What is tracked in the audit trail?

Every event is appended to a per-SOW audit trail with IP, user agent, and timestamp. Events include email sent, email opened, link opened, signed, executed, and executed email opened. A HMAC-SHA256 verification hash is appended to the PDF as an e-sign certificate, giving each executed document a cryptographic verification path.

What service blocks are available by default?

Six default service blocks seed a new tenant: web design, hosting, content marketing, citation building, AEO optimization, and PPC management. Admins can add custom sections when building a SOW, or reuse blocks from the shared library. A full-screen preview renders the document before the invitation email dispatches.

What happens to unsigned SOWs?

Unsigned SOWs expire after seven days via an hourly CloudWatch cron. An auto-reminder email nudges clients before expiry. The module also supports void-and-replace versioning for contracts that need revisions after sending, dashboard filters to find unsigned or expiring documents, and an analytics page with signing-rate metrics.

SOW Generator

Q: How does the signing flow work?

Sending a SOW generates a UUID-secured public signing URL and dispatches a branded SES invitation email. The client opens the signing page with no login required, types their name to validate it against the contract, confirms consent, and submits. The countersignature applies automatically, status transitions to executed, and both parties receive the PDF.

Abstract

The SOW Generator is an Apex module that replaces DocuSign for all client Statements of Work. An admin builds a SOW from a reusable service block library, sends a branded signing link, the client signs with name validation and full audit trail, and both parties receive an executed PDF.

Problem

DocuSign is expensive and operates outside the iSM platform stack — every signed contract requires context-switching to a third-party service with no integration into project tracking, billing, or the client portal. Service block reuse, template management, and audit history all live in separate tools.

A purpose-built SOW tool inside the client portal connects the contract lifecycle to the rest of the engagement: proposals feed directly into billing, signed documents link to project records, and the admin has visibility into unsigned SOWs before they expire.

Approach

Authoring

The admin builds a SOW by selecting service blocks from a shared library (or adding custom sections), filling client info, and setting payment terms. A full-screen preview renders the document before sending.

Sending generates a UUID-secured public signing URL and dispatches a branded SES invitation email.

Signing flow

The client opens the signing page (no login required), types their name to validate it against the contract, confirms consent, and submits. Joe's countersignature applies automatically, the SOW status transitions to executed, and both parties receive an executed PDF email.

Unsigned SOWs expire after 7 days via an hourly CloudWatch cron.

Audit trail

Every event — email sent, email opened, link opened, signed, executed, executed email opened — is appended to a per-SOW audit trail with IP, user agent, and timestamp. A HMAC-SHA256 verification hash is appended to the PDF as an e-sign certificate.

Status

Live on production at apex.isimplifyme.com/dashboard/sow since 2026-03-30.
Full enhancement suite shipped: PDF download, resend, duplicate fix, Slack/Telegram notifications, void-and-replace versioning, auto-reminder email, SOW templates, dashboard filters, e-sign certificate, and analytics page.
Six default service blocks seeded (web design, hosting, content marketing, citation building, AEO optimization, PPC management).
PDF generation on Lambda needs end-to-end verification after deploy.