
Security & Trust

CampOne handles sensitive data: bookings, payments, guest registration records (Meldeschein) including passport and ID numbers, and your guests’ email addresses. This page summarises how we protect that data — readable enough for a board meeting, precise enough for an IT audit.

Three companion pages go deeper:

  • Architecture & Controls — the technical safeguards (encryption, authentication, multi-tenancy).
  • Data Protection & nDSG — how we implement Switzerland’s revised Data Protection Act, including retention windows, data-subject rights, and sub-processors.
  • Audit Trail — what we record and for how long.

CampOne is multi-tenant by design. Each campsite gets its own isolated data space — no operator ever sees another operator’s data.

  1. Tenant isolation by default. Every database query is scoped to the logged-in user’s tenant. It is technically impossible for staff at Camping A to accidentally retrieve a booking from Camping B.
  2. Encrypted transport, short sessions. All connections use TLS (HTTPS). Access tokens are valid for 30 minutes; refresh tokens are valid for 7 days and rotate on every use. A stolen token loses validity quickly.
  3. Privacy-respecting retention. Guest data is automatically anonymised after 730 days. Financial records are retained 10 years per Swiss commercial-code requirements, kept separate from personal data.
  4. Complete audit trail. Every login, every booking change, every CampOne support access is recorded with timestamp and IP address.
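As an added illustration of the token lifetimes in point 2 (not CampOne’s own code), the sketch below issues 30-minute access tokens and 7-day refresh tokens, rotates the refresh token on each use, and treats reuse of an already rotated refresh token as the sign of a stolen copy. The in-memory store, the controllable clock and that replay check are assumptions made for the example.

```python
# Added example (not CampOne's code) of the token lifetimes described above:
# 30-minute access tokens, 7-day refresh tokens rotated on every use.
import secrets
from datetime import datetime, timedelta, timezone

ACCESS_TTL = timedelta(minutes=30)
REFRESH_TTL = timedelta(days=7)


class TokenService:
    # Assumptions for the example: in-memory store, a fixed clock that tests can
    # advance, and a "family" per login so that presenting an already rotated
    # refresh token (a stale copy held by client or thief) revokes the session.
    def __init__(self):
        self.now = datetime(2025, 1, 1, tzinfo=timezone.utc)
        self._access = {}   # access token -> (tenant_id, expires_at)
        self._refresh = {}  # refresh token -> [tenant_id, family, expires_at, used]
        self._revoked = set()

    def advance(self, **delta):
        self.now += timedelta(**delta)  # simulate passage of time

    def login(self, tenant_id):
        # The 7-day refresh window is fixed per login; rotation does not extend it.
        return self._issue(tenant_id, secrets.token_hex(8), self.now + REFRESH_TTL)

    def _issue(self, tenant_id, family, refresh_expires):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (tenant_id, self.now + ACCESS_TTL)
        self._refresh[refresh] = [tenant_id, family, refresh_expires, False]
        return access, refresh

    def tenant_for_access(self, access):
        # Tenant the access token belongs to, or None if unknown or expired.
        entry = self._access.get(access)
        if entry is None or entry[1] <= self.now:
            return None
        return entry[0]

    def refresh(self, refresh):
        # Rotate: mark the presented refresh token used and issue a fresh pair.
        entry = self._refresh.get(refresh)
        if entry is None or entry[1] in self._revoked or entry[2] <= self.now:
            return None
        if entry[3]:
            self._revoked.add(entry[1])  # replay of a rotated token: kill the family
            return None
        entry[3] = True
        return self._issue(entry[0], entry[1], entry[2])
```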

If your IT lead or your accountant asks whether CampOne meets nDSG requirements, the short answer is: Yes — EU/CH data residency, encryption in transit, automated retention windows, complete audit logs, documented record of processing. The data-protection page provides the supporting evidence.

To report a security issue, contact security@campone.ch.

Where is my data stored? On a Supabase PostgreSQL cluster in the EU (AWS Frankfurt region, eu-west-1, Ireland). Daily backups, point-in-time recovery, EU-equivalent data-protection regime.

Who at CampOne can see my bookings? In normal operation, no one. When you contact our support and grant access, we can — with your explicit consent — enter your tenant in one of three modes: Mock (synthetic sample data), Redacted (your data with PII masked), Real (full access, only after your approval, max. 30 minutes). Every access is audited and visible to you.

What happens when a guest requests deletion? Guests can delete their own account — the API endpoint is live, and the “Delete account” button is being rolled out to each tenant’s guest portal. Until then, you can initiate deletion through CampOne support. Mandatory financial records (e.g. invoices) are retained for the legally required 10 years (Swiss Code of Obligations Art. 958f) — but the personal-data fields within them (passport number, birth date, address, …) are anonymised while the record is retained.

What if CampOne goes down? We run separate staging and production environments, automated daily backups via Supabase, and a documented disaster-recovery procedure. Planned maintenance windows are announced in advance.

What about Stripe keys and SMTP passwords? These live per-tenant on your tenant record — not in shared configuration. A compromise of one operator’s credentials cannot pivot to another operator.

We respond within 5 working days, and within 24 hours for urgent security issues.