Processes that do not run on goodwill and email
This is where you decide how a document comes into being, who approves it, and where it rests once the process is done. Underneath sits a single kernel: a registry of document types, a state machine with named guards and effects, and five dates on every document — the same mechanism carries a purchase order, a contract and a leave decision. Above it sit approval rules with amount limits, maker-checker, delegation, SLA and escalation. The records registry, attachment versions, the electronic archive and the archive book close out the document's life all the way to disposal. Tasks land in the Task Inbox under My work; this space is where the processes themselves are designed, administered and measured.
- Document type registry
- State machines
- Approvals with limits
- Maker-checker
- SLA and escalation
- Electronic archive
A process that lives in email is not a process
In most companies the document flow exists but is written down nowhere: everyone knows who signs what — until that person goes on leave.
The contract is in someone's mailbox, the signed scan on a shared drive, the approval somewhere in a March email thread. When an auditor asks who approved the overrun and under which rule as it stood at the time, the answer gets reconstructed from memory. Meanwhile the same work is being done separately in every module: procurement keeps its approval chain in a spreadsheet, HR keeps its own in email, finance keeps its own in the chief accountant's head. When the rule changes, it changes in one of the three places — and that is discovered at the next audit.
NG One has no document module sitting above the others; it has a document kernel sitting under all of them. A document type is a record in a registry: code, module, numbering, mandatory fields, defaults, state machine, print templates and effects, with global defaults and a per-tenant override. States and transitions are configuration, but guards and effects are named, registered in code and covered by tests: configuration composes them, it does not write them. The server decides which actions are permitted on a given document and hands them to the screen, so the action bar never guesses. The same kernel carries the workflow — a transition may wait on an approval, an approval may carry an amount limit and a branch, and every transition leaves a record in an append-only history.
The structural advantage is that the approval rule is versioned and that the document carries a reference to the rule version it passed under. A year later the system does not answer “who was allowed to approve this” from today's configuration, but from the configuration that was in force on the day of the decision — the same mechanism that holds effective-dated statutory parameters. And because the kernel is a platform layer, every module in the system — and every document type a tenant adds later — inherits numbering, attachment versions, approvals, SLA and archiving without an implementation of its own: you add a record to the registry, not another approval flow. This is also why the kernel is not a generic engine that replaces the domain — business invariants stay in their own module, while the kernel carries identity, number, status, history, attachments, links and approvals.
The life of a document, from type to disposal
Six steps every document goes through — whether it originated in procurement, in HR, or in the incoming mail.
- Step 1
The document type and its machine
Before the first document exists, you define what the type is: how it is numbered, what is mandatory, which states it moves through, and what happens on each transition. It is done in the console, as configuration, with a config audit and reusable config sets.
- Code, module, name, numbering series per legal entity
- Mandatory fields, defaults, print templates
- States and transitions with named guards and effects
- Global default type plus a per-tenant override
- Step 2
Creation, attachments and versions
A document is created by hand, from another document, or from incoming mail. The number is assigned on registration, attachments go to object storage and are virus-scanned, and every change to an attachment creates a new version instead of overwriting the old one.
- Number drawn from the series on registration, per legal entity
- Attachments on object storage with antivirus scanning
- Attachment versions with author, timestamp and reason
- Explicit links back to the documents it came from
- Step 3
Approval and the signed decision
A transition that needs a decision stops and raises a task. The approval chain knows amount limits and branching, maker-checker prevents the same person from entering and confirming, and a rejection requires a reason. The signature on the decision is recorded with full context.
- Multi-step chain with amount limits and conditional branching
- Maker-checker and segregation of duties on the same document
- Delegation and stand-in when the approver is away
- Audited signature: who, when, what they saw, in what capacity
- Step 4
Execution, effects and the chain
Once a transition goes through, the kernel runs the named effects inside the same transaction and publishes an event. The document takes its place in the chain — what caused it, and what came out of it.
- Transition effects in the same transaction, no partial state
- An event per transition as the trigger for automation rules
- A visual chain of related documents (Document Flow)
- Append-only transition history — never edited, never deleted
- Step 5
Registry, archive and retention
A document leaving the process enters the record: the registry for incoming and outgoing mail, classification marks, a category in the archive book and a retention period. The archive knows both when a document may be disposed of and when it must not be touched.
