Define a chain-of-custody event schema including: event type (handoff, departure, arrival, temperature check, excursion, disposition), timestamp UTC, location (GPS or facility ID), actor (carrier SCAC or employee ID), shipment ID, and logger device IDs active at event time
On each handoff event, collect the outgoing party's digital signature (e.g. carrier driver scan or digital acceptance confirmation from carrier API); record as a Base64-encoded field alongside the event
Store each event as an immutable append-only record using Amazon QLDB or equivalent ledger database; reject any update or delete operations at the application layer; use QLDB's built-in document hash chain for tamper evidence
Compute a SHA-256 digest of the serialized event payload before writing; store the digest with the record so downstream consumers can verify payload integrity without relying solely on the database layer
At shipment completion, generate a chain-of-custody report by querying all events for the shipment in sequence order; include the MKT calculation result, all excursion events with duration, and all handoff signatures in the final report
Export the complete chain-of-custody package as a signed PDF or structured JSON document and store it in a long-retention archive (minimum 7 years for GDP-regulated pharmaceutical shipments)
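Added example (not part of the original route and not any vendor's code): a minimal Python sketch of steps 1, 2, 4 and 5, showing the event record, a SHA-256 digest over a deterministic serialization, and a report that re-verifies every record. The field names, the seq ordering key and the sample IDs are assumptions made for illustration.

```python
import base64, hashlib, json
from datetime import datetime, timezone

# Event types listed in step 1 of the page.
EVENT_TYPES = {"handoff", "departure", "arrival", "temperature check",
               "excursion", "disposition"}

def canonical_bytes(payload):
    # Deterministic serialization (sorted keys, no whitespace, UTF-8) so the
    # writer and every downstream verifier hash exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def make_record(seq, event_type, ts, location, actor, shipment_id,
                logger_ids, signature=None):
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event_type}")
    if ts.utcoffset() is None or ts.utcoffset().total_seconds() != 0:
        raise ValueError("timestamp must be timezone-aware UTC")
    payload = {
        "seq": seq,  # assumed field: ordering key for the final report
        "event_type": event_type,
        "timestamp_utc": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "location": location, "actor": actor, "shipment_id": shipment_id,
        "logger_device_ids": sorted(logger_ids),
        "signature_b64": base64.b64encode(signature).decode() if signature else None,
    }
    return {"payload": payload,
            "sha256": hashlib.sha256(canonical_bytes(payload)).hexdigest()}

def verify_record(record):
    # Recompute the digest from the payload; False means the payload changed.
    return hashlib.sha256(canonical_bytes(record["payload"])).hexdigest() == record["sha256"]

def custody_report(records, shipment_id):
    # One shipment's events in sequence order, plus any records failing the check.
    events = sorted((r for r in records if r["payload"]["shipment_id"] == shipment_id),
                    key=lambda r: r["payload"]["seq"])
    return {"shipment_id": shipment_id,
            "events": [r["payload"] for r in events],
            "handoff_signatures": [r["payload"]["signature_b64"] for r in events
                                   if r["payload"]["event_type"] == "handoff"],
            "failed_integrity": [r["payload"]["seq"] for r in events
                                 if not verify_record(r)]}

# Constructed sample data (not from the page).
T0 = datetime(2024, 1, 5, 8, 30, tzinfo=timezone.utc)
SAMPLE = [make_record(2, "handoff", T0, "FAC-002", "ABCD", "SHP-1", ["LOG-A"], b"sig"),
          make_record(1, "departure", T0, "FAC-001", "EMP-1001", "SHP-1", ["LOG-A"])]
```

The stored digest only detects payload changes made by someone who cannot also rewrite the digest field, so it complements the ledger's hash chain rather than replacing it.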
Known gotchas
QLDB tables do not natively enforce append-only semantics at the SQL layer; an application with IAM write permissions can still issue qldb:SendCommand to update documents; enforce immutability by granting the ingestion role only PartiQL INSERT permissions and auditing the IAM policy
Digital signatures from carrier driver apps are typically images (handwritten signature captures), not cryptographic signatures; these satisfy customer delivery confirmation requirements but are not equivalent to electronic signatures under 21 CFR Part 11 for regulated pharmaceutical use
Chain-of-custody gaps occur when a shipment is briefly in the custody of a drayage carrier or transloading facility that lacks a digital handoff workflow; always record an unverified-handoff event with the last known carrier at the gap boundary rather than silently omitting the gap