Camper BMS

Data Processing Addendum

Last Updated: 20 April 2026
Effective Date: The date Customer accepts the Camper BMS SaaS Agreement

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Camper BMS SaaS Agreement (the "Agreement") between Pillarbit Software Pty Ltd (ABN 65 692 373 505) trading as Camper BMS ("Camper BMS", "Processor", "we", "us") and the customer entity entering into the Agreement ("Customer", "Controller", "you").

If there is a conflict between this DPA and the Agreement regarding Personal Data processing, this DPA controls to the extent of that conflict.

1. Purpose and Scope

This DPA applies where Camper BMS Processes Personal Data on behalf of Customer in connection with providing the Services.

This DPA does not apply to Personal Data processed by Camper BMS as an independent controller, including account administration, billing, Camper BMS support account communications, security monitoring, marketing activities, and website analytics.

This DPA is intended to satisfy Article 28 GDPR and equivalent requirements under UK GDPR.

Personal Data will be processed solely for the purpose of providing the Services and in accordance with Customer's documented instructions.

2. Definitions

Capitalised terms not defined in this DPA have the meaning in the Agreement.

"Data Protection Laws" means all laws and regulations applicable to Personal Data processing under this DPA, including as applicable: GDPR, UK GDPR, the UK Data Protection Act 2018, and binding guidance or orders of competent supervisory authorities.

"GDPR" means Regulation (EU) 2016/679.

"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given under applicable Data Protection Laws.

"Restricted Transfer" means a transfer of Personal Data to a country outside the EEA, UK, or other jurisdiction requiring a recognised transfer safeguard under applicable Data Protection Laws.

3. Roles of the Parties

The parties acknowledge and agree that:

Customer is the Controller (or a Processor acting on behalf of a controller) of Personal Data described in Annex 1.

Camper BMS is a Processor of such Personal Data.

Where Customer is itself a Processor, Customer warrants it is authorised by the relevant controller to appoint Camper BMS as a sub-processor and to enter into this DPA.

To the extent Camper BMS processes irreversibly anonymised or aggregated data derived from Customer Data for its own purposes (including analytics, benchmarking, product improvement, and security), such data will not identify Customer or any Data Subject.

Once data has been irreversibly anonymised such that it no longer relates to an identified or identifiable individual, it is no longer considered Personal Data and is not subject to this DPA.

Camper BMS does not determine the purposes or means of processing Personal Data processed on behalf of Customer.

4. Customer Instructions

Camper BMS will process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law to which Camper BMS is subject.

Where Camper BMS is required by applicable law to process Personal Data other than on Customer instructions, Camper BMS will inform Customer of that legal requirement before processing unless such law prohibits such notification on important grounds of public interest.

The Agreement, this DPA, Customer configuration choices within the Services, and written support or administrative requests constitute Customer's documented instructions.

Customer is responsible for:

  • maintaining the confidentiality of account credentials;
  • managing user access permissions;
  • ensuring secure configuration of the Services; and
  • ensuring that Personal Data uploaded to the Services complies with Data Protection Laws.

If Camper BMS believes an instruction infringes Data Protection Laws, Camper BMS will inform Customer without undue delay.

Customer represents and warrants that:

  • it has a lawful basis for Processing Personal Data and instructing Camper BMS to Process such data; and
  • it has provided all required privacy notices to Data Subjects in accordance with applicable Data Protection Laws.

5. Confidentiality

Camper BMS will ensure that persons authorised to Process Personal Data are subject to appropriate confidentiality obligations.

6. Security of Processing

Taking into account the state of the art, implementation costs, nature, scope, context, and purposes of Processing, and the risk to Data Subjects, Camper BMS will implement appropriate technical and organisational measures in accordance with Article 32 GDPR.

Core measures are described in Annex 2.

Camper BMS processes only the Personal Data necessary to provide the Services and limits access to authorised personnel with a legitimate operational need.

7. Sub-processors

Customer grants general written authorisation for Camper BMS to use sub-processors listed in Annex 3.

Camper BMS will:

  • impose data protection obligations on sub-processors that are materially no less protective than those in this DPA for the relevant processing;
  • remain responsible for sub-processor performance to the extent required by Data Protection Laws;
  • notify Customer of intended sub-processor changes by email, in-app notification, or by posting an updated sub-processor list on Camper BMS's website;
  • allow Customer to object on reasonable data protection grounds within 15 days of notice.

If Customer objects reasonably and the parties cannot resolve the issue, Customer may terminate the affected Services by written notice.

Camper BMS may suspend or replace a sub-processor without prior notice where reasonably necessary to protect the security or integrity of the Services. Camper BMS will notify Customer as soon as reasonably practicable following such replacement.

Annex 3 provides the sub-processors in use as of the Effective Date. The authoritative and continuously updated list of sub-processors is maintained at https://camperbms.com/legal/subprocessors.