- Records registry, incoming and outgoing mail, classification marks
- Categories and retention periods in the electronic archive book
- Archive book transcript for the state archive, and disposal
- Legal hold — deletion blocked for the duration of a dispute
- Step 6
Process analysis
The space does not end at the document but at the question of why the process takes as long as it does. It measures where the flow stalls, who breaches SLA, how often things escalate, and how many steps the system completed without a person.
- Duration per step and per approver
- Breached SLA deadlines and the escalation chain
- Share of steps automation completed on its own
- The rule version each document actually passed under
What this space covers
Five groups and thirty named capabilities, all on one document kernel: the same mechanism carries a purchase order, a contract and a leave decision.
The document kernel
The foundation under every document in the system, from a purchase order to a leave decision. Every module uses it; no module reimplements it.
6 capabilities
Document type registry
A document type is a record, not a class in code: code, module, name, numbering, mandatory fields, defaults, print templates and effects. Global default types with a per-tenant override, no developer involved.
State machines with named guards
States and transitions are configuration; guards and effects are named and registered in code, so configuration composes them rather than writing them. Validation runs in the same transaction as the transition — there is no document that is “half moved”.
Five dates on every document
Document date, delivery date, posting date, value date and tax date are kept apart from day one. A system that collapses them into one cannot later separate the tax truth from the accounting truth without a migration.
Permitted actions computed by the server
Which actions a user may take on a given document in a given state is decided server-side and handed to the action bar. The screen never guesses, and never hides a button the backend would reject anyway.
Attachments, versions and virus scanning
Attachments live on object storage and are scanned on upload. A new version is appended with author, timestamp and reason — the old one stays reachable, because someone may already have decided on the basis of it.
Document links and transition history
Links between documents are explicit rather than inferred from matching numbers. The transition history is an append-only table — no updates, no deletes, enforced at the database level and not only in the application.
Approval and control
Who may approve what, up to which amount, and with whose confirmation. Six-layer authorization and the workflow kernel that enforces it are one layer — the rule is written once and holds on every document in the system.
6 capabilities
Authorization matrix and approval limits
Six-layer authorization: roles, data scope, approval limits, segregation of duties, maker-checker and delegation. A limit is not a figure in a manager's head but a rule the system applies to every document.
Segregation of duties
Combinations of rights that must not sit with the same person are defined as a rule rather than an understanding. The system blocks an assignment that creates a conflict and records every attempt to work around it.
Maker-checker
For sensitive actions, entry and confirmation are split across two people. It works on documents, on configuration changes and on administrative operations — through one mechanism, not three.
Delegation and stand-ins
Absence is declared, not solved by sharing a password. The stand-in inherits tasks for a defined period, with a record that the decision was taken by the stand-in and under whose authority — limits and SoD rules stay in force.
Immutable log and change log
Who changed what, when, from which value to which. The log cannot be edited or deleted, not even by an administrator account; a configuration change leaves the same trail as a document change.
Multi-step approvals and bulk confirmation
A chain with conditional branching and amount limits; a state machine transition may wait on an approval as its condition. A manager facing thirty requests of the same type confirms them at once, with an individual trail per request.
Tasks, SLA and automation rules
The layer that pushes a process forward when nobody is watching. The global Task Inbox lives in My work — here the rules are set, measured and changed.
6 capabilities
Tasks per user and per role
A task is assigned to a person or to a role, and carries a deadline, comments and evidence. A task on a role survives an employee leaving — the request does not sit waiting on an account nobody opens any more.
SLA and escalation
The deadline is set per task type, not per goodwill. When it lapses, the task moves up by a rule written in advance — escalation is configuration, not a phone call.
Automation rules: event → condition → action
An event on a document evaluates a condition, and the condition fires a named action: a task, a document, a notification or a transition. Rules are set in the console and behave deterministically — the same input always produces the same output.
Rule versioning
Approval configuration has a validity period, and the document carries a reference to the rule version it passed under. “Under what was this approved in March” still has an answer after three changes to the rule.
Comments, evidence and collaboration
The discussion about a document sits with the document, with attachments as evidence and visibility that respects the user's data scope. The decision and the reasoning behind it do not live in two different systems.
Process analytics and automation KPI
How long a step takes, where the flow stalls, who breaches SLA, and how many steps the system finished on its own. The figure for “what NG One did without a person” is measured, not estimated — every automated step has its own record.
Signature, registry and archive
The part of this space where marketing most often overreaches. Here the mechanisms are named literally: internal approval is internal approval, a qualified signature is a qualified signature, and the system shows which is which at every point.
