Meeting Notes to SoW Converter
A static conversion page that turns first-meeting notes into a 90-day DEFONEOS statement of work: buyer problem, scope, data boundary, governance, success metrics, commercial route, and risks.
Converter purpose
After a meeting, the owner should be able to turn notes into a one-page statement of work without inventing scope. This page gives the slots, the guardrails, and the paste-ready output.
- Write the buyer problem before writing the solution.
- Keep scope capped to 90 days unless the buyer asks for a longer programme.
- Make data boundaries explicit. Public-source and synthetic first.
- Use a fixed-price pilot route before discussing enterprise expansion.
- If a buyer asks for certification, route to csoai-defoneos and the BFT council path.
Meeting notes intake
Fill these eight rows immediately after the call.
| Field | Question | Constraint |
|---|---|---|
| Problem statement | What the buyer actually said, in their words. | One paragraph, no sales language. |
| Scope | The smallest 90-day pilot that can prove or falsify value. | Three work packages max. |
| Data boundary | Public, synthetic, or buyer-provided data classes. | No personal surveillance by default. |
| Governance | Human oversight, audit log, red-line checks, decision record. | JSP 936 and NIST AI RMF mapping. |
| Success metrics | Operational, commercial, and assurance metrics. | Baseline plus target plus owner. |
| Commercial | Fixed price, milestones, payment terms, optional extensions. | No per-seat trap. |
| Risks | Top five risks and mitigations. | Include human gates. |
| Next step | A dated validation slot or procurement route. | One ask only. |
One-page SoW output template
Copy this into a document after filling the intake rows.
DEFONEOS 90-day sovereign pilot — draft SoW Buyer problem [Use the buyer words. One paragraph.] Pilot objective Prove whether DEFONEOS can deliver [outcome] using UK-sovereign, audit-grade, signed, neutral architecture without personal surveillance or kinetic-targeting patterns. Work package 1 — Evidence and controls - Map buyer use case to JSP 936, NIST AI RMF, ISO 42001, UK GDPR, and OSCAL evidence. - Produce a signed evidence-room bundle and red-line register. Work package 2 — Public-source integration demo - Connect only approved public, synthetic, or buyer-provided non-sensitive data. - Demonstrate Common Operating Picture, audit trail, and human oversight. Work package 3 — Assurance and procurement route - Produce go or no-go report, residual-risk register, pricing route, and next procurement vehicle. Success metrics 1. [metric] baseline [x] target [y] 2. [metric] baseline [x] target [y] 3. [metric] baseline [x] target [y] Commercial Fixed pilot fee: [choose from pricing card] Milestones: 30 percent start, 40 percent midpoint, 30 percent final acceptance Owner gates: DSP, CE Plus, SC, procurement route, buyer data access Honesty Draft only until buyer validates scope and procurement route. No endorsement, no certification, no controlled technical data.
Pilot package selector
Use this table to choose the first commercial route.
| Buyer state | Recommended package | Rationale |
|---|---|---|
| Discovery only | Technical validation sprint | Low friction, validates pain before procurement |
| Named project and budget | 90-day sovereign pilot | Buyer has need and route, but wants bounded risk |
| Security-led buyer | Evidence-room plus assurance sprint | Trust is the blocker, not features |
| Procurement-led buyer | G-Cloud or DASA route pack | Route matters more than demo |
| Prime or consortium | Referral partner letter plus SoW | They need partner-safe language and margin clarity |
Risk register starter
Every SoW needs these risks stated openly.
- Certification risk: Cyber Essentials Plus and SC are owner-gated until completed.
- Procurement risk: route may require framework listing or prime sponsorship.
- Data risk: no sensitive buyer data enters a public demo environment.
- Expectation risk: DEFONEOS is an open sovereign OS surface, not a secret MOD-accredited platform today.
- Scope risk: broad platform asks must be reduced to three work packages for a 90-day pilot.
Acceptance criteria library
Select three to five criteria only.
- All pilot pages and evidence artefacts return HTTP 200 from canonical URLs.
- Buyer receives an OSCAL-ready control map for the scoped use case.
- Human oversight log exists for every AI-assisted recommendation.
- No red-line pattern appears in demo, data, or documentation.
- Commercial next step is explicit: stop, extend, framework route, prime route, or grant route.
- A named buyer stakeholder can explain the value in one paragraph without Nick present.
Owner handover checklist
Before sending the SoW, run this checklist.
- Replace every bracketed field.
- Attach only public links or buyer-approved private artefacts.
- Check the pricing card matches the package selected.
- Check the evidence-room link is live.
- Send to one named owner, not a generic list.
- Log the SoW in the CRM and attach the tick-67 SIGIL record.