8. Assistance to Customer

Taking into account the nature of Processing and information available to Camper BMS, Camper BMS will provide reasonable assistance to Customer for:

  • responding to Data Subject requests under Chapter III GDPR;
  • deletion or restriction of Personal Data where required by applicable law;
  • compliance with Article 32 security obligations;
  • personal data breach notifications under Articles 33 and 34 GDPR;
  • DPIAs and prior consultations under Articles 35 and 36 GDPR.

9. Personal Data Breach Notification

Camper BMS will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer.

Such notice will include, to the extent available:

  • the nature of the breach;
  • likely consequences;
  • measures taken or proposed;
  • a contact point for follow-up.

Camper BMS will provide timely updates as additional information becomes available.

10. Deletion and Return of Data

Upon termination or expiry of the Agreement, Camper BMS will, at Customer's choice, delete or return Personal Data processed on behalf of Customer.

Customer may export Personal Data for a period of 30 days following termination. After this period, Personal Data may be deleted in accordance with the Agreement and applicable retention requirements, unless retention is required by applicable law.

Where deletion is selected, deletion may occur through secure deletion, anonymisation, or irreversible de-identification routines used by the Services, including deletion during standard backup lifecycle rotation.

11. Information Rights and Audits

Camper BMS will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to the conditions set out in this Section.

Camper BMS may satisfy audit obligations by providing relevant third-party audit reports, certifications, or security assessments where appropriate.

If such information is insufficient, Customer or its mandated auditor may request an audit no more than once annually (except where required by law or following a confirmed security incident), subject to:

  • at least 30 days' prior written notice;
  • scope limited to processing relevant to Customer;
  • confidentiality obligations;
  • no disruption to other customers or systems;
  • Customer bearing its own audit costs and Camper BMS's reasonable costs for extensive on-site or third-party audits.

Customer audits must not access systems, environments, or data belonging to other Camper BMS customers.

12. International Transfers

If Camper BMS makes a Restricted Transfer:

EU Transfers

The EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914) ("EU SCCs") are incorporated by reference.

  • Module 2 (Controller-to-Processor) applies where Customer is Controller.
  • Module 3 (Processor-to-Processor) applies where Customer is Processor.
  • Clause 7 (Docking) is enabled.
  • Clause 9 (Sub-processors): Option 2 (general written authorisation).
  • Clause 11 (Redress): Optional language not selected.
  • Clause 17 (Governing Law): Ireland.
  • Clause 18 (Forum): Courts of Ireland.
  • Annexes I, II, and III of the SCCs are satisfied by Annexes 1, 2, and 3 of this DPA.

UK Transfers

The UK International Data Transfer Addendum to the EU SCCs (ICO Addendum, as amended) is incorporated by reference for Restricted Transfers under UK GDPR.

The parties will cooperate in good faith to complete any additional transfer documentation required for enforceability.

The parties acknowledge that they have considered the circumstances of Restricted Transfers, including the nature of the Personal Data, the purposes of processing, and the technical and organisational measures implemented by Camper BMS.

Camper BMS will implement supplementary measures where reasonably necessary to ensure that transferred Personal Data receives a level of protection essentially equivalent to that required under applicable Data Protection Laws.

13. Liability

Liability under this DPA is subject to the liability framework, exclusions, and caps set out in the Agreement, except where prohibited by Data Protection Laws.

14. Term

This DPA remains in force for as long as Camper BMS Processes Personal Data on behalf of Customer under the Agreement.

15. Governing Law

This DPA is governed by the governing law and jurisdiction provisions in the Agreement, except to the extent otherwise required for enforceability of incorporated transfer mechanisms.

Annex 1 — Details of Processing

A. Subject Matter

Provision of Camper BMS software services for campground operations, including bookings, customer management, invoicing, messaging, payments orchestration, reporting, and integrations.

B. Duration

For the term of the Agreement plus any retention period required by law or reasonably required for security, dispute, accounting, and compliance purposes.

C. Nature and Purpose of Processing

  • account provisioning and authentication;
  • storing and organising campground operational records;
  • customer communications initiated or configured by Customer;
  • invoice and payment workflow orchestration with third-party processors;
  • API processing and integrations requested by Customer;
  • support, diagnostics, abuse prevention, security logging, and system reliability;
  • processing primarily occurs in cloud infrastructure located in Australia (Sydney region), with certain subprocessors operating in the United States and European Union as described in Annex 3;
  • limited access to Personal Data by authorised support personnel where necessary to provide technical support requested by Customer;
  • customer support communications processed through support and helpdesk providers where Customer or Customer users initiate support requests;
  • automated analysis of operator-configured communications for abuse prevention, fraud detection, or service integrity monitoring;
  • processing of uploaded images and documents using machine learning services for classification, text extraction, validation, or operational analysis where configured by Customer.

