Trading Partners

Trading Partner FAQ #


The FAQ here are intended for CARO users and people who have already had some exposure to CARO. If you have just discovered CARO, you might find the introductory FAQ and resources on our website helpful to get started.

CARO usage #

Do I have to upload all my trading partners to set up CARO? #

No, you do not need to pre-populate CARO with your business partners. The list of trading partners within CARO will grow organically as interactions with your CARO Enterprise Account happen. The use of verifiable credentials by CARO caters for the underlying due diligence and capturing of salient counterparty details in your audit log by design.

Are a Trading Partner’s licenses visible in the electronic credentials? #

No. Any organizational or licensing documents submitted during the credential application process are used for due diligence by the Credential Issuer but will not be disclosed in the electronic credentials.

What details are captured by CARO’s audit log? #

CARO captures transaction details, such as transaction ID, time, type, status, interacting parties. These data are securely stored in a non-public AWS database.

What data are stored on the blockchain? #

CARO stores an enterprise’s unique Decentralized Identifier (DID) on the Ethereum blockchain. The DID leads to the DID document, which may contain details on how to contact you through your CARO account (a so-called endpoint). This enables certain types of information exchange with your trading partners for a variety of business interactions.

Why can I not access a page in the CARO app? #

Certain web addresses might need to be whitelisted (allowed) by your IT system for CARO to be fully functional. Please refer to our whitelisting guide for more details.

CARO and my service provider #

Is CARO interoperable with other digital wallets and service providers? #

In short, yes as far as it is within our control.

CARO is fully aligned with OCI’s Conformance Criteria for Digital Wallets. We are interoperable with any other digital wallet that is also aligned with these criteria. This means us and them can process each other’s credentials. We cannot guarantee interoperability with digital wallets that are not OCI-aligned.

Further, there are a number of service providers that offer message routing (VRS) and are fully integrated with CARO (see for example our Partners). This means they can use CARO to facilitate product enquiries on your behalf. These VRS have their own interoperability tests to make sure they can exchange information with each other. Wallet interoperability

How do I connect my VRS to my account? #

The CARO team will do this for you once you give us the go-ahead or when your Service Provider requests a CARO account on your behalf (via API).

How do I remove my VRS provider’s account access? #

The CARO team will do this for you if we are instructed to do so. Once deactivated, the VRS will no longer be able to generate or verify DSCSA ATP Credential presentations on your behalf.

What can the VRS do with my user account? #

The VRS can fetch the credential information from your CARO Enterprise Account for inclusion into routing messages, e.g. attach the ATP credential to product identifier verification messages or suspicious product enquiries between pharmacy and manufacturer. This will not remove any credentials from your CARO Enterprise Account. They will remain available for re-use.

How are individual interactions between CARO and my service provider’s app traceable? #

CARO and your service provider both keep transaction records to provide an audit trail. Any interaction that your service provider has with CARO is mapped on either side by the same unique identifier, a so-called correlation UUID. Thus, the correlation UUID can be used to search each side’s database for individual transactions and VRS roundtrips.

Will my app process PI verification messages from trading partners without ATP credentials? #

CARO will only ever see transactions that involve credentials. However, the transaction record within your VRS provider’s app should list all interactions with other trading partners. How these are processed depends on the set-up of your VRS app. Your service provider might offer you the choice of making the use of ATP credentials by your counterparties optional or mandatory. Only if set to mandatory, should the VRS app block any further processing of counterparty messages lacking the ATP credential. Please ask your VRS provider about possible configurations.