Making IoT Data Trustworthy, Compliant, and Scalable

In this field report, we're going to explore how to ensure your IoT data is not only reliable but also compliant and budget-friendly, so you can really take things to the next level. We'll be diving into a combination of device attestation, which includes RATS and EAT, along with EPCIS 2.
There are no event models right now, and we’ve got some Ethereum Layer 2 data blobs thanks to EIP-4844. This message is specifically for enterprise leaders out there who are juggling industrial IoT, supply chains, and those tightly regulated operations. Hey there! If you’re looking for SOC 2-ready controls, a solid return on investment, and a straightforward procurement process, you’ve come to the right spot!

7Block Labs’ Research on Blockchain and the Internet of Things

Feeling stuck? It's totally normal to experience frustration when you're searching for answers. But don’t worry, there’s usually evidence out there that can help clear things up! Keep digging, and you'll find what you need.

Pain: “Our devices report thousands of readings, but none of it survives audit.”

You've got gateways all set up with MQTT brokers, you've introduced OPC UA in your facilities, and you've even rolled out EPC tags with a bunch of different suppliers. But then the QA team shows up and asks you to "trace who dealt with pallet X, check the cold chain, and make sure the devices were secure." Suddenly, you're left trying to juggle data from five different systems, and it feels like you're stuck in a maze with no clear way out. Dealing with EPC scans and keeping everything in sync with your partners is a real headache, isn't it? Plus, those MQTT retain settings you’ve got don’t quite capture the whole story when it comes to provenance. And let’s not even get started on your ERP; it seems to struggle with telling whether that “data” is from a trustworthy device or if it’s been compromised. What a hassle! Oh, and we can’t overlook the fact that those storage fees and L1 gas costs have really made it tough for previous on-chain projects to make sense financially. It's been a bit of a dealbreaker, to be honest.

Specific Blockers We're Seeing in the Field:

• Device Identity Issues: Honestly, device identity isn’t great at the moment. It’s a bit flimsy, to be honest. So, we’re dealing with some shared TLS credentials and generic keys, which kind of complicates things. Basically, there’s no real way to prove that your reading is tied to a specific firmware or build. It's like trying to find a needle in a haystack!
• Inconsistent Event Models: You know, it's interesting how event modeling really differs from one vendor to another. It can be pretty inconsistent! For example, EPCIS 1. So, you know how x messages don’t really do a great job of capturing sensor context? Well, it turns out that OPC UA data models also have a tough time maintaining consistency when you’re trying to work across different clouds.
• Compliance Timelines: So, when it comes to compliance stuff, we’re looking at requirements like the DSCSA in the U.S. The EU Battery Passport and related regulations are pushing for better traceability at the unit level and making sure that data exchange is trustworthy. Let’s chat about how we really need more than just CSV files and screenshots to get the job done. If you want to dive deeper into this topic, you can find more info here. It’s definitely worth a look!
• Challenges with Blockchain PoCs: We've run into some bumps with earlier blockchain proof-of-concepts, mainly because they were storing raw data directly on Layer 1 or as calldata. As a result, costs have shot up, and there's a real risk of personal information getting leaked.

Agitation: the risk is not “technical debt”; it’s missed revenue and enforcement

So, the DSCSA is finally getting into full swing with its phased enforcement. That basically means it's time to focus on having reliable, electronic tracing for packages at the individual level. The FDA has approved a few specific exemptions for different groups. For instance, manufacturers are getting a little leeway until May 27, 2025. Wholesalers have until August 27, 2025, to catch up, while larger dispensers have a bit longer, with a deadline of November 27, 2025. And for the smaller dispensers, they have until November 27, 2026. It's definitely good news for those folks! Just a heads up - when we say “exemption,” it doesn’t mean “delay.” “If you’re not prepared, your product flow might just come to a screeching halt. And if you can’t show that you’re following the rules, brace yourself for potential write-offs and the headache of dealing with investigations.” Take a look at this link: (fda.gov). It’s got some pretty useful info!

