GDPR – Personal Info

1. What types of Personal Information are held within the MRI systems and who are the data subjects of that Personal Information?
Product CategoryProductType of DataData Subjects Impacted
RAM Non-Real EstateFM5000Personal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance InformationCustomers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts, Suppliers
RAM Non-Real EstateWork500sContact Details, Files, Images, or VideosCustomers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts
RAM Non-Real EstatePortalContact Details, Employment Information, Files, Images, or Videos, Contractor Insurance InformationCustomers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts
MRI Property ManagementVersion XPersonal Details, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance InformationClient’s customers (tenants/residents), Children (13 or under) as residents, Client’s contractors and suppliers
MRI Property ManagementWorkspeedPersonal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance InformationCustomers and clients of the Client, Client’s employees and staff, Client’s consultants or other professional experts, Suppliers
MRI Property ManagementConnect PortalsPersonal Details, Contact Details, Employment Information, Files, Images, or VideosClient’s customers (tenants/residents), Children (13 or under) as residents, Client’s contractors and suppliers
Investment ModelingPersonal Details (title, name, company), Contact Details (phone, email), Financial Details – Investor (contributions and distributions, units, JV waterfall parameters, stated and economic ownership), Financial Details (lender/borrower, share of loan)Individual investor, Debt lender/borrower, Client employee, Property/portfolio-level associated third parties (e.g. Property Manager, Appraiser)
Qube HorizonProperty Management, CRE Management, IFRS16Personal Details, Contact Details, Financial or Payment Details, Files, Images, Videos, Contractor Insurance Information, Contractor CIS Information, VAT InformationCustomers and clients of the Client, Client’s contractors and suppliers, Client’s employees and staff
Qube PlanetFacility ManagementPersonal Details, Contact Details, Financial or Payment Details, Files, Images or VideosCustomers and clients of the Client, Client’s contractors and suppliers, Client’s employees
Qube PMProperty ManagementPersonal Information, Contact Details, Financial or Payment Details, Files, Images, or Videos, Contractor Insurance Information, Contractor CIS Information, VAT InformationCustomers (owners/companies), Client’s customers (tenants/residents), Client’s employees and staff, Suppliers
2. Does MRI use third-party data centres for holding Personal Information?

MRI utilises state-of-the-art data centres for its cloud-based offerings. As of April 2018, MRI utilises data centres in London, Ireland, Chicago, Virginia, Georgia, Singapore, Hong Kong, Netherlands and Sydney for its production and backup environments. MRI is certified under the US-UK Privacy Shield Scheme.

The current data centres are as follows:

Product CategoryLocation of primary data centreLocation of secondary (disaster recovery) data centreIdentity of sub-contractor operating data centre
Property Management – UKMicrosoft Azure, North Europe, IrelandMicrosoft Azure, West Europe, NetherlandsMicrosoft Corporation
Property Management – UK, Qube Horizon UK, Qube PM, Qube PlanetGlobal Switch 2
3 Nutmeg Lane, London, E14 2AX
Or
Level 3
260–266 Goswell Road, London, EC1V 7EB
Global Switch 2
3 Nutmeg Lane, London, E14 2AX
Or
Level 3
260–266 Goswell Road, London, EC1V 7EB
Datapipe Europe Limited
Property Management – AmericasCH3, Cyxtera Technologies, 2425 Busse Road, Elk Grove Village, IL 60007AT3 Peak 10, 12655 Edison Drive, Alpharetta, GA 30005N/A for CH3, AT3 – Peak10 and MRI Software co-manage
Property Management – APACSG8 Cyxtera Technologies, 9 Tai Seng Drive, 05-01 Geo-Tele Centre, Singapore 535227CH3 Cyxtera Technologies, 2425 Busse Road, Elk Grove Village, IL 60007N/A
Qube Horizon APACHong Kong 02, SoftLayer Technologies Hong Kong, 33 Chun Choi, Street, Yan Hing
Industrial Building, Tseung Kwan O Industrial Estate, Hong Kong
Singapore 01, SoftLayer Asia PVT. LTD., 29A International Business Park, S180, Jurong East, Singapore 609934SoftLayer Dutch Holdings B.V.
Qube SLM4D Gatwick, 17-19 Kelvin Lane, Crawley, West Sussex RH10 9EY4D Surrey, 122 Oyster Lane, Byfleet, West Byfleet, KT14 7JUSire Technology Ltd
RAMIomart, 16-22 Epworth Street, London, EC2A 4DLMaidenhead DC5, Spectrum House, Clivemont Road, Maidenhead, SL6 7FWNone – owned and run by Iomart.
RAMRaging Wire, 44664 Guilford Drive, Ashburn, Virginia, 20147If disaster recovery is purchased by the client: Ragingwire 1157, 1200 Striker Ave, Sacramento, CA 95834Raging Wire
RAMEquinix SG2, 15 Pioneer Walk, Singapore 627753If disaster recovery is purchased by the client: Nottingham DC3, 2-6 Fishergate, Nottingham, NG1 1FYEquinix
RAMCoresite, VA1 12100 Sunrise Valley Dr, Reston, VA 20191If disaster recovery is purchased by the client: Equinix – DC10, 21551 Beaumeade Cir, Ashburn, Virginia 20147Coresite, Equinox
RAMEquinix Australia Pty Limited – SY3, 47 Bourke Road, Alexandria, Sydney, NSW 2015If disaster recovery is purchased by the client: SAU Wyong Data Center, 4 Amy Close, Wyong, NSW 2259Servers Australia
3. What organisational measures does MRI have in place to protect our personal information?

