Clouded Oversight: Real Estate Operator Faces Data Residency Fallout

The Challenge

In early 2025, Horizon Lease Corporation, a major real estate operator with a growing portfolio of commercial and residential properties, faced a regulatory crisis that revealed critical flaws in its data governance practices. The issue began with a tenant inquiry about how personal data was stored and processed on the company’s new digital leasing platform. The question was escalated to IT, which triggered a deeper investigation. That investigation found that tenant files, including lease agreements and identification documents, were being stored on cloud servers located in the United States.

This finding directly contradicted Horizon’s internal privacy commitments and raised red flags under the Personal Information Protection and Electronic Documents Act (PIPEDA). Worse, the digital platform had been implemented in a rush to modernize services, with no formal review by the company’s governance committee. The third-party vendor had subcontracted data storage to a U.S.-based provider without disclosing this to Horizon. The contract contained no clauses addressing data residency, jurisdiction, or breach notification protocols.

The Office of the Privacy Commissioner was notified, and Horizon’s executive team faced significant pressure to explain how such a major compliance oversight had occurred. Internally, there was no record of a privacy impact assessment being conducted, and procurement staff had not been trained on evaluating cross-border data risks. The incident highlighted a systemic governance gap in how technology decisions were being made.

Our Solution

Our team was retained to perform a comprehensive audit of Horizon’s third-party platforms and data storage practices. We began by cataloging all vendor-hosted systems and verifying where personal data was stored and processed. We assisted the legal team in rewriting vendor contracts to include data residency clauses, breach reporting timelines, and encryption requirements.

We also introduced a board-level review protocol for any technology system that handles tenant or customer information. Procurement and IT teams were trained on privacy-by-design principles and risk assessment procedures. To prevent future surprises, we established a vendor management program that includes quarterly reviews, compliance scorecards, and escalation protocols for nonconformance.

The Value

Horizon was able to demonstrate transparency and accountability to regulators and tenants. The new governance framework improved decision-making, reduced legal exposure, and reassured stakeholders that data privacy was now a top priority. The incident became a turning point that strengthened Horizon’s internal culture and raised the bar for technology adoption.

Implementation Roadmap

1. Audit all third-party systems to identify data residency risks

2. Redraft vendor agreements to include privacy and jurisdictional controls

3. Introduce board oversight for all systems involving tenant information

4. Train procurement and IT teams on privacy-by-design

5. Establish a vendor governance program with ongoing compliance reviews

Info Sheet

Industry Sector: Real Estate and Rental and Leasing

Applicable Legislation:

  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Office of the Privacy Commissioner of Canada guidance on cross-border data flows
  • Provincial landlord and tenant data handling laws

Necessary Action Type: Governance Review and Cloud Data Residency Compliance

Steps to Be Taken:

  • Conduct a full audit of all platforms storing tenant or customer data
  • Amend vendor agreements to include data residency, breach notification, and subcontractor obligations
  • Establish board-level review for all systems that handle personal information
  • Implement a vendor risk management program with periodic reviews
  • Train procurement and leadership staff on privacy-by-design principles

Involved Third Parties:

  • Cloud-based property management platform vendor
  • Subcontracted U.S.-based cloud infrastructure provider
  • External privacy and cybersecurity advisory consultants