Data Backup and Recovery Checklist

List every system holding tenant or owner data: the PMS (AppFolio, Buildium, Yardi, Rent Manager), accounting exports, the screening provider's report archive, e-sign records, the inspection app's photo library, and the shared drive holding leases and disclosures. Don't forget Section 8 / HQS files and lead-paint disclosures, which carry their own retention obligations.

The PMS database typically needs the tightest RPO (one business day or less) because rent posting and work-order activity is continuous. Inspection photos and document archives can tolerate a longer RPO. Document the targets so the backup schedule is justified, not arbitrary.

Run the job after end-of-day batch posting so the snapshot includes the day's rent receipts and work-order activity. Stagger jobs if multiple systems share a backup window.

Tenant files contain SSNs, bank account numbers from ACH setup, and screening reports — all PII subject to state breach-notification laws and FCRA safeguards. Confirm encryption keys are not stored alongside the encrypted data.

A successful job log is not the same as a verifiable backup. Pull a sample tenant ledger or lease PDF from the backup and compare against production. Common silent failure: a vendor API export that completes with an empty payload because credentials rotated.

Pick a region geographically distant from the office and from any owned property concentration. A firm with all properties in Houston should not store the only backup in a Houston data center — a single hurricane event takes both offline.

Use S3 Object Lock, Azure immutable blob storage, or the equivalent so a ransomware actor with admin credentials cannot delete the off-site copy. Set retention to cover the longest tenant-file requirement in your operating states (commonly 3-7 years post-move-out).

Include vendor support phone numbers (AppFolio / Buildium / Yardi escalation paths), the order of system recovery (PMS first, then accounting, then document archive), and the manual workaround for collecting rent if the PMS is offline for more than 48 hours.

Walk the leasing manager and accounting lead through the runbook with a simulated PMS outage. The first drill almost always exposes a gap — a vendor portal that requires MFA from a phone that's now offline, or a runbook that lists a staffer who left last year.

Check the alerting channel daily during business days. Most backup tools email failures, which get filtered or ignored — route alerts to a Slack or Teams channel the operations lead actually watches.

When the firm adopts a new tool — a self-show vendor like Tenant Turner, a maintenance dispatcher like Latchel, a new e-sign provider — add its data to the backup scope. New tools without backup are the most common gap surfaced after an incident.

Reflect any changes to systems, vendors, RTO/RPO, or retention windows. The procedure document is what an auditor or owner asks for after an incident — it needs to match what the firm actually does.

Confirm screening reports are restricted to authorized staff in the backup the same way they're restricted in production, and that adverse-action records are retained for the FCRA period. Cross-check with the state breach-notification statute that applies in each operating state.