Hey there! Just wanted to give you a heads up about something happening in the EU. They've got this Battery Regulation in the works, and they're planning to introduce a Digital Battery Passport by February 18, 2027. Exciting times ahead! You’ll be able to access this with a QR code, and they’re stepping up their game with some new due diligence and labeling rules that will kick in between 2026 and 2028. If you let this slip by, you might find yourself missing out on the EU market -- and that’s a big deal, especially if you're involved in the EV or industrial sectors. More info here: (airdbase.io).

• Simply telling someone to "log it" for data lakes isn’t going to fly when legal issues come into play. So, without having signed device attestation right at the edge and some kind of standardized event vocabularies--like, you know, EPCIS 2--it’s a bit tough to keep things running smoothly. If you find yourself in a situation where you need to prove custody, location, or condition with rock-solid confidence, it can really feel like you're in a bind. Check this out: (gs1.org).
• You know, costs can sneak up on you without you even realizing it. Before the Dencun update rolled out, Layer 2s were covering a hefty chunk--between 73% to 90%--of the costs for calldata data availability. But after EIP-4844 came into play, we've seen fees drop dramatically, plummeting by as much as 96% to 98% on the larger Layer 2 networks. Quite a game changer, right? Just remember to organize your data into blobs, and make sure to keep those raw payloads off-chain! If you don’t take the time to redesign your pipeline, you might be spending way more than you need to on every device event. Want the inside info? Check it out here: (thedefiant.io).

To sum it all up: we’ve got missed deadlines, shipments getting stuck, and expensive rework piling up. This isn’t just a lab problem; it really hits the wallet hard.

Solution: 7Block Labs’ “Attested Events + Cheap Commitments” architecture

We're all about providing top-notch regulatory-grade provenance without breaking the bank, especially when it comes to Layer 2 costs. "We've got a pretty cool approach that mixes verified device identities with standardized events, and we're doing it all without breaking the bank when it comes to on-chain commitments." Plus, it’s built to easily tackle SOC 2 and procurement reviews, so you won’t have to worry about getting stuck with a vendor.

Core Principles:

• **Rely on the device (RATS/EAT), not just the connection. We're looking to build on the IETF RATS architecture (you know, RFC 9334) and incorporate Entity Attestation Tokens (RFC 9711) to ensure that every reading is backed up by hardware and firmware claims, all signed right at the source. If you want to learn more about it, check it out here.
• Make the event consistent (EPCIS 2.0). 0 + CBV). Let’s nail down the basics: the “what, when, where, why, and how.” We can do this by using JSON-LD, adding some sensor extensions, and setting up REST APIs for capturing and querying data. It's really about keeping track of devices, lots, and certifications in a way that’s consistent for everyone involved. You know, making sure all our partners are on the same page. If you want to dive deeper into the specifics, just click here to check it out!
• Make affordable commitments and check them quickly (EIP-4844). Hey, how about we toss those hashes and Merkle roots into the L2 blob space? We can keep the evidence off-chain in some secure storage. Sounds like a solid plan, right? This approach lets us make sure everything’s secure without sharing any personal details or accumulating extra costs. If you want more details, you can check out the info here.

Reference stack (battle-tested components)

Edge and Gateway

• Attestation: So, we’re diving into EAT (that’s CBOR/COSE for those in the know) and discussing things like device claims. We’ll cover stuff like UEID, boot measurements, and the different software versions. It's all about getting in sync with the RATS roles: you've got the Attester, the Verifier, and the Relying Party. If you want to get into the nitty-gritty, check it out here.
• Industrial Connectivity: Picture this: you've got OPC UA PubSub cruising along on MQTT v5, and it’s all secured with TLS. We're talking about those sweet ports--mqtts on 8883 and wss on 443. We've set up shared subscriptions to help balance the load, and when necessary, we’ve got end-to-end user authentication security measures in place to ensure everything stays secure. If you want to dive into the details, you can check them out here.