MRI has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to the Personal Information, which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. In doing so, MRI maintains a documented information security plan, which it complies with and reviews at least annually. MRI’s Information Security Program covers many security items, including appropriate controls and measures in relation to: (1) physical security at all MRI locations involved in the provision of the Services; (2) technical security with respect to the Personal Information in MRI’s possession; (3) organisational security arrangements regarding the employees and other representatives of MRI, its Affiliates, and its subcontractors, including training and awareness, staff vetting procedures and other security measures (e.g. use of passwords and security credentials); (4) encryption of Personal Information contained within the SaaS Services; (5) Disaster Recovery and Business Continuity; (6) Vulnerability Testing and Security Audit; and (7) Data Breach Procedures. MRI’s Information Security Program complies with all laws applicable to MRI related to its security programs. Please note that while some of these policies may be available to clients, some are confidential of MRI and the policies may not be distributable.

More specifically, some of the measures that MRI currently takes are as follows:

Qube Horizon:
Data in transit is encrypted with https. Qube Horizon is ISO 27001:2013 certified and includes procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery (“DR”), backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

Qube PM:
Data in transit is encrypted with https Qube PM is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

Qube Planet:
Data in transit is encrypted with https. Qube Planet is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

Qube SLM:
Data in transit is encrypted with https. Qube SLM contains firewalls, anti-virus, backups, Disaster Recovery, hardware storage resilience, staff recruitment, staff training and departure policies and practices. In the unlikely event of a physical or technical incident, all data can be restored from daily backup. Restore time is subject to type of contract.

4. How do I ensure the security of Personal Information?

You can protect the Personal Information of your data subjects by establishing suitable controls and policies with respect to this information within your organisation which are aimed at preventing unauthorised access to the software and infrastructure where the data will be stored. Your controls may include education and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.

In addition to policies and formal training of its own employees, MRI also provides its customers with tools which enable you, as the data controller, to set security controls to protect the Personal Information within your company.

Qube Horizon:
Qube Horizon is ISO 27001:2013 certified and includes procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.

Qube PM:
Qube PM is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.

Qube Planet:
Qube Planet is managed to ISO 27001 procedures and processes covering firewalls, IDS, AV, management responsibility, incident management, Disaster Recovery, backups, security awareness training, staff recruitment, staff departure, segregation of duties, reviews and audits.

Qube SLM:
Qube SLM contains firewalls, anti-virus, backups, Disaster Recovery, hardware storage resilience, staff recruitment, staff training and departure policies and practices.

