You Don't Own Your Data
You think you do. You log into your property management platform, you see your units, your leases, your tenant records, your financials. It feels like ownership.
But read the terms of service carefully. What you own is access. The data sits on infrastructure you don't control, in a jurisdiction you may never have thought about, processed by systems and staff you've never met. If the platform shuts down tomorrow — or suspends your account for any reason — how long would it take you to recover everything you need?
If the answer is anything other than "immediately," you're renting access to your own data. And the landlord isn't you.
Where the Real Risk Lives
Most operators think about data risk the wrong way. They worry about external attackers: hackers, breaches, ransomware. That risk is real, but it isn't the primary one for property operators in emerging markets.
The structural risk is in the tools themselves.
Most SaaS property management platforms are built on shared infrastructure. Your data sits alongside thousands of other operators' data, processed by the same systems, often accessible to the same support teams. The privacy policy permits this — buried under language about "service improvement" and "authorised personnel."
This creates three categories of exposure that most operators have never mapped:
Jurisdictional risk. Data stored in a foreign jurisdiction is subject to that jurisdiction's laws. A government request, court order, or regulatory inquiry in another country can compel your vendor to disclose your tenant data — without notifying you. You agreed to this when you clicked accept on the terms of service.
Access risk. Platform staff, sub-processors, and third-party integrations may have broader access to your data than you realise or than you've disclosed to your tenants. "We may share data with service providers" is the polite version of "we can't tell you exactly who sees this."
Portability risk. If your vendor raises prices, gets acquired, or simply sunsets the product, can you export everything in a format you can actually use? Many platforms make import easy and export deliberately painful. That asymmetry is a business model.
Sovereignty Isn't What You Think It Is
Data sovereignty doesn't mean running your own servers. For most property operators, on-premise infrastructure is neither practical nor necessary.
It means something more specific: you know exactly where your data is, you can get it out at any time in a usable format, and no one accesses it without a record you can inspect.
In practice, that means:
- Jurisdiction transparency. Your vendor should be able to tell you, precisely, which country and which infrastructure provider holds your data at any given time.
- Unconditional export. Full data export — leases, tenants, financials, audit logs — available at any time, in a structured format, without a support ticket or a negotiation.
- Granular access controls. Not just role-based permissions, but a logged record of every access event: who read what, when, from where.
- AI with boundaries. If your platform uses AI to analyse your portfolio, you need to know whether your tenant data is being routed through third-party AI APIs — and whether those APIs are training on it.
Why It Matters More Than You Think
This isn't an abstract privacy concern. It's a competitive and commercial one.
Enterprise tenants — multinational companies, institutional occupiers, government agencies — are increasingly asking property operators about data governance before signing leases. Institutional investors conducting due diligence want to know that portfolio data is clean, controlled, and uncontested. Fund managers need to verify that AI-generated insights are derived from your data, not averaged against an industry pool that includes your competitors.
Operators who can answer these questions clearly have a material advantage over those who can't. And in a market where most competitors are still running on spreadsheets, "we know where your data is and we can prove it" is a differentiated position — not just a compliance checkbox.
The operators building serious portfolios in the next decade won't be the ones who moved fastest. They'll be the ones who moved with the most control.