PatronPath

Security

Last updated: 2026-05-15

Security and transparency are central to PatronPath's work with libraries. This page summarizes how PatronPath handles institutional test credentials, pilot data, and access-review evidence.

PatronPath uses one or more dedicated, revocable institutional test accounts to verify approved e-resource access routes up to the authenticated landing/access page. It does not browse licensed content, collect patron data, or require library-hosted software for approved remote-access pilot routes.

PatronPath is operated by Pantomath Consultation Inc. The current operating model is a dedicated physical server that is under PatronPath's direct administrative control and is used exclusively for PatronPath operations.

Service Boundary

PatronPath is an automated access verification service for library e-resources. It simulates an off-campus patron's login journey through proxy servers, SSO portals, and vendor authentication to confirm that approved databases are reachable through the institution's authorized access route.

PatronPath stops at the vendor's authenticated landing/access page. It does not search, open records, download PDFs, stream media, or browse licensed content. This boundary is a product guardrail designed to avoid COUNTER-relevant usage events and to respect publisher terms and conditions. Pilot frequency is agreed with the library because vendor-side logging can vary.

Credential Handling

  • Credential type: One or more dedicated institutional test accounts provided by the library. These accounts may use student, faculty, staff, or other access profiles selected by the library, but they are not tied to a real user who also uses the account to access resources.
  • Transmission: Shared through a secure channel selected by the library, such as encrypted email, secure file share, or password-manager share link.
  • Storage: Stored in a configuration file on an encrypted server volume on the dedicated PatronPath server.
  • Access: Administrative access to the dedicated PatronPath server is limited to the PatronPath operator and protected with strong authentication. No shared accounts or third-party user access are used for test execution.
  • Use: Used only to authenticate during automated access checks. PatronPath verifies the authenticated landing/access page and stops.
  • Rotation: The library is encouraged to require password rotation on its chosen schedule. Expiration or password change acts as an automatic revocation mechanism.
  • Revocation: The library retains full control of the test account and can revoke or disable it at any time, immediately terminating PatronPath's access.

Infrastructure

Test execution runs from a dedicated physical server that is under PatronPath's direct administrative control and is used exclusively for PatronPath operations. Test execution does not use third-party cloud compute or contractor-operated infrastructure. Tests run over standard HTTPS, the same encrypted connection patrons use.

For approved remote-access routes such as EZproxy or OpenAthens, the pilot generally does not require library-hosted software, browser extensions, VPN access, API integrations, firewall changes, or IP allow-listing. Onsite-only or IP-authenticated-only resources are skipped during testing.

  • Dedicated physical server under PatronPath's direct administrative control.
  • Encrypted server volume for stored configuration and test-result data.
  • Strong authentication and least-privilege access for administration.
  • No shared server users or third-party access for test execution.
  • Operating system, browser, and dependency updates are applied regularly.
  • Run-level history is maintained so recurring failures can be distinguished from first-time failures.

Data Practices

PatronPath collects no patron data. It interacts only with the test account and does not intercept, monitor, or store real patron activity.

Library-facing HTML reports contain pass/fail status, screenshots of the authentication/access journey, redirect and URL evidence, timestamps, error classifications, reproduce steps, and technical diagnostics. Reports are designed to avoid patron personal data and licensed content.

Reports do not include test-account passwords or PINs. Library-facing reports may include the dedicated non-patron test account identifier or barcode when needed for troubleshooting. Vendor-ready sections are designed to minimize sensitive details, including masking credential-like URL parameters where practical, unless the library chooses to share them.

Reports are delivered as HTML files by email to designated library contacts. Where requested, PatronPath can use a library-selected secure delivery method.

Retention And Deletion

Upon pilot completion, cancellation, or written library request, PatronPath deletes the institution's active test credentials and test-result data within 48 hours, unless the library requests retention. Written confirmation is provided with a timestamp. PatronPath does not maintain backup copies of credentials or pilot test-result data. Copies already delivered to the library, vendor, or their email systems are outside PatronPath's control.

Incident Response

In the event of suspected credential compromise or unauthorized access, PatronPath disables or deletes the affected credential from PatronPath and notifies the library within 24 hours with a description of the incident. PatronPath cooperates with the library's IT security team on follow-up, and the library can independently revoke the test account at any time.

Sub-processors And Delivery Tools

Test execution runs on the dedicated PatronPath server. No third-party execution provider or contractor is used to run tests. Standard business tools, including email, may be used for communication, report delivery, secure file sharing, or contract administration. Current providers are listed at /legal/subprocessors.

Business Contact Data And Privacy

PatronPath is operated by Pantomath Consultation Inc., a Canadian company based in British Columbia. PatronPath does not require or expect patron personal data for access verification. Institutional test credentials, access-verification reports, screenshots, URLs, timestamps, and diagnostics may be processed using PatronPath-controlled infrastructure and standard business tools for pilot delivery. Business contact data for participating staff may be processed through standard business tools for communication and engagement administration. If a customer later instructs PatronPath to process personal data beyond this operating model, the applicable Data Processing Addendum governs that processing. See the Privacy Policy for details.

Responsible Disclosure

We appreciate good-faith security research. Report issues to security@patronpath.io.

  • Do: avoid privacy violations or service disruption; use your own test accounts; give us reasonable time to remediate.
  • Out of scope: DDoS, rate-limit abuse, physical attacks, social engineering, and automated scanning without throttling or consent.