Audit trail
The audit trail is the gap-free log of every relevant change in your CampOne tenant. It is the basis for proving at any time who changed what on a booking, an invoice, or a guest record — a requirement under the revised Swiss Data Protection Act (nDSG), the GDPR, and Swiss VAT law.
What is logged
CampOne automatically captures every change to:
- Bookings: creation, pitch swap, date change, cancellation, party size
- Invoices: creation, sending, payment, credit note, void
- Guest data: address, ID data, date of birth, marketing consent, deletion
- Tourist tax and HESTA: rate changes, exemptions, corrections
- Pitches and types: creation, rename, price change, blocking
- Users: sign-in, login attempts, role change
Each entry stores:
| Field | Content |
|---|---|
| Timestamp | UTC and local time |
| User | Name, role, IP address |
| Action | Create, change, delete |
| Previous value | if change |
| New value | if change |
| Reason | optional, supplied by user |
Who can see the audit trail
By default only the Owner role has access to the full trail. Managers see the trail for their area (e.g. invoices only, not user logins). Staff only see history of bookings they worked on themselves.
Permissions are configurable under Users → Roles — you can, for example, give a fiduciary read-only access to invoice logs.
Filters and search
The trail browser supports:
- Time range (freely selectable, max 5 years at once)
- User (which person made the change)
- Data type (booking, invoice, guest …)
- Action (creates only, deletes only)
- Full-text search (e.g. by booking number or guest name)
Results can be exported as PDF or CSV — both with a cryptographic checksum so tampering would show.
Retention
Each data type has a legally defined retention:
| Data type | Retention |
|---|---|
| Booking log | 10 years |
| Invoice log | 10 years (VAT law) |
| Guest data log | 10 years for registration data, 12 months for ID scans |
| Login log | 24 months |
| HESTA correction log | unlimited (append-only, no deletion) |
After the period, entries are anonymised automatically. The action remains in the log; the personal link is removed.
Tamper resistance
Audit entries are:
- Append-only: no edit, no delete possible by users
- Hash-chained: each entry contains the hash of the previous — a later change would break the chain
- Time-synchronised: NTP-based, with a stratum-2 server in Switzerland
For an authority export, CampOne creates a signed PDF whose authenticity can be verified at any time via the hash chain in the metadata.
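The hash chaining described above can be checked with a few lines of code; the following is an added illustration, not CampOne's own implementation or export format. It assumes SHA-256 over a canonical JSON form of each entry, an all-zero genesis value, and hypothetical field names, and it shows why a head hash stored outside the log is needed to notice a truncated tail.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry (not from the CampOne docs)


def entry_hash(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so identical entries hash identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append(chain, body):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev_hash": prev_hash, "hash": entry_hash(prev_hash, body)})


def verify(chain, expected_head=None):
    """Return None if intact, else the index of the first entry that fails
    (len(chain) when only the separately stored head hash disagrees)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash:
            return i  # an earlier entry was removed, inserted or reordered
        if entry["hash"] != entry_hash(prev_hash, entry["body"]):
            return i  # this entry's content changed after it was written
        prev_hash = entry["hash"]
    # Cutting off the tail leaves a valid shorter chain; only a head hash
    # kept outside the log (e.g. in a signed export) reveals it.
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def sample_chain():
    # Constructed entries using the fields listed under "Each entry stores".
    rows = [
        ("2025-03-01T08:15:00Z", "owner", "create", None, "invoice 1001 issued", None),
        ("2025-03-02T09:30:00Z", "manager", "change", "unpaid", "paid", None),
        ("2025-03-05T14:05:00Z", "owner", "change", "paid", "void", "duplicate invoice"),
    ]
    chain = []
    for ts, user, action, old, new, reason in rows:
        append(chain, {"timestamp": ts, "user": user, "action": action,
                       "previous": old, "new": new, "reason": reason})
    return chain
```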
Authority requests
When the police, the tax office, or the Federal Statistical Office requests data, you produce a filtered report under Compliance → Authority export. The export contains:
- the requested data
- the related audit entries
- a PDF statement on content and context
- a cryptographic signature
The export itself is logged — you always know what was given to whom.
- Capture reasons. For sensitive actions (voiding a paid invoice, deleting a guest record) CampOne forces you to enter a reason. The discipline pays off — at a later audit you save yourself the search.
- Review login logs monthly. Suspicious sign-in attempts from unexpected countries are an early indicator of compromised credentials.
- Read-only access for fiduciaries. Don’t give external accountants write rights — the audit trail is cleaner if all corrections come from your team.