Data Backup and Recovery Checklist

List every system holding tenant or owner data: the PMS (AppFolio, Buildium, Yardi, Rent Manager), accounting exports, the screening provider's report archive, e-sign records, the inspection app's photo library, and the shared drive holding leases and disclosures. Don't forget Section 8 / HQS files and lead-paint disclosures, which carry their own retention obligations.

The PMS database typically needs the tightest RPO (one business day or less) because rent posting and work-order activity is continuous. Inspection photos and document archives can tolerate a longer RPO. Document the targets so the backup schedule is justified, not arbitrary.

Most cloud PMS vendors (AppFolio, Buildium) handle their own backup but do not give you a portable export by default — confirm the vendor's RPO and whether you can pull a self-managed copy. For self-hosted Yardi or Rent Manager, plan for a dedicated tool such as Veeam, Acronis, or a managed backup service.

Run the job after end-of-day batch posting so the snapshot includes the day's rent receipts and work-order activity. Stagger jobs if multiple systems share a backup window.

Tenant files contain SSNs, bank account numbers from ACH setup, and screening reports — all PII subject to state breach-notification laws and FCRA safeguards. Confirm encryption keys are not stored alongside the encrypted data.

A successful job log is not the same as a verifiable backup. Pull a sample tenant ledger or lease PDF from the backup and compare against production. Common silent failure: a vendor API export that completes with an empty payload because credentials rotated.

Identify the failure root cause — credential rotation, storage quota, network ACL, vendor API change — and re-run before the next scheduled job. Open a ticket if the failure recurs across two cycles so the cause is tracked rather than papered over.

Pick a region geographically distant from the office and from any owned property concentration. A firm with all properties in Houston should not store the only backup in a Houston data center — a single hurricane event takes both offline.

Use S3 Object Lock, Azure immutable blob storage, or the equivalent so a ransomware actor with admin credentials cannot delete the off-site copy. Set retention to cover the longest tenant-file requirement in your operating states (commonly 3-7 years post-move-out).

Restore a single tenant file and a small accounting export to a sandbox environment and compare to production. Time the restore — if it exceeds the documented RTO, the off-site solution doesn't actually meet the recovery target you signed up for.

Include vendor support phone numbers (AppFolio / Buildium / Yardi escalation paths), the order of system recovery (PMS first, then accounting, then document archive), and the manual workaround for collecting rent if the PMS is offline for more than 48 hours.

Walk the leasing manager and accounting lead through the runbook with a simulated PMS outage. The first drill almost always exposes a gap — a vendor portal that requires MFA from a phone that's now offline, or a runbook that lists a staffer who left last year.

Capture each gap, assign an owner, and update the runbook before the next quarter's drill. Gaps that aren't written down repeat.

Check the alerting channel daily during business days. Most backup tools email failures, which get filtered or ignored — route alerts to a Slack or Teams channel the operations lead actually watches.

When the firm adopts a new tool — a self-show vendor like Tenant Turner, a maintenance dispatcher like Latchel, a new e-sign provider — add its data to the backup scope. New tools without backup are the most common gap surfaced after an incident.

State landlord-tenant retention rules vary (typically 3-7 years post-move-out for the tenant file). FCRA requires keeping screening-report disposition records for the period the agency specifies. Confirm retention windows match per-state rules across the portfolio.

Reflect any changes to systems, vendors, RTO/RPO, or retention windows. The procedure document is what an auditor or owner asks for after an incident — it needs to match what the firm actually does.

Confirm screening reports are restricted to authorized staff in the backup the same way they're restricted in production, and that adverse-action records are retained for the FCRA period. Cross-check with the state breach-notification statute that applies in each operating state.

Retain job logs, integrity checks, drill results, and remediation tickets for at least the longest tenant-file retention window in your operating states. These are the artifacts an owner or auditor will request after any incident.