5. Does MRI have a process in place for notification, containment and remediation in the event of a data breach?

Yes. MRI will take industry-standard steps to protect the security of such Personal Information provided to MRI. If MRI becomes aware that a data breach involving Personal Information has occurred, MRI will without undue delay: (i) investigate the cause of the data breach; (ii) notify you of the data breach and provide sufficient information to allow you to inform your data subjects about the data breach; (iii) contain and remedy the data breach; (iv) take reasonable steps to mitigate the effects of and to minimise any damage resulting from the data breach; (v) assist in remediating or mitigating any potential damage from a data breach; and (vi) take reasonable steps to restore the security and integrity of any Systems used by MRI and/or its subcontractors to provide the Services.

6. If we receive a request for Personal Information that is currently being held in the SaaS System, how can we get that information from MRI?

You will need to identify through your record management policies where that Personal Information is held (for example in structured and unstructured data fields) and then use the reporting features of the software to provide this, which could be a mixture of screen copies, spreadsheet exports or reports. Please see the below information on how to extract data based upon the product you are utilising. Please contact MRI Global Client Support if you are having trouble extracting this information. MRI Global Client Support will be provided in accordance with your governing agreement in place with MRI.

Qube Horizon:
Horizon data can be extracted by reports, screen extracts and SSIS in a variety of formats, for example Excel, PDF, XML.

Qube PM:
Qube PM data can be extracted by reports and screen extracts.

Qube Planet:
Qube Planet data can be extracted by reports and table exports in a variety of formats, for example Excel, PDF, CSV.

Qube SLM:
Qube SLM data can be extracted by reports. For any other data extracts required, contact MRI Global Client Support.

7. How do we permanently delete Personal Information after the end of its retention period, or on a right to be forgotten request?

Qube Horizon:
In its 10.2.7 release, Qube Horizon will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be necessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, as an enhancement to its 10.2.7 release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.

The 10.2.7 enhancement is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.

Qube Planet:
In its 10.74.1 release, Qube Planet will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be neccessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, as an enhancement to its 10.74.1 release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.

The 10.74.1 release is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.

Qube PM:
In its next release, Qube PM will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be neccessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information that cannot be manually removed, Qube will be releasing, in its next release, a routine that will allow Personal Information to be automatically removed and made unrecoverable. More information on how to utilise this routine will be made available in the version release notes.

The next release is anticipated for May 2018. For prior versions, please contact MRI’s Global Client Support for assistance in removing data through the back end.

Qube SLM:
In its next release, Qube SLM will be providing clients with the ability to permanently remove Personal Information and make it unrecoverable through the user interface. If the record contains non-personal information that is to be retained, it may be neccessary to replace the deleted personal information with generic keyboard characters, such as ‘****’.

For instances where Personal Information cannot be manually removed, Qube will be releasing, in its next release, an administration utility to enable removal of such Personal Information in an automated manner. Additionally, Qube SLM will be providing additional tools which enable clients to track consents of their data subjects. More information on how to utilise this routine and manage consent will be made available in the version release notes.

8. How long does MRI hold our data within its system and its backups?

MRI does not proactively delete Personal Information while you are still a client of MRI’s. While you are a still a client of MRI’s, MRI will make regular backups of the database for backup and data restoration purposes as described in the table below.

Product CategoryFrequency of backupLength that each backup is held
Qube HorizonDailyOne month
Qube PMDailyOne month
Qube PlanetDailyOne month
Qube SLMDailyOne month

Once you are no longer an active client and your contractual term has expired, MRI will remove your database, including all data, from its active environment and the database will not be included in periodic backup logs that are captured in the future. The time period for this deletion is outlined in the table below.

Product CategoryWhen is the client data deleted/database removed following termination?
Qube HorizonUp to one month following the termination date
Qube PMUp to one month following the termination date
Qube PlanetUp to one month following the termination date
Qube SLMUp to one month following the termination date
Version XUp to one month following the termination date

Once a backup is created, it will be held in storage until it is deleted or it becomes permanently overwritten. The time period for this deletion is outlined in the table below.

Product CategoryWhen is the client data deleted/database removed following termination?
Qube HorizonUp to one month following the termination date
Qube PMUp to one month following the termination date
Qube PlanetUp to one month following the termination date
Qube SLMUp to one month following the termination date

Select your region

17000+

clients

10m

units

2.3m

leases

140+

partners

170+

countries