# Security & privacy ### Connection security All data sent to or from SETLS is protected by [TLS 1.2](https://en.wikipedia.org/wiki/Transport_Layer_Security) or above. This provides the same level of security as online banking, government and other sites. ### Authentication & password management SETLS uses form-based authentication where the password is sent as a POST parameter. The password is transmitted securely using TLS. Passwords are stored in the database as a [salted hash](https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/), and cannot be retrieved by the SETLS team. Passwords can be reset by any user with administrative permissions by - sending a password reset email to the member, or - manually entering the new password After checking the password, SETLS creates a cryptographically-secure session cookie. This is used to identify the user when they return to SETLS using the same device, so they do not need to log in again. A user with administrative permissions can remove a logged-in session, or reset the user's password. Both actions will require the user to enter their password the next time they access SETLS. ### Email configuration SETLS sends emails to members or toy library staff for a variety of reasons, including: - reminders to return items or attend volunteer sessions - notifications that a held item is available or membership fees are due A full list of the automatic emails can be found in the [demonstration system](https://sampletoylibrary.setls.com.au/automatic_emails). Emails are sent with a "from" address of [noreply@<toylibrary>.setls.com.au.](mailto:noreply@.setls.com.au,) The "reply to" address can be set from the [settings page](https://sampletoylibrary.setls.com.au/toy_library_settings). Emails from SETLS are sent via Amazon Simple Email Services (SES). You do not need to provide SETLS with access to your mail server or a relay. ### Sensitive information SETLS can be used to record information about members that may be considered sensitive. This information includes:
**Member details***Name* *Required*
Email Optional, required for online access
Mobile phone Optional, required for SMS
**Home address**Street, suburb and phone Optional
**Alternate contact**Name, address and phone Optional
**Identity**Drivers license numberOptional
The following additional fields can be enabled from the settings page.
**Member details**Date of birth Healthcare card (checkbox) Ethnicity Language Disability
**Children**Name Date of birth Gender
**Organisations (schools)**Name
Additional information related to library operations, such as membership type, are also recorded. These can be seen in the [demonstration system.](https://sampletoylibrary.setls.com.au/signup) ### Financial transactions SETLS can be used to manually record member charges and payments, including membership fees and penalties. SETLS also supports online payment of membership fees using PayPal. This requires creation of a PayPal account. The SETLS team are currently investigating integration with Square for online and in-person payments. ### Data validation SETLS uses model-driven design and all input fields are: - Type-checked against the database - Protected from SQL injection using parameterised queries Many scenarios for business rule checking are covered by workflow operations rather than manual data entry. For example, when loaning an item, the loan and due dates are derived automatically instead of being entered manually. Model-driven design allows business rules to be centralised in the model rather than being distributed throughout the user interface. Examples include: - When changing an item location, only valid destinations are available for selection - When manually updating a loan record, the return date must be on or before the loan date ### SETLS servers The following service providers are used by SETLS:
**Feature****Provider****Location**
Web applicationAmazonSydney, Australia
DatabaseAmazonSydney, Australia
EmailAmazonSydney, Australia
SMSAmazonSydney, Australia
The list of IP address ranges currently used by the Amazon is available from [AWS IP address ranges - AWS General Reference (amazon.com)](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) The SETLS database is not currently protected by encryption at rest. This is scheduled to be resolved in 2024.