Data Processing Agreement (DPA) pursuant to Art. 28 DSGVO
As of: 30 April 2026
Preamble
Welcome to Campcruisers GmbH! We are delighted that you have chosen Campsite OS and trust us to support the digital management of your campsite. Data protection and data security are central quality features of our software.
This Data Processing Agreement (DPA) forms the transparent and fair legal basis for the processing of personal data on your behalf.
Contracting Parties
Controller (Customer): Your company data is derived from the main contract (subscription for Campsite OS).
Processor: Campcruisers GmbH, Berliner Str. 21B, 14612 Falkensee, Germany. Daniel Bosch (CEO), Philipp André Marschall (Authorized Officer). Local Court Potsdam, HRB 40180 P. VAT ID: DE368000447.
Data Protection Officer: Not appointed (the requirements of § 38 BDSG are not met).
§ 1 Subject, Duration and Specification
1.1
This contract regulates the processing of personal data within the scope of providing Campsite OS. Supplement to GTC and main contract.
1.2
Duration is based on the main contract. Confidentiality and deletion obligations continue to apply.
1.3
Processing includes: Collection, storage, modification, retrieval, transmission (e.g., to Channel Manager), deletion. Server: Netherlands (IP: 34.91.84.25).
§ 2 Responsibility
2.1
You are the controller (Art. 4 No. 7 DSGVO). You decide on purposes and means.
2.2
We are the processor (Art. 4 No. 8 DSGVO). Processing only according to your instructions. No own use, no sale.
§ 3 Type and Purpose of Processing
Purpose: Provision of Campsite OS. Includes: Booking & reservation, guest management (including registration form § 29 BMG), accounting (ZUGFeRD), channel management, email dispatch, IoT & Smart Camp.
§ 4 Type of Personal Data
4.1 Data Categories
Master data (name, date of birth, nationality) | Contact data (address, email, telephone) | Booking data (period, category, extras) | KYC/registration data (ID numbers) | Vehicle data (license plates) | Payment data (tokenized via Stripe) | Communication data (tickets, emails) | System data (IP, log files, sessions)
4.2 Data Subjects
Guests/end customers and their fellow travelers | Your employees (software users) | Service providers/suppliers
§ 5 Obligations of the Processor
5.1 Compliance with DSGVO, BDSG, TDDDG. | 5.2 Purpose limitation and instruction-bound processing. | 5.3 Information in case of unlawful instructions. | 5.4 Processing in the EU (Netherlands). Third country only with Art. 44 ff. DSGVO.
§ 6 Right to Issue Instructions
6.1 Instructions defined by contract and main contract. | 6.2 Text form (email to support@campsite-os.de) or software configuration. | 6.3 Documentation of all instructions.
§ 7 Confidentiality and Personnel
7.1 Confidentiality obligation for all employees (Art. 28 Para. 3 lit. b DSGVO). | 7.2 Regular training. | 7.3 Need-to-know principle.
§ 8 Technical and Organizational Measures (TOMs)
8.1 Measures according to Art. 32 DSGVO. | 8.2 Encryption (TLS, AES-256), MFA, RBAC, logging, 99% SLA, backups, DDoS protection. | 8.3 Adjustment in case of technical progress. Details in Annex 1.
§ 9 Subprocessing Relationships
9.1 General authorization (Art. 28 Para. 2 DSGVO). | 9.2 Current subprocessors in Annex 2. | 9.3 Information 14 days before change. Right to object. | 9.4 Same obligations for subprocessors.
§ 10 Rights of Data Subjects
10.1 Support for Art. 15-22 DSGVO (self-service in Campsite OS). | 10.2 Direct inquiries are referred to you.
§ 11 Reporting Obligations
11.1 Reporting of data breaches within 48 hours. | 11.2 Content: Type of breach, affected persons, consequences, measures taken. | 11.3 Support for DPIA (Art. 35/36 DSGVO).
§ 12 Control Rights and Audits
12.1 Right to review. | 12.2 Documentation/certificates first; on-site audit with 30 days' notice. | 12.3 Costs borne by customer (except in case of breach).
§ 13 Deletion and Return
13.1 Data portability: 30-day export period (CSV, XML, JSON). | 13.2 Final deletion after 30 days. | 13.3 Confirmation upon request.
§ 14 Liability
14.1 Liability according to Art. 82 DSGVO. In the internal relationship only in case of breach of DSGVO obligations or instructions. | 14.2 Limitation to annual fee in case of slight negligence.
§ 15 Final Provisions
15.1 Text form for amendments. | 15.2 Severability clause. | 15.3 German law, jurisdiction Falkensee.
Annex 1: Technical and Organizational Measures (TOMs)
1. Confidentiality
Physical Access Control: Servers in data centers in the Netherlands (IP: 34.91.84.25). 24/7 security service, biometric access controls, video surveillance.
System Access Control: Complex passwords, MFA, brute-force protection, VPN.
Authorization Control: RBAC in Campsite OS, need-to-know principle, DIN 66399 document destruction.
Separation Control: Logical tenant separation. Separation of development/test/production.
2. Integrity
Transmission Control: TLS 1.2/1.3, AES-256 at rest, API keys and token authentication.
Input Control: Audit trail in Campsite OS, central server logging.
3. Availability
Daily backups (geo-redundant, encrypted), UPS, DDoS protection, WAF, 99% SLA.
4. Evaluation
Regular audits, vulnerability scans, incident response plan (48h reporting), privacy by default.
Annex 2: Approved Subprocessors
| Service Provider | Location | Purpose | Third-Country Transfer |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Ireland (EU) | Payment processing | EU; SCC if internal USA transfer |
| Resend, Inc. | USA | Transactional email dispatch | EU Standard Contractual Clauses (SCC) |
| Google Ireland Limited | Ireland (EU) | Analytics & Ads | Primarily EU |
| Biscotti CMP | Germany (EU) | Cookie/consent management | Exclusively EU |
| Hosting Provider | Netherlands (EU) | Server infrastructure (IP: 34.91.84.25) | Exclusively EU |