7 capabilities
Internal electronic approval and signed decision
An audited signature on the decision: who signed, when, what they saw and in what capacity, with a hash of the signed version and a visual signature block on the printout. A legally clean mechanism for internal consent, with no claims of a qualified signature.
Signing flows
Order of signatories, reminders and SLA, rejection with a mandatory reason, and a signature as the condition of a state machine transition. The same workflow kernel that carries approvals — signing is not a separate system with rules of its own.
PAdES signatures and the signature block on the PDF
PDFs come out with a PAdES signature structure: signature fields in the template, a visual signature block, a hash of the signed version, and the hook that ties the signature to a state machine transition. Legal weight comes from the certificate a document was signed with, so the interface shows, on every signature, which means produced it.
Records registry and classification marks
Incoming and outgoing mail, registry number, classification marks, and the link from an incoming document to the business document it produced. The full DMS layer sits over the document kernel: an incoming letter gets its number, versions and retention from the same registry a purchase order does.
Electronic archive book and disposal
Categories of documentary material with their retention periods (financial records 20 years, general ledger 10, payslips permanently), the archive book transcript as a file for the state archive by 30 April, and disposal once retention lapses.
Advanced eSign over XML and the eArchive
XAdES structure over XML documents, a qualified corporate seal and a timestamp, including the signature over the copy held in the eArchive. Reliable electronic preservation needs a seal and a timestamp from a qualified provider — NG One runs the flow, binds the timestamp to the copy and keeps the evidence beside it.
Qualified signature, seal and timestamp
A local agent with a smart card (the private key never leaves the signatory), remote signing through a qualified QTSP provider, a qualified corporate seal, and long-term validation (PAdES-LTA). The same workflow kernel that carries internal approval — what changes is the signing means and the legal weight, not the flow.
Screens, print and document intake
What a document looks like while it is being worked on, how it comes out on paper, and how it comes in from the outside world.
5 capabilities
Document Workspace
A key document is not a long generic form: a condensed header, generous room for line items, a sticky action bar, a right-hand panel with status and permitted actions, attachments, comments, and an event timeline at the bottom.
Document Flow — the chain of related documents
A visual chain showing what a document came from and what came out of it: purchase order → goods receipt → supplier invoice → journal entry → payment. A click opens the document itself, not a filtered list.
Print templates and labels
The template belongs to the document type: Cyrillic and Latin script, large tables with page breaks and repeated headers, barcodes and QR, PDF/A-2b for the archive. Labels go straight to a ZPL printer, with nothing in between.
Report and print designer
Changing the look of a printout without a developer and without a release: layout, fields, language and legal entity as template parameters. The same designer drives both a document printout and a report from the reporting centre — one tool, not two.
OCR on incoming documents
A supplier invoice or delivery note is read field by field, with confidence measured per field type. A field below threshold is left empty for a person rather than filled in; duplicates are caught before entry, and the document is linked to its goods receipt.
What the AI actually does here
None of this decides in place of a person. It proposes, explains and shows what it based itself on — and the result enters the same approval flow as a document a person wrote.
OCR that refuses to guess
Number, date, tax ID, amount and line items are read as separate fields, each with its own confidence. A field below threshold stays empty and asks for a person instead of offering a plausible number — a wrong amount that looks right costs more than an empty field. Accuracy is tracked per field type, not as a single percentage over the whole document: that figure means nothing when the tax ID lands 99% of the time and the amount 70%.
A copilot that shows its evidence
On an open document the panel offers concrete actions instead of an empty chat box: explain the posting, check the VAT treatment, find the related goods receipt, check for a duplicate, draft a message to the supplier. Every answer carries its source documents and a drill-down to the data — a claim without a path back to its source is not shown.
Proposals arrive as drafts
A dunning letter, purchase order, task or reply prepared by the AI is created as a draft document in the type registry. The draft passes through the same state machine, the same approval limits and the same signature as any other document. There is no silent edit, and no action executed because a model felt confident.
A deterministic layer under the model
Most of what is sold as AI in document flows is in fact a rule. That is why automation rules (event → condition → action) are a separate mechanism with named actions: predictable, repeatable, testable. The model proposes, the rule executes — blending the two produces a system nobody should let near a posting run.
AI inside the same permissions
The AI does not see a document the user may not see: retrieval runs strictly inside six-layer authorization, data scope and tenant isolation, a model gateway and guardrails sit between the model and the system, and every call leaves an entry in the AI audit. Prompt-injection resistance and tenant isolation are checked against golden sets in CI, before a change reaches a user.
