Security that earns trust
Camp2Find is built with security and privacy at its foundation, not bolted on as an afterthought. Every feature is designed to protect your guests' data and keep your campground compliant.
Encryption at rest and in transit
All personal guest data is encrypted with AES-256-GCM -- the same encryption standard used by banks, military systems, and government agencies. Data is encrypted before it hits the database and decrypted only when authorized staff access it. Every decryption event is logged.
Multi-layer protection
Multiple layers of defense protect your campground and guest data from every angle.
Rate Limiting
16 rate-limiting strategies protect against brute-force, API abuse, and DDoS attacks.
Bot Protection
hCaptcha verification on all public booking forms prevents automated abuse.
Input Sanitization
Multi-layer XSS, SQL injection, and command injection protection on every endpoint.
Content Security
Strict Content Security Policy headers enforced via Helmet.js middleware.
Transport Security
HTTP Strict Transport Security (HSTS) enforced on all connections with preload.
Attack Detection
Real-time attack pattern detection with Sentry alerting and PII leak prevention.
Access control
Granular role-based access ensures the right people see the right data.
Role Hierarchy
Four-tier system: Super Admin, Admin, Manager, Employee -- each with distinct permissions.
Row-Level Security
PostgreSQL RLS policies enforce data isolation at the database level.
JWT Authentication
Token-based auth with automatic refresh and secure session management.
Email Whitelist
Authorized email list controls who can register as staff for your campground.
GDPR Compliance Matrix
Camp2Find implements every relevant GDPR article with automated compliance workflows.
| GDPR Article | Requirement | Status |
|---|---|---|
| Art. 15 | Right of Access -- complete data export on request | Automated |
| Art. 16 | Right to Rectification -- data correction with audit logging | Automated |
| Art. 17 | Right to Erasure -- deletion after 30-day grace period | Automated |
| Art. 20 | Right to Portability -- JSON/CSV structured data export | Automated |
| Art. 25 | Privacy by Design -- encryption by default, minimal data collection | Built-in |
| Art. 28 | Data Processing Agreement -- documented processor relationships | Available |
| Art. 30 | Records of Processing -- complete audit trail for every action | Automated |
| Art. 32 | Security of Processing -- AES-256-GCM with role-based access | Built-in |