
Security Overview

The MRI Qube integration implements enterprise-grade security measures to protect your data throughout the synchronisation process.
All security measures comply with UK GDPR, the Data Protection Act 2018, and RICS best practices.

Credential Security

Vault Encryption

API credentials are encrypted at rest using Supabase Vault:
  • Encryption: AES-256-GCM
  • Key Management: Automatic key rotation
  • Access: Row-level security policies
-- Credentials are never stored in plain text
SELECT store_mri_credentials_secure(
  building_id,
  client_id,
  encrypted_client_secret,  -- AES-256 encrypted
  api_base_url,
  environment
);

Credential Rotation

Rotate your MRI API credentials every 90 days as a security best practice.
The system tracks credential age and alerts directors when rotation is due:
| Age | Status | Action |
|---|---|---|
| 0-60 days | 🟢 Current | No action needed |
| 60-90 days | 🟡 Due Soon | Plan rotation |
| 90+ days | 🔴 Overdue | Rotate immediately |

Data Protection

Data in Transit

  • All API calls use TLS 1.3 encryption
  • Certificate pinning for the Vaultre API
  • No sensitive data in URL parameters

Data at Rest

  • Database encrypted with AES-256
  • Backups encrypted with separate keys
  • Point-in-time recovery enabled

Data Minimisation

Only essential data is synchronised:
  • Property and unit details
  • Tenancy information
  • Financial transactions
  • Contact business details
  • Maintenance records
  • Compliance documents

The following are not synchronised:
  • Personal bank account numbers
  • National Insurance numbers
  • Passport/ID copies
  • Medical information
  • Criminal records

Access Control

Role-Based Access

Only authorised users can configure or access MRI integration:
| Role | Permissions |
|---|---|
| Building Director | Full access to configuration and data |
| Property Manager | View sync status, trigger manual syncs |
| Homeowner | View own synced data only |
| Super Admin | Full access across all buildings |

Row-Level Security

Supabase RLS policies ensure users only access their authorised buildings:
-- Users can only access MRI data for their buildings
CREATE POLICY "mri_data_access" ON mri_properties
  FOR SELECT USING (
    building_id IN (
      SELECT building_id FROM building_users
      WHERE user_id = auth.uid()
    )
  );
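
A policy like the one above only filters rows once row-level security is enabled on the table, and it covers `SELECT` only. The following is an added example, not part of the integration's own code: it enables RLS and audits coverage using the standard PostgreSQL catalogs, assuming the tables live in the `public` schema.

```sql
-- Added example. mri_properties is the table named in the policy above;
-- the 'public' schema is an assumption.

-- 1. CREATE POLICY has no effect until RLS is enabled on the table.
ALTER TABLE mri_properties ENABLE ROW LEVEL SECURITY;

-- 2. Audit: list tables where RLS is off, or on but with no policy.
--    RLS off            -> every role with table privileges sees all rows.
--    RLS on, 0 policies -> default deny for non-owners; usually a
--                          misconfiguration worth reviewing.
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced_for_owner,
       count(p.policyname)   AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p
       ON p.schemaname = n.nspname
      AND p.tablename  = c.relname
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
GROUP BY c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity
    OR count(p.policyname) = 0
ORDER BY c.relname;

-- 3. Show which commands each policy on mri_properties covers.
--    A table with only a SELECT policy denies INSERT/UPDATE/DELETE to
--    non-owners; confirm that matches the intended write path.
SELECT policyname, cmd, roles, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND tablename  = 'mri_properties'
ORDER BY policyname;
```

Roles with the `BYPASSRLS` attribute and superusers are not subject to these policies, so the audit should be read alongside a review of which keys and roles the sync process uses.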

Audit Logging

What’s Logged

All integration activities are logged for compliance:
  • Credential access and changes
  • Sync operations (start, complete, errors)
  • Data modifications from sync
  • Configuration changes
  • Manual overrides

Log Retention

| Log Type | Retention |
|---|---|
| Sync logs | 90 days |
| Audit logs | 7 years |
| Error logs | 1 year |

Compliance

GDPR Compliance

  • Data processing agreement with MRI Software/Vaultre
  • Standard Contractual Clauses for data transfer to Australia
  • Data subject access request support
  • Right to erasure implementation

Data Processing Agreement

MRI Qube/Vaultre operates from Australia. We have:
  1. DPA in place with MRI Software
  2. SCCs (Standard Contractual Clauses) for international transfer
  3. Data breach notification procedures agreed

Security Checklist

Weekly

  • Review sync error logs
  • Check for failed authentications

Monthly

  • Audit user access permissions
  • Review credential access logs
  • Check sync performance metrics

Quarterly

  • Rotate MRI credentials
  • Security assessment
  • Review DPA with MRI

Incident Response

If you suspect a security issue:
  1. Immediately disable the MRI integration in Settings
  2. Contact security@manage.management
  3. Document what you observed
  4. Preserve any relevant logs
For urgent security incidents, call our security hotline: +44 (0) 1onal number here