Certificates of Analysis, or COAs, have become standard operating currency in regulated markets. They’re no longer just lab paperwork — they function as legal verification that a specific batch of flower or finished goods was tested and that the reported results are accurate. Every potency percentage, terpene reading, and safety panel result lives inside that document.

The problem isn’t what COAs are. The problem is how they’re handled.

Most labs send them as PDF attachments via email. From there, the process usually goes quiet and manual: someone saves the file, maybe renames it, maybe drops it into a folder, maybe leaves it sitting in their inbox. When someone needs it later — for an inspection, a recall, a pricing decision, or a QR code request — it turns into a scavenger hunt. And if the data inside that PDF needs to live in a table? That’s more manual entry, more maintenance, more friction.

Why COAs Matter Across the Business

COAs don’t just sit in compliance folders gathering dust. They influence nearly every department in the operation.

Marketing relies on them for terpene profiles, potency numbers, and verified strain names. Sales and wholesale teams use the numbers to strengthen conversations and position products accurately. Retail and operations often price or merchandise based on potency tiers. Packaging and manufacturing depend on batch accuracy to prevent mix-ups and maintain recall traceability.

Most operators store COAs in relatively manual ways — either leaving them in email inboxes, uploading them to shared cloud folders like Drive or Dropbox, logging them in spreadsheets, attaching them inside compliance or ERP systems, relying on lab-hosted portals, keeping printed binders for inspections, or using third-party QR hosting services. While these methods centralize the document itself, they typically treat COAs as static files rather than structured data. The common pattern is simple storage and retrieval, not analysis or operational integration. As a result, teams can access the PDF when needed, but they rarely unlock the deeper value inside the potency, terpene, and batch data.

Pros and Cons

When it comes to managing COAs, the decision usually comes down to control versus convenience. Third-party services offer speed and simplicity — they’re turnkey, often built specifically for compliance visibility and QR hosting. In-house systems require more setup and technical effort, but they give you full ownership of your data, structure, and long-term scalability. The real tradeoff isn’t just cost — it’s flexibility, customization, and who controls the infrastructure. Over time, that difference compounds.

Third-Party Services

Pros:

• Quick deployment with minimal technical setup

• Built-in public portals and QR hosting

• Ongoing maintenance handled externally

• Often inspection-ready out of the box

Cons:

• Monthly or annual subscription costs

• Limited customization and analytics depth

• Data control resides partially outside your organization

• Scaling features or integrations may cost more

In-House Systems

Pros:

• Full ownership and control of data and structure

• Customizable workflows tailored to your operation

• Deeper analytics and integration potential (pricing, sales, ops)

• No recurring platform fees beyond your existing tech stack

Cons:

• Requires technical setup and maintenance

• Responsibility for uptime, security, and updates falls on you

• Longer initial build timeline

• Needs internal knowledge to manage effectively

Third-party platforms are like leasing infrastructure. In-house systems are like building your own facility — more work upfront, but you control the blueprint.

Building the Google Automation Workflow

The goal of this system is simple: eliminate manual intake the moment a new COA hits your inbox.

Instead of letting PDFs float around email threads, a dedicated intake address (for example, coa@nmcdn.com) is configured as a mirrored alias. It routes directly into your primary inbox, so you’re not managing another login. Vendors send COAs there, and that’s the trigger point.

From there, Google Apps Script does the heavy lifting.

Step 1: Automated Email Capture

A background script scans for unopened emails sent to the COA intake address. When it finds one, it opens the message, extracts any PDF attachments, and prepares them for archiving.

No manual downloading. No renaming. No forgetting.

Step 2: Centralized Drive Archive

All COAs are stored inside a single shared Google Drive folder titled “COAs.” Nothing else lives there.

When the script runs, it creates a timestamped folder inside that archive and stores the PDFs within it. Files retain their original naming conventions — often including the date, lab name, and order reference — preserving the source detail while maintaining structure.

If needed, files can still be added manually, ensuring nothing is left outside the system.

Step 3: Logging & Indexing in Google Sheets

Simultaneously, the script logs each file into a master spreadsheet called the COA Library.

Inside that workbook are three key tabs:

• COA Links – the intake ledger. It stores timestamps, Drive URLs, folder names, sender, subject line, and a test/sample ID used as a relational key.

• COA Analyzer – the structured data layer, where detailed lab results are stored.

• COA Library – the consolidated operational view, combining metadata, potency, terpene insights, averages, and generated product language.

At this stage, every PDF is archived and indexed. You know where it is, when it arrived, who sent it, and how to retrieve it instantly.

But the real shift happens when AI enters the room.

The AI Extraction Layer

Once the PDFs are stored and logged, an AI instance of ChatGPT is connected to the Drive folder.

It processes each PDF individually, extracting predefined data points:

• Potency breakdown (Total THC, THCA, CBD, etc.)

• Top three terpenes

• Full terpene panel (if available)

• Sample ID / batch ID

• Test dates and metadata

• Lab identifiers

The AI outputs a structured table. That table is placed into the COA Analyzer tab, where the sample ID links it back to the metadata in COA Links.

Now the document isn’t just stored — it’s normalized. Searchable. Relational. Usable.

The final COA Library tab consolidates everything: averages, trends, and even generated frontline language derived from terpene dominance and potency profiles.

You’ve effectively converted static PDFs into a living database.

What This Enables

Once COAs are structured and centralized, they stop being paperwork and start becoming infrastructure.

You can:

• Build a compliance landing page using Google Sites that dynamically links to Drive-hosted COAs and ingredient lists.

• Generate QR codes tied to a page that updates automatically — no third-party hosting fees, no constant redesign.

• Create an AppSheet dashboard where users search, filter, and interact with COAs in real time.

• Build pivot tables in Sheets to analyze potency trends, terpene dominance shifts, lab turnaround times, or strain performance over time.

Instead of digging through folders during an inspection, you pull up a dashboard.
Instead of manually updating QR links, they update themselves.
Instead of guessing which strains consistently test higher, you can see the pattern in seconds.

The Bigger Picture

COAs are legally binding proof that a product was tested and verified. But in most operations, they’re treated like digital paperwork — saved, forgotten, and only pulled out when someone’s asking hard questions.

By automating intake, archiving, indexing, and AI extraction inside Google’s ecosystem — Gmail, Drive, Sheets, Apps Script — you create a closed-loop system that turns compliance documents into operational intelligence.

It’s not about saving PDFs.
It’s about owning your data.