SOW & SLA Drafter
Overview
The SOW & SLA Drafter skill guides the drafting of professional Statements of Work combined with Service Level Agreements for B2B service engagements. It produces a structured, multi-section document covering scope, deliverables, timelines, service levels, fees, governance, and compliance. The skill applies industry-aware conditional logic: depending on the client’s sector, it suggests regulatory and compliance sections that a generic template would miss — such as HIPAA and ISO 13485 for MedTech, SOC 2 and PCI DSS for Fintech, or GDPR and Standard Contractual Clauses for engagements involving EU data.
Getting Started
Activate the SOW & SLA Drafter skill and tell the agent about your engagement. The agent will ask for the client’s industry, the engagement type, and the parties involved, then guide you through a phased workflow: discovery, scope and deliverables, SLA definition, commercial terms, governance and compliance, and final review. The completed document is saved to output/sow-sla.md.
Example Conversation
Below is an example of a typical session when drafting a SOW/SLA for a SaaS implementation engagement with a MedTech client.
You: Let’s draft a SOW. The client is MedVault Inc., a medical device company based in Boston. We’re implementing our cloud-based quality management platform for them.
Agent: Since this is a MedTech engagement, I recommend including the following compliance sections in the SOW:
- ISO 13485 — Quality Management System alignment for medical device software
- HIPAA Business Associate Agreement — since the platform will handle Protected Health Information (PHI)
- FDA 21 CFR Part 11 — if electronic signatures or audit trails are involved
Should we include all three? Also, does MedVault have EU operations that would require us to address EU MDR 2017/745 or GDPR?
You: Yes to ISO 13485 and HIPAA. No FDA 21 CFR Part 11 — they handle e-signatures separately. No EU operations.
Agent: Understood. I’ll include ISO 13485 and HIPAA/BAA sections and skip FDA Part 11 and EU provisions. Now let me propose the scope. For a SaaS QMS implementation, I suggest these milestones:
- Project kickoff and requirements gathering (Weeks 1–2)
- Solution design and architecture review (Weeks 3–4)
- Environment setup and configuration (Weeks 5–6)
- Data migration from their current QMS (Weeks 7–9)
- Integration testing and IQ/OQ validation (Weeks 10–12)
- User acceptance testing (Week 13)
- Training and knowledge transfer (Week 14)
- Go-live and hypercare (Weeks 15–16)
Any custom inclusions or exclusions?
You: Add a Phase 0 for vendor security assessment — their compliance team requires it before kickoff. Also exclude any hardware procurement.
Agent: Added Phase 0: Vendor Security Assessment (Week 0). Hardware procurement is listed as explicitly out-of-scope. Now for the SLA — given this is a healthcare platform, I’d recommend the Enhanced tier: 99.9% uptime, 4-hour Sev 1 response, 8-hour resolution, with extended-hours monitoring. For patient-facing systems, some clients go with Mission-Critical (99.99%). Which tier fits?
You: Enhanced is fine. Their clinical systems are separate — this is back-office QMS.
Agent: I’ve drafted the full SOW with all sections and saved it to output/sow-sla.md. Here’s a summary of what’s included:
- 14 sections covering parties, definitions, scope, deliverables, SLA, fees, governance, HIPAA/BAA, ISO 13485 compliance, confidentiality, IP, term/termination, liability, and signatures
- Enhanced SLA tier: 99.9% monthly uptime, 4h/8h response/resolution for Sev 1, service credits at 10% per 0.1% breach (max 30%)
- 9 milestones with a Phase 0 security assessment
- HIPAA BAA section with breach notification (60-day timeline), PHI handling requirements, and audit rights
- ISO 13485 section covering QMS documentation alignment and CAPA process integration
Would you like to review any section in detail or make adjustments?
Sample Output Excerpt
Below is a representative excerpt from a Statement of Work & SLA produced with the SOW & SLA Drafter skill — SaaS implementation for a MedTech client.
Statement of Work — Excerpt (SaaS Implementation, MedTech)
Document ID: SOW-2025-042 | Client: MedVault Inc. | Date: 2025-06-15 | Status: DRAFT
3. Scope of Services
3.1 Engagement Overview
Provider shall implement and configure its cloud-based Quality Management System (“QMS Platform”) for Client’s medical device quality operations, including data migration from Client’s existing QMS, integration testing with validation protocols, user training, and post-go-live hypercare support.
3.2 In-Scope Services
- Vendor security assessment and compliance documentation
- Requirements gathering and solution design
- QMS Platform configuration and environment setup
- Data migration from Client’s existing QMS (up to 50,000 records)
- Integration testing and IQ/OQ validation protocols
- User acceptance testing with Client’s quality team
- End-user training (up to 3 sessions, max 20 participants each)
- Go-live support and 2-week hypercare period
3.3 Out-of-Scope
- Hardware procurement or infrastructure provisioning
- Modifications to Client’s existing on-premise systems
- Regulatory submissions to FDA or other authorities
- Electronic signature implementation (managed separately by Client)
5. Service Level Agreement
5.1 Service Availability
| Metric | Target | Measurement Period |
|---|---|---|
| Uptime | 99.9% | Monthly |
| Scheduled Maintenance | Max 4 hours/month | Monthly |
| Maintenance Notice | 48 hours advance | Per occurrence |
5.2 Incident Response & Resolution
| Severity | Description | Response Time | Resolution Time |
|---|---|---|---|
| 1 — Critical | QMS Platform unavailable; quality processes blocked | 4 hours | 8 hours |
| 2 — High | Major feature degraded; workaround available | 8 hours | 24 hours |
| 3 — Medium | Minor feature issue; no business impact | 16 hours | 48 hours |
| 4 — Low | Cosmetic or informational | 2 Business Days | 5 Business Days |
8. Regulatory Compliance
8.1 ISO 13485 Alignment
Provider shall maintain its QMS Platform in alignment with ISO 13485:2016 requirements applicable to software used in medical device quality management. Provider shall support Client’s CAPA (Corrective and Preventive Action) processes and maintain traceability of quality records within the platform.
8.2 HIPAA — Business Associate Agreement
Provider acknowledges that it may receive, create, or maintain Protected Health Information (“PHI”) in the course of providing services. Provider agrees to:
- Use and disclose PHI only as permitted by this Agreement and applicable law
- Implement administrative, physical, and technical safeguards per 45 CFR §§ 164.308, 164.310, and 164.312
- Report any Security Incident or Breach of Unsecured PHI to Client within sixty (60) days of discovery
- Make records available to the Secretary of HHS for compliance audits
- Return or destroy all PHI upon termination of this Agreement
This excerpt is illustrative. Final SOW/SLA documents must reflect your actual engagement terms and legal advice.
Resources
This skill provides:
- Reference documentation — Industry-specific compliance frameworks, SLA tier benchmarks, and typical engagement milestones by sector (see references/industry-standards.md). Covers Healthcare/MedTech, Fintech, SaaS/Cloud, Manufacturing, Government, and Retail.
- SOW/SLA template — A structured 14-section document template (see assets/sow-sla-template.md) covering parties, definitions, scope, deliverables, SLA, fees, governance, compliance, confidentiality, IP, term/termination, liability, dispute resolution, and signatures.
The agent uses the reference material to suggest appropriate compliance sections based on the client’s industry, then fills in the template section by section as the conversation progresses.