Data Modeling and Exchange

• **EPCIS 2. 0 Event Services: So, here’s the deal-- we’re using REST to grab and look up data, and we’ve got JSON-LD in the mix, which features those cool sensor and certification fields. Everything’s connected through Digital Link URIs, making it all work seamlessly together! Here’s a thought: it’s way better for downstream ERP and WMS systems to hook up using established standards rather than relying on those awkward custom CSVs. Take a look at it over at gs1.org!
• Pharma Profile: This one's focused on unit-level serials, ensuring our exchanges are right on track with what the DSCSA expects. We can totally take advantage of those exemption windows to make sure everything keeps running smoothly, even when we're working at a large scale. If you want to dive deeper into this, check out the guidelines available on fda.gov. There’s a lot of useful info there!

On-Chain Attestation and Commitments

• Ethereum L2 + EIP‑4844 Blobs: So, these blobs are pretty cool. They work by regularly posting commitments (you can think of them like Merkle roots) for batches of EPCIS events and the outcomes of EAT verifications. So, with this multi-dimensional fee market going on, blob pricing ends up being pretty well separated. Plus, since blobs get pruned after about 18 days, this whole setup really vibes with the “commitment not content” idea. If you want to explore the nitty-gritty details, just click here. Enjoy the read!
• Attestation Registry: If you're looking to manage device and certificate schemas and deal with revocation signals--both on-chain and off-chain--be sure to check out the Ethereum Attestation Service (EAS). It's a solid resource for all that stuff! It's a super helpful tool for staying organized! If you want to dig deeper, just head over to attest.org for more details.

Compliance and Audit

• SOC 2 Type II alignment: This involves a whole bunch of stuff, including how we manage changes to our smart contracts, the way we control access, and how we respond to incidents. Plus, we make sure our record-keeping is tight for attestation and verification purposes. Don’t forget to match up your device capabilities with NISTIR 8259A/B. And if you’re in the market for some new gear, be sure to double-check procurement against SP 800-213/213A, particularly if you’re a federal buyer. It's super important! If you want to dig deeper into the topic, check it out here: nist.gov. There's some great info waiting for you!

Where 7Block Fits In:

We’ve got you covered with our all-in-one delivery approach! Check out our custom blockchain development services and web3 development services to see how we can help bring your ideas to life.

• We can easily link up your event pipelines with ERP, WMS, and PLM systems through our blockchain integration. It’s super smooth and hassle-free! We offer some cool on-chain solutions, including L2 options and EAS schemas. You can check out our work in smart contract development and cross-chain solutions development. We’ve got you covered when it comes to your security and compliance needs with our security audit services.

How the data flows (step-by-step)

1) Device Boot and Attestation

Alright, so the device starts off by checking its boot state and firmware. In the meantime, the gateway collects the EAT using COSE. They gather a bunch of details, like the UEID, software versions, info on the security lifecycle, and timestamps. If you want to dive deeper into it, you can find more information right here. Happy exploring!

So, once that’s done, the gateway jumps in to check the EAT with a Verifier, in line with RATS. It holds onto the Attestation Results for a bit, but just for a short while. Only the devices we trust are allowed to share their operational data. If you want to dive deeper into the details, just check it out here.

2) Operational Events

So, the OPC UA PubSub publisher is busy sending out all that sensor data, and then the gateway swoops in and works its magic by turning it into EPCIS 2. Pretty cool, right? Zero events, but we've got all the sensor extensions you could need, including ones for temperature and shock. If you want to dive deeper into EPCIS, just click here for more info!

To keep everything running smoothly, we’re using MQTT v5 with shared subscriptions. This setup really helps spread out the workload among our gateway consumers. Scaling just got so much easier! If you want more details, check them out here. Trust me, it’s worth a look!

3) Provenance and Commitments

For every batch we handle, we whip up a Merkle tree by combining the EAT result hash with the EPCIS event hash. It's a pretty efficient process! Next, we take the Merkle root and upload it into an EIP-4844 blob on our chosen Layer 2 solution. We pick this Layer 2 based on factors like cost and how well it meets our service level agreement (SLA). We also make it a point to register the device identities and their certification details in EAS. So, by doing this, we can say, “Hey, device firmware X was checked out at time T.” This little note comes in super handy for when we need to do those cross-app authorization checks later on. (attest.org).