D. Categories of Data Subjects

  • Customer users (owners, staff, team members);
  • Customer end-customers, guests, and prospective guests;
  • invoice and billing contacts;
  • campground contacts and related service recipients.

E. Categories of Personal Data

  • identity and contact data;
  • booking and occupancy data;
  • invoicing and billing profile data;
  • transaction references, payment status indicators, and partial payment identifiers;
  • communication content and delivery metadata;
  • customer account identifiers and activity logs;
  • device, session, IP, and API audit metadata;
  • user-generated files uploaded by Customer;
  • Customer may configure custom data fields within the Services. Customer is solely responsible for determining the categories of Personal Data collected through such fields and for ensuring a lawful basis for such Processing.

Camper BMS does not intentionally collect or process special category data. Customer must not upload or submit special category data or criminal offence data unless expressly agreed in writing and legally authorised. Customer is solely responsible for any such data uploaded in breach of this restriction.

F. Frequency

Continuous and event-driven, based on Customer and end-user activity.

Annex 2 — Technical and Organisational Measures

Camper BMS maintains commercially reasonable security controls, including:

  • authenticated user accounts, role-based access controls, and access limited to authorised personnel with a legitimate business need;
  • transport encryption (HTTPS/TLS) for data in transit;
  • encryption at rest for stored Personal Data;
  • cloud infrastructure controls for hosted storage and service components;
  • application-level controls to reduce sensitive data exposure;
  • audit and usage logging for API access and administrative events;
  • vulnerability and patch management;
  • backup and disaster recovery practices;
  • personnel confidentiality obligations and least-privilege access;
  • incident response procedures for detection, triage, and notification.

Camper BMS may update technical and organisational measures from time to time, provided security is not materially decreased.

Annex 3 — Sub-processors and Locations

Infrastructure Providers

  • Laravel Forge (Laravel LLC)
    Server provisioning and deployment management platform used to manage application infrastructure hosted on AWS.
    Processing location: United States (management interface only; no primary data hosting).
  • Amazon Web Services (AWS)
    Infrastructure and storage services including S3, Lambda, ECR, CloudFront, Route53, and related cloud infrastructure components.
    Processing locations: Australia (Sydney) primary; global infrastructure and United States regions where required by specific services.
  • Amazon CloudFront (Amazon Web Services)
    Content delivery network (CDN) and edge caching for application traffic. Processes visitor IP addresses and request metadata for performance optimisation and security.
    Processing locations: Global edge network (nearest point of presence to visitor).
  • Microsoft Azure
    Blob storage used for encrypted backup copies of uploaded files.
    Processing locations: Australia East (Sydney).
  • Laravel Nightwatch (Laravel LLC)
    Application monitoring, uptime monitoring, error diagnostics, and performance monitoring for the Services.
    Processing location: United States.

Communication Providers

  • Postmark
    Transactional email delivery including booking confirmations and operational messages.
    Processing location: United States.
  • Amazon SES
    Bulk email delivery and email address validation.
    Processing locations: Australia and United States.
  • Twilio
    SMS delivery, phone number validation, and messaging services.
    Processing location: United States.
  • Intercom R&D Unlimited Company
    Customer support messaging platform, support ticket management, and website chat widget infrastructure.
    Processing locations: United States and European Union.
  • Fin AI (Intercom AI functionality)
    Automated assistance for customer support responses within the Intercom platform. Processes support conversation content to generate suggested responses for support agents.
    Processing location: United States.

Payment Providers

  • Connected Payment Providers (Square, eWAY, Pin Payments, Westpac OnlinePay, ANZ Worldline)
    Engaged directly by Customer. Camper BMS transmits limited transaction information solely at Customer's instruction. Providers act as independent controllers or processors under their own terms. Customer is responsible for reviewing their data processing practices, locations, and transfer safeguards.

AI and Data Processing Providers

  • OpenAI API
    Limited automated analysis of operator-configured communications and map data for abuse prevention and operational features.
    Processing location: United States.
  • Google Cloud (Vision API)
    Automated image processing for campground map analysis and hotspot detection.
    Processing location: United States and global infrastructure.
  • Amazon Web Services (Rekognition and Textract)
    Automated image analysis and document text extraction for operational features configured by Customer.
    Processing locations: Australia (Sydney) primary; United States where required by specific services.

Other Service Providers

  • Google Maps Platform (Maps and Places APIs)
    Address autocomplete and geolocation services.
    Processing location: United States and global infrastructure.
  • Google Workspace (Gmail, Drive, Docs, Sheets)
    Business email, document storage, and internal collaboration tools used for customer support, operational administration, and limited processing of Customer Data where necessary to provide the Services.
    Processing locations: United States and global infrastructure.
  • Australian Business Register (ABR)
    Business number validation during account registration.
    Processing location: Australia.

Customer-authorised third-party integrations configured by Customer are treated as Customer-authorised recipients or sub-processors as applicable.