Milestone and payment schedule
Use this when a buyer asks how the 90-day pilot is governed commercially. Keep it capped and measurable.
| Day | Milestone | Deliverable | Payment trigger |
|---|---|---|---|
| Day 0 | Kickoff and evidence boundary | Signed scope, data classes, owner gates, communication rhythm | 30 percent on start |
| Day 15 | Control map | JSP 936, NIST AI RMF, ISO 42001, UK GDPR, and OSCAL starter map | No payment, review gate |
| Day 30 | First public-source demo | Non-sensitive common operating picture, audit log, human oversight record | 40 percent on midpoint acceptance |
| Day 60 | Assurance review | Risk register, red-line audit, evidence-room bundle, procurement route | No payment, decision gate |
| Day 90 | Final go or no-go | Final report, residual risks, next-route recommendation, extension or closeout | 30 percent on final acceptance |
Clause library
These clauses are safe starter language. They are not legal advice and should be reviewed before signature.
- Data boundary: The pilot uses public, synthetic, or buyer-approved non-sensitive data only unless a separate written data processing schedule is agreed.
- Human oversight: DEFONEOS outputs are advisory in the pilot. A named human owner remains accountable for every operational decision.
- Red lines: The pilot excludes kinetic targeting, find-fix-finish workflows, kill-order generation, personal surveillance, face recognition, and phone-location tracking.
- Assurance: Governance artefacts are prepared for review and do not represent third-party certification unless expressly issued by the relevant authority.
- Provenance: Pilot artefacts are versioned and hash-recorded. Ledger anchoring is used where the endpoint is available.
- Exit: Either party may close the pilot at a decision gate if the value hypothesis is not validated.
Worked example — public resilience pilot
This example shows how to fill the SoW without creating an overbroad platform promise.
| Slot | Filled example |
|---|---|
| Buyer problem | Regional teams lack a single audit-grade view of public-source weather, transport, and service-disruption signals during resilience planning. |
| Objective | Validate whether DEFONEOS can produce a public-source common operating picture with human oversight and signed evidence logs. |
| Scope | Three feeds, two dashboards, one evidence-room bundle, one final go or no-go report. |
| Out of scope | No personal data, no emergency-service live dispatch integration, no classified feeds, no automated operational decision. |
| Success metric | Named stakeholder can answer what changed, why, and who approved it from the audit log within five minutes. |
| Commercial route | Capped 90-day pilot from the pricing card, then route to G-Cloud or prime partner if value is validated. |
12-framework crosswalk
Every page in this tick is written as an owner-executable artefact and an audit trail. These mappings are design mappings, not third-party certifications.
| Framework | How this page maps | Honesty status |
|---|---|---|
| EU AI Act | Transparency, human oversight, logging, post-market monitoring, and high-risk discipline when a workflow crosses into regulated public-service use. | Designed control language. Verify per-buyer before external submission. |
| GDPR and UK GDPR | Data minimisation, lawful basis notes, retention windows, subject-access response path, and no personal-surveillance pattern. | Designed control language. Verify per-buyer before external submission. |
| JSP 936 | Assurance case language, operator accountability, safety case evidence, and escalation logging suitable for UK defence AI review. | Designed control language. Verify per-buyer before external submission. |
| JSP 440 | Protective marking, supplier-security posture, evidence handling, and separation of public facts from owner-gated sensitive data. | Designed control language. Verify per-buyer before external submission. |
| NIST AI RMF | Map, Measure, Manage, and Govern rows for every buyer artefact, with clear residual-risk ownership. | Designed control language. Verify per-buyer before external submission. |
| ISO 42001 | AI management-system controls, role ownership, change control, review cadence, and documented competence. | Designed control language. Verify per-buyer before external submission. |
| NIST PQC | Cryptographic-agility language, no false PQC certification claim, and upgrade path for signed evidence bundles. | Designed control language. Verify per-buyer before external submission. |
| NATO STANAG | Interoperability language only, no NATO endorsement claim, and neutral alliance-compatible evidence formatting. | Designed control language. Verify per-buyer before external submission. |
| AUKUS Pillar II | AUKUS-compatible technology framing only, no partnership claim unless a signed letter exists. | Designed control language. Verify per-buyer before external submission. |
| OSCAL | Machine-readable control catalogue and component-definition path for the evidence room. | Designed control language. Verify per-buyer before external submission. |
| Five Eyes export discipline | Public-source and EAR ITAR awareness note, no controlled technical data in the page. | Designed control language. Verify per-buyer before external submission. |
| C2PA 2.0 | Content provenance, artefact signing, and media lineage notation for decks, screenshots, and demo recordings. | Designed control language. Verify per-buyer before external submission. |
Honesty register
The register below is deliberately explicit so the artefact stays usable in a UK-sovereign procurement conversation without overclaiming.
- This page is an executable owner pack, not legal advice and not a government endorsement.
- AUKUS-compatible means design compatibility only. No AUKUS partnership is claimed without a signed letter on file.
- DEFONEOS-SEAL is not issued here. Any credential requires the 33-agent BFT council quorum and owner gate.
- No kinetic-targeting, find-fix-finish, kill-order, face-recognition, phone-location, or individual-tracking pattern is included.
- Buyer names and public bodies are routing examples from public procurement context. Nick must verify the current named contact before sending.
- SIGIL anchor is local until the SOV3 ledger endpoint is reachable from this Mac session.
- Generated 2026-07-11T08:01:33Z. File slug: defoneos-mod-meeting-notes-to-sow.