1. Query and Audit

• Auditors and partners are diving into the EPCIS 2. We’ve got this cool API that lets you check things out! It shows that certain unit events are included by using Merkle proofs that connect to on-chain roots. Pretty neat, right? No need to stress--your personal info never actually gets recorded on the chain.

Cost math (why blobs matter)

Alright, so here’s the deal: a single blob is roughly 128 KiB, and its price comes from a different market that deals with what's called “blob gas.” Ethereum's aiming for about 3 blobs per block, but it can go up to 6 if needed. It's using an adjustment process that's kind of like what we saw with EIP-1559. Lately, it’s been pretty interesting to see that the cost of submitting a blob has been hanging around zero bucks. 10 and $3. Sure thing! It really all comes down to how much demand there is. (eips.ethereum.org). So, if you've got a normalized event that’s around 200 bytes (that covers the CBOR and hash references), you can actually fit around 640 of those events into one single blob. Pretty neat, right? So, it looks like the blobs are hanging out at a cool $0. So, if you break it down, 25 each comes to about 0 bucks. It's roughly $0.00039 for each event, or you could say it's about four-tenths of a cent. That's 39 events happening for every 1,000. When we batch things up and compress them, we usually manage to bring the cost down to less than zero. 20 for 1,000 events. Wow, after the Dencun upgrade, it’s amazing to see that user fees on Layer 2 just plummeted by about 96-98% across the big rollups. That's a huge drop! So, if you’re using blobs correctly, data availability (DA) isn’t going to be your biggest expense anymore. Pretty cool, right? (thedefiant.io).

Pragmatic patterns we recommend (and implement)

• Device identity: Instead of using those random JWTs, let's switch to EAT (RFC 9711) mapped to RATS (RFC 9334). It makes way more sense! We should also package the EAT evidence into profiles that are super easy to understand (think NISTIR 8259A/B). This way, when we're evaluating vendor devices during the RFP process, we can do it more efficiently and effectively. (ietf.org).

When it comes to industrial transport, go for OPC UA PubSub over MQTT v5 with TLS (mqtts) for those longer stretches across WAN or the cloud. This setup helps maintain the end-to-end security of OPC UA where it really matters. Plus, don’t forget about shared subscriptions--they're a great way to scale things out horizontally! (reference.opcfoundation.org).

• Event model: Let’s go with EPCIS 2. Hey, let's streamline things a bit! Instead of making new schemas for every vendor, why don't we just use 0 and CBV to capture sensor metadata, certifications, and Digital Link URIs in JSON-LD? It’ll save us a lot of hassle! (gs1.org).
• On-chain policy: Make sure to use EAS schemas for things like "allowed publishers," "verified firmware," and "calibration certificates." "Instead of relying on fixed allowlists, go ahead and authorize things based on attestations." (attest.org).
• Data Minimization: Keep those commit hashes and Merkle roots on the blockchain, but for the actual evidence, let’s stash it away off-chain in secure locations where only the right people can access it. This approach really fits well with SOC 2 and takes privacy into account right from the start.
• EU market: When it comes to batteries, we need to whip up some QR codes that link to a controlled registry. This registry should include signed content hashes and specific fields that we can choose to share. It's all about gearing up for those Battery Passport requirements coming in 2027! (airdbase.io).
• Pharma: Don’t forget to implement those unit-level DSCSA trace semantics in EPCIS! It’s a great time to test how well your partners are connecting, especially with those DSCSA exchange volumes. Make the most of those FDA enforcement windows we've got right now! (tracelink.com).

Example: Cold‑chain pharma (DSCSA)

Objective

So, what we really want to prove is that this particular vial kept its temperature between 2 and 8°C from the time it was filled all the way until it was handed out. Oh, and let's just double-check that all the temperature readings came from trustworthy devices. We want to make sure we're working with solid info!

