Security & privacy

Web protocols

All data sent to or from SETLS is protected by TLS 1.2 or above.

Authentication & password management

SETLS uses a form-based authentication ~~scheme.~~where ~~The~~the password is sent as a POST ~~parameter over the secure HTTPS connection.~~parameter.

Passwords are stored hashed in the database, and cannot be retrieved by the SETLS team. Passwords can be reset by any user with administrative permissions:

by sending a password reset email to the member, or
manually entering the new password

Email configuration

-SETLS ~~Forms~~sends ~~authentication~~
○emails ~~Password~~to asmembers or toy library staff for a ~~POST~~variety ~~parameter~~of ~~over~~reasons, ~~TLS~~including:

~~channel~~
-

~~Passwords~~

reminders to return items or attend volunteer sessions

notifications that a held item is available or membership fees are ~~stored~~due

~~hashed~~

~~Password~~

A ~~resets~~full bylist ~~email~~of the automatic emails can be found in the demonstration system.

Emails are sent with a ~~one-time~~"from" ~~token~~
○address ~~From:~~of ~~Darebin Toy Library~~ noreply@<~~noreply@darebintoylibrary.~~toylibrary>.setls.com.~~au>~~
○au. ~~Reply~~The ~~to:~~"reply ~~xxx@xxx.com~~
§to" ~~configurable~~
-address can be set from the settings page.

Emails from SETLS are sent via ~~AWS~~Amazon Simple ~~Notification~~Email Services (~~SNS)~~
○SES). ~~Bounce/complaint~~You ~~handling~~do asnot ~~per~~need ~~AWS~~to ~~guidelines~~
Noprovide ~~customer~~SETLS with access to your mail ~~relay~~server or a relay.

Sensitive data

SETLS can be used to record information about members that may be considered sensitive. This information includes:

Member details	Name	Required
	Email	Optional, required for online access
	Mobile phone	Optional, required for SMS
Home address	Street, suburb and phone	Optional
Alternate contact	Name, address and phone	Optional
Identity	Drivers license number	Optional

The following additional fields can be enabled from the settings page.

Member details

Date of birth
Healthcare card (checkbox)

Ethnicity

Language

Disability

Children

Name

Date of birth

Gender

Organisations (schools)

Name

Financial transactions

SETLS can be used to manually record member charges and payments, including membership fees and penalties.

SETLS also supports online payment of membership fees using PayPal. This requires creation of a PayPal account.

The SETLS team are currently investigating integration with Square for online and in-person payments.

SETLS servers

The following service providers are used by SETLS:

Feature	Provider	Location
Web application	Amazon	Sydney, Australia
Database	Amazon	Sydney, Australia
Email	Amazon	Sydney, Australia
SMS	Amazon	Oregon, USA