Captain sign-off: closing the custody chain at the vessel
An agent can log every handover perfectly and still be exposed, because the most important confirmation comes from the other side of the gangway. The custody chain is not closed when the agent says the parcel was delivered — it is closed when the vessel confirms it received it. Capturing that confirmation cleanly is what turns a record into proof.
Why the vessel’s confirmation matters
A delivery the agent records but the vessel never acknowledges is a half-open loop. If a discrepancy surfaces later, the agent has their word and a timestamp, but not the counterparty’s agreement. The whole point of a custody chain is mutual, contemporaneous agreement on what changed hands.
Captain sign-off closes that loop. When the receiving party on the vessel confirms a parcel, the confirmation is bound into the custody record — so the proof is not “we say we delivered it” but “both sides agreed, at this time.”
What makes a sign-off trustworthy
A confirmation is only as good as the controls around it. A trustworthy captain sign-off is:
- Attributed to a verified vessel user, not an anonymous tap.
- Scoped to the right vessel, so a confirmation cannot be applied across vessels by mistake.
- Timestamped and bound into the immutable custody chain at the moment it happens.
- Reflected on both the agent’s and the vessel’s view of the same record.
Cross-vessel confirmations are blocked by design
A captain can only confirm parcels for the vessel they are actually granted access to. SeaPillar enforces the vessel scope on confirmation, so a confirmation can never leak across vessels — a quiet but important integrity guarantee.
The dual-confirmation closeout
Closing a whole port call is bigger than confirming one parcel. SeaPillar gives the agent and the vessel a shared workspace on each vessel call — documents, threaded comments, document requests, and a closeout checklist — and the call only closes when both sides confirm.
The closeout runs on an explicit state machine: open, pending confirmation, closed. A request to close requires the checklist to be resolved; the final close requires both the agent’s and the vessel’s confirmation. Either side reopening clears both confirmations, so the call cannot drift into a half-closed state.
Reaching the captain wherever they are
Captains are not sitting in the agency’s portal. They confirm from the bridge, often on a phone, sometimes on a thin connection. The confirmation flow has to meet them there — a focused view of what needs their sign-off, not the full operational console.
When the vessel side acts, the agency is notified in-app; when the agency needs something from the vessel, the vessel is reached by email, because captains have no agency-scoped feed. The two sides stay in sync without either having to chase the other.
Frequently asked questions
- Why does the vessel need to confirm a delivery the agent already logged?
- Because a custody chain depends on mutual, contemporaneous agreement. A delivery the agent records but the vessel never acknowledges is a half-open loop — if a discrepancy surfaces later, the agent has only their own word. Captain sign-off binds the counterparty’s agreement into the record at the time of the handover.
- Can a captain confirm parcels for the wrong vessel?
- No. SeaPillar enforces vessel scope on confirmation: a captain can only confirm parcels for a vessel they are granted access to, and the confirmation is checked against that vessel. A confirmation cannot leak across vessels.
- What is a dual-confirmation closeout?
- It is a port-call closeout that only completes when both the agent and the vessel confirm. The closeout follows an explicit state machine — open, pending confirmation, closed — where requesting close requires the checklist to be resolved and the final close requires both sides’ confirmation. Reopening clears both confirmations so the call cannot get stuck half-closed.
- captain
- sign-off
- custody chain
- collaboration