• Edge: The sensors are pretty active, sending out readings every minute. The gateway takes a look at the device's EAT and keeps track of the Attestation Results. (ietf.org).
• Events: Whenever there's a handoff or a change in temperature, we make sure to record those moments as EPCIS 2. There haven't been any events with sensor extensions so far. Our partner WMS gets this info via REST. (gs1.org).
• Commitment: So, every five minutes, we whip up a Merkle root by combining the Attestation Result with the EPCIS event hashes. Then, we anchor that root in an L2 blob. Pretty neat, right? (eips.ethereum.org).
• Audit: If a dispenser focuses on pallet XYZ, we’ll gladly supply the Merkle proofs and EAT verification logs. DSCSA auditors have the ability to cross-reference all the details with EPCIS data from different manufacturers and wholesalers. Since the FDA is taking a phased approach to enforcement, you can start implementing this right away and grow your network over the next few years, up until 2025-2026. (fda.gov).

What We're Aiming For:

You can expect lot investigations to be super quick now--like, we're talking ten times faster! Instead of taking days, we're getting it done in just minutes, and that's all thanks to deterministic proofs. How cool is that?

• We’re making sure to keep our on-chain commitment costs at zero dollars. That's 50 out of every 1,000 events.
• We're working on creating solid evidence trails that meet SOC2 standards. This should really help make GxP audits a whole lot easier.

Example: EU Battery Passport (2027)

Objective

How about we whip up a digital passport that's a breeze to access? Just imagine scanning a QR code that instantly pulls up all the info you need, showing a verified history and the current condition of the item. Sounds pretty convenient, right?

• Identity: Let's give organizations and different device types their own unique DIDs. When it comes to things like attestations--like manufacturing details, materials certification, or even tracking carbon footprints--we can use EAS for that. (w3.org).
• Events: Now featuring EPCIS 2! Sure thing! You can easily track things like serialization, packing, bundling, shipping, and maintenance. Plus, you can keep tabs on what happens when a product reaches the end of its life. Plus, you can easily connect your certifications using Digital Link URIs. (gs1.org).
• Commitment: We'll stash away some Merkle roots in L2 blobs every now and then. So, when you scan a QR code, it'll lead you to a registry that verifies proofs against the on-chain root. So, those passport fields? They can be customized depending on the role you’re in--whether you’re looking at public info, working with authorities, or just dealing with folks who have a genuine reason to know. (batteryregulation.eu).

Outcome We Aim For:

• We're working on getting into the EU market by making sure our data aligns with the article requirements. It needs to be well-structured, easy to update, and accessible through QR codes, all by the deadline of February 18, 2027.
• We've made sure that costs are easy to predict for each pack because on-chain storage only keeps the commitments and not the actual content. If you want to dive deeper into this topic, check it out here.

Developer view: two code snippets we actually use

1. Solidity: Think of it as a straightforward "commit-and-verify" Merkle registry that leverages EIP-4844 blobs for making sure data is available (DA). This contract keeps an eye on batch roots and individual batch salts to make sure we don’t fall victim to those sneaky cross-batch replay attacks.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

contract AttestedBatchRegistry {
    event BatchCommitted(uint256 indexed batchId, bytes32 merkleRoot, bytes32 salt, address indexed committer);

    struct Batch {
        bytes32 root;
        bytes32 salt;
        uint64  ts;
        address committer;
    }

    mapping(uint256 => Batch) public batches;

    function commitBatch(uint256 batchId, bytes32 merkleRoot, bytes32 salt) external {
        require(batches[batchId].ts == 0, "batch exists");
        batches[batchId] = Batch({
            root: merkleRoot,
            salt: salt,
            ts: uint64(block.timestamp),
            committer: msg.sender
        });
        emit BatchCommitted(batchId, merkleRoot, salt, msg.sender);
    }

    // Verify a leaf = keccak256(EAT_result_hash || EPCIS_event_hash || salt)
    function verifyLeaf(
        uint256 batchId,
        bytes32 leaf,
        bytes32[] calldata proof
    ) external view returns (bool ok) {
        Batch memory b = batches[batchId];
        require(b.ts != 0, "no batch");
        bytes32 computed = leaf;
        for (uint i = 0; i < proof.length; i++) {
            computed = computed <= proof[i]
                ? keccak256(abi.encodePacked(computed, proof[i]))
                : keccak256(abi.encodePacked(proof[i], computed));
        }
        return computed == b.root;
    }
}

EPCIS 2.0 Capture (JSON‑LD) Fragment for a Temperature Excursion Event

Check out this useful JSON-LD snippet that records a temperature excursion event. It even includes all the sensor details you need for your audit trail!

