for backup and data restoration purposes as described in the table below.

| Product Category | Frequency of backup | Length that each backup is held |
| --- | --- | --- |
| Qube Horizon | Daily | One month |
| Qube PM | Daily | One month |
| Qube Planet | Daily | One month |
| Qube SLM | Daily | One month |
| MDA Property Manager, PropAcc, Nicor | Daily | 30 days |
| MDA Property Manager, PropAcc, Nicor | Weekly | 4 Weeks |
| MDA Property Manager, PropAcc, Nicor | Monthly | 12 months |
| MDA Property Manager, PropAcc, Nicor | Annually | 2 Years |

Once you are no longer an active client and your contractual term has expired, MRI will remove your database, including all data, from its active environment and the database will not be included in periodic backup logs that are captured in the future. The time period for this deletion is outlined in the table below.

| Product Category | When is the client data deleted/database removed following termination? |
| --- | --- |
| Qube Horizon | Up to one month following the termination date |
| Qube PM | Up to one month following the termination date |
| Qube Planet | Up to one month following the termination date |
| Qube SLM | Up to one month following the termination date |
| Version X | Up to one month following the termination date |
| MDA Property Manager, PropAcc, Nicor | Up to one month following the termination date. Thereafter the backup is compressed for archiving and is detached from Production. The archived backup is held in secure storage unless otherwise requested. |

Once a backup is created, it will be held in storage until it is deleted or it becomes permanently overwritten. The time period for this deletion is outlined in the table below.

| Product Category | When is the client data deleted/database removed following termination? |
| --- | --- |
| Qube Horizon | Up to one month following the termination date |
| Qube PM | Up to one month following the termination date |
| Qube Planet | Up to one month following the termination date |
| Qube SLM | Up to one month following the termination date |