{
  "@context": "http://www.w3.org/ns/ldp",
  "@type": "TemperatureExcursionEvent",
  "eventTime": "2023-10-15T14:30:00Z",
  "eventTimeZone": "UTC",
  "eventID": "event12345",
  "sensor": {
    "@type": "TemperatureSensor",
    "sensorID": "sensor67890",
    "sensorLocation": "Warehouse A",
    "temperature": {
      "value": -5,
      "unit": "Celsius"
    },
    "timestamp": "2023-10-15T14:00:00Z"
  }
}

Go ahead and make any changes you think are necessary!

{
  "@context": ["https://gs1.github.io/EPCIS/epcis-context.jsonld"],
  "type": "ObjectEvent",
  "action": "OBSERVE",
  "eventTime": "2026-01-27T13:23:54Z",
  "epcList": ["urn:epc:id:sgtin:0037000.123456.400"],
  "readPoint": {"id": "urn:epc:id:sgln:0037000.00729.0"},
  "bizStep": "shipping",
  "disposition": "damaged",
  "sensorElementList": [{
    "sensorMetadata": {
      "time": "2026-01-27T13:23:54Z",
      "deviceID": "did:example:gw-0083",
      "rawData": "hash://sha256/3a...fd"  // pointer to EAT evidence bundle
    },
    "sensorReport": [{
      "type": "gs1:Temperature",
      "value": 9.2,
      "uom": "CEL",
      "minValue": 2.0,
      "maxValue": 8.0
    }]
  }]
}

EPCIS 2. 0 is all about simplifying things by supporting JSON/JSON-LD syntax and incorporating sensor data fields. This really helps things run smoothly when it comes to capturing data, and it definitely makes collaborating with partners a whole lot easier! Take a look at this link: (gs1.org). You’ll find some interesting stuff there!

Why this “just works” in production

• First Things First: We start with some key guidelines: EAT (RFC 9711) and RATS (RFC 9334). These really focus on keeping things simple and avoiding any custom attestation. Also, there's EPCIS 2. 0 sets the stage for how we understand the semantics of supply chain events. Oh, and we can’t overlook OPC UA PubSub over MQTT! It's such a game-changer for connecting your shop floor to the cloud, and it does a fantastic job of keeping everything secure. It really makes managing data a breeze! (ietf.org).
• Affordable and Predictable Costs: With EIP-4844 introducing the blob market, we now have a cool split between data availability and execution gas. This makes budgeting a lot easier! After the Dencun upgrade, there was a significant decrease in L2 fees when people started using blob-based DA.
  It's a win-win! (eips.ethereum.org).
• Solid Governance for Big Businesses: We focus on aligning your device and data requirements with NISTIR 8259A/B and SP 800-213A. It’s all about making sure everything fits together smoothly! And we've got those audit trails and change management processes in place that really keep the SOC2 reviewers and vendor risk teams satisfied. (nist.gov).

How we run a 90‑day pilot (with procurement in mind)

We're really honing in on specific areas for our pilot projects, like a cold-chain SKU, a battery pack line, or even a specific plant cell. It’s all about zeroing in on those key lanes to see how we can make the biggest impact! What you get out of this are products that are ready for real-world use, not just some fancy lab experiments.

• Workstream A -- Device Identity and Policy.
• How about we start by weaving EAT into the gateway from the get-go? Let's get a Verifier up and running, and we’ll also need to finalize our enforcement policy: if there's no attestation, then there’s no publishing. ”. We'll dive into creating schemas in EAS for device, firmware, and certificate attestations. Plus, we’ll nail down some reliable revocation paths while we’re at it! Take a look at it over at attest.org!
• Workstream B - Event normalization and exchange. Alright, so the next thing on our list is to align our current telemetry data with EPCIS 2. Let's dive into that!

0. After that, we’ll get those capture and query endpoints up and running, and we’ll link them to our ERP and WMS systems. Alright, for our industrial lines, let's roll out OPC UA PubSub over MQTT v5 with TLS. We should also include shared subscriptions to make sure we can manage the consumer scale effectively. Sounds good? If you're looking for more details, you can check it out right here: docs.oasis-open.org. There’s a lot of helpful info waiting for you!

• Workstream C - Commitments and Proofs. We'll choose an L2 that fits our SLA and then dive into setting up blob-based batch commits. Plus, we'll make sure to roll out those Merkle proof APIs while we're at it. Just a quick reminder: we really value your privacy here! Only hashed info will make its way onto the chain, and all evidence bundles will be kept in secure, governed storage.

And that's a wrap! Let's go ahead and tie everything up with: We've got SOC2-aligned runbooks that dive into key areas like access control, key management, and incident response. You'll want to gather procurement packets that consist of the Statement of Work (SOW), the security posture, data flow diagrams, and the RACI chart. Hey, just so you know, you can totally check out our security audit services before we go ahead with any expansion plans. It's a great way to make sure everything's secure!

Proof: GTM metrics we track and commit to improve

We take those tricky cryptography ideas and break them down into CFO-friendly KPIs. We even provide baseline measurements and targets, so you can check in on your progress by week 12. It's all about making it easier for you to understand and track!

Operational and Compliance

• Unit-level traceability coverage: We're shooting for more than 99%. Out of all the units we shipped, only about 5% ended up having verified device events.
• DSCSA/EU passport readiness: We should definitely keep tabs on our partners, especially when it comes to the percentage of them successfully passing those EPCIS 2 requirements. We've got zero interop tests so far, and we’re also looking at the percentage of QR records that are actually resolving with valid proofs. Hey, just a quick reminder that we’ve got some important deadlines coming up. We need to keep in mind the FDA's phased schedule for 2025-2026, along with the EU's deadline set for February 18, 2027. Let’s make sure we stay on top of this! If you're interested in getting the full scoop, you can find more info right here.
• MTTR for lot investigations: We're aiming to reduce the average time it takes to resolve issues from days to under 30 minutes by using deterministic proofs.

Cost and Performance

• Cost per 1,000 events (on-chain): We're shooting for under $0. 50 using EIP-4844 blobs. We've got everything all documented, and we've even got live dashboards to keep everything transparent and easy to follow. Take a look at this link: datawallet.com. You'll find some interesting info there!
• Ingestion latency p95: We're aiming to keep it under 5 seconds--from the moment the data hits the field to when it gets confirmed on the chosen L2.
• Cloud egress and storage differences: We're taking a look at the difference between a commit-only chain setup and just having the raw data hanging out on-chain.

Security and Governance

Hey team! We’ve finished the SOC2 control mappings for change management, logical access, and key custodianship. We're shooting for over 95% completion by week 8. Let’s keep the momentum going!

• Monitoring device posture changes: We're keeping tabs on how many devices aren't passing their attestation checks, and we're making sure to block those at the gateway. What's the plan? We're aiming for a weekly trend that's headed right down to zero!

Commercial

• Procurement cycle time: By week 4, you’ll have everything you need to make a decision all set up in a handy packet. You’ll also get a master build of our blockchain integration artifacts, which you can easily reuse with different vendors.
• Partner onboarding lead time: Speed is key! With EPCIS 2, we're focusing on getting things done quickly. With zero templates and EAS schemas in place, we’re looking at days to get partners set up instead of dragging it out for months. How great is that?

Emerging practices to future‑proof your roadmap

Why not think about using DIDs for different organizations and all sorts of devices? Pairing them with EAS could really give you the edge with portable, revocable attestations. It’s a combo that could streamline things nicely! This combo really helps reduce “allowlist drift” and makes it a lot quicker for partners to get onboard. (w3.org). When you're connecting to MQTT or the cloud, make sure you stick with OPC UA semantics. It might be tempting to just go for “raw JSON + a bunch of random topics” for the sake of convenience, but if you want those reliable end-to-end data models, it’s really worth it to stay true to OPC UA. Trust me, it pays off in the long run! (opcfoundation.org). When you’re dealing with DA, totally skip the calldata and go straight for the blobs. They’re definitely the better option! Try adjusting your batch sizes a bit to keep blob utilization near your target. This can really help with keeping those fees steady! (eips.ethereum.org). Hey pharma team, just a quick reminder: don’t forget to really put your EPCIS throughput to the test during those hectic holiday times. It’s super important to see how it holds up when things get crazy, not just when you’re in a quiet lab setting.
The FDA really wants to make sure you’re prepared for the actual challenges out there, not just filling out forms and checking things off a list. (fda.gov). When you're working with batteries, it's a good idea to set up your QR landing pages like registries. This way, they can check inclusion proofs right on the client side. Trust me, static PDFs just won't do the trick! According to the EU guidelines, it looks like you should be using structured data objects with specific access scopes rather than just relying on plain old documents. (airdbase.io).

Where to start with 7Block Labs

Alright, let’s dive in and kick off the pilot project with our fantastic dapp development and smart contract development teams! Hey, if you're thinking about expanding into cross-partner ecosystems, we’ve got you covered with our cross-chain solutions development. Whether you’re interested in multi-L2 setups or consortium-ledgers, we can definitely help you out! If your project includes tokenized entitlements--like warranties or carbon disclosures--we’ve got you covered! We can easily integrate asset tokenization into your plans, all while making sure compliance is our number one focus.

You’ll end up with a SOC2-aligned pipeline that’s super easy for your procurement team and regulators to understand. Plus, the finance team will be able to figure out the costs without breaking a sweat!

Book a 90-Day Pilot Strategy Call

Are you all set to move forward? Let’s schedule a strategy call that will take around 90 minutes. Alright, this call is really going to help us lay down a solid game plan for the next three months. Feel free to click the link below and pick a time that suits you best!

Schedule your call here!

Don't pass up the opportunity to grab some personalized insights that could really shake things up for you! I can’t wait to chat with you!

References (selected standards and market updates mentioned above)

• **EPCIS 2. You’ve got access to a bunch of features and APIs from GS1.
  (gs1.org).
• Timelines for DSCSA stabilization and exemptions (FDA and industry). (fda.gov).
• EU Battery Passport (Reg. 2023/1542) timeline. (airdbase.io).
• So, let's talk about EIP‑4844, also known as the blobs. This spec is super important, especially when considering how it affects Layer 2 fees after the Dencun upgrade. (eips.ethereum.org).
• MQTT v5 shared subscriptions: Let's dive into what shared subscriptions mean in MQTT version 5. It’s pretty cool because it allows multiple clients to share the work of receiving messages, making it a lot more efficient.
• OPC UA PubSub over MQTT details: Oh, and when it comes to OPC UA PubSub over MQTT, there’s a bunch of important stuff to consider. This combo really enhances communication in IoT applications, and it’s worth looking into how it all plays together. (docs.oasis-open.org).
• So, we've got the RATS architecture (that's RFC 9334 if you want to dive into the details) and then there's EAT, which stands for Evidence Attestation (and you can check it out in RFC 9711). (ietf.org). You should definitely check out NISTIR 8259A/B and NIST SP 800-213/213A if you're looking into IoT procurement or security profiles. They're really useful resources! (nist.gov).
• Ethereum Attestation Service (EAS) is a go-to for managing schema and attestation registries. (attest.org).

Book a 90-Day Pilot Strategy Call

Are you ready to jump in? Let’s set up your 90-Day Pilot Strategy Call! This is a great chance for us to chat about your goals and create a personalized game plan that’s just right for you. Can't wait to get started!

Hey, you really don’t want to pass up on this opportunity! It's a great chance to gather some useful insights and get some practical steps you can take. Let's get started!.