Why this works differently
Measured against what a company runs today — Pantheon, Business Central, Odoo, or an in-house system with a DMS bolted on the side.
A kernel under every module, not a DMS beside them
In most systems the DMS is a module: it has its own folders, its own rights and its own approval flow, sharing no mechanism with approvals in procurement or in HR. The result is one rule maintained in three places and diverging in one of them. In NG One the document kernel is a platform layer: a document type is a record in a registry, so every new type — yours or ours — inherits numbering, versions, approvals, SLA and archiving without an implementation of its own. You add a record to the registry, not another approval flow.
The rule is remembered as it stood at the time
Systems generally answer “who may approve this” from today's configuration, so a decision from a year ago gets checked against a rule that did not exist then. NG One versions the approval configuration and writes the rule version onto the document itself — a check returns the rule as of the day of the decision. The same mechanic holds effective-dated statutory parameters, so a change in law and a change in an internal rule do not need two different explanations.
We do not lie about the signature
Both an image of a signature on a PDF and a user certificate held in a server vault get sold as an “electronic signature”. The latter breaks the requirement that the signatory has sole control of the signing means, and is not a qualified signature no matter how it is rendered. NG One separates the two and names them: internal approval with a full audit and version integrity for internal decisions, and a qualified signature through a local agent with a smart card or a remote QTSP — where the private key never leaves the signatory. Which signature is which is stated on the document, in the interface and in the trail, because the legal weight sits in the certificate, not in the software around it.
Configurable, but not handed over
One extreme is systems where changing an approval flow needs a developer and a release. The other is low-code engines where rules are drawn in a browser, never see a test, and break in production during the close. NG One splits the two: states, transitions and approval chains are configuration through the console, with a config audit and config sets; guards and effects are named, in code, and under test. An upgrade does not overwrite a customization — clean-core is an architectural decision, not a release policy.
The flows this space runs through
A business space is not an island. These processes touch it end to end, and where a flow leaves this space the record stays the same — the next step receives it structured rather than retyped.
Support
Case-to-Resolution
The path from a customer's report to a resolution. Complaint, service order and replacement are one case with a deadline, not three separate trails in someone's inbox.
- Case logged
- Triage and SLA
- Service or replacement
- Return
- Resolution and credit
Finance
Record-to-Report
The path from document to report. Postings come from the business event rather than a second round of data entry, and carry their dimensions from the first line, so period close does not begin by hunting for what is missing. POPDV, PP PDV and the APR statements come out of that same journal, with nothing reassembled afterwards.
- Document
- Posting
- Controls
- Close
- Reporting
Questions about this space
Scope, boundaries, and the rules this space posts by.
Does NG One replace our existing DMS?
Not necessarily, and that is deliberate. NG One carries the documents that arise inside business processes — the ones with a type, a number, a status, an approval and an accounting effect. Unstructured documentation you need to find by searching its contents is a different job, and the Konis family has DocDot for it: a document management system with OCR on scans, versioning and search over the text inside the file. If you already run DocDot or another DMS, NG One does not push it out: the process document stays in the kernel, while the archival copy and full-text search can stay where they are. NG One also carries its own DMS layer over the kernel — records registry, classification marks, attachment versions, archive book — so the split is a decision you make on merit, not one forced on you by a gap in somebody's scope.
Is your electronic signature legally valid?
That depends on which signature you mean, and we separate the two rather than hide behind the word. NG One carries both mechanisms. The first is internal electronic approval and a signed decision: it records who signed, when, exactly what they saw and in what capacity, with a hash of the signed version and a signature block on the printout. That is a legally clean mechanism for internal consent and entirely sufficient for an internal decision — approving an overrun, authorising a business trip, confirming a stock count sheet — but it is not a qualified electronic signature, and the system never presents it as one. The second is the qualified signature, which requires the signatory to have sole control of the signing means: it runs through a local agent with a smart card, where the private key never leaves the signatory, or through remote signing at a qualified QTSP provider — together with a qualified corporate seal and timestamp for documents that leave the company. Both run through the same workflow kernel, the same state machine and the same trail. The distinction worth remembering: the legal weight sits in the certificate a document was signed with, not in the software that runs the flow — which is why NG One records and displays, on every signature, the means that produced it.
Can a consultant build a new approval flow without a developer?
For everything made of states, transitions, conditions and limits — yes. The document type, its numbering, mandatory fields, states and transitions, approval chains with amount limits and branching, SLA deadlines and escalations, automation rules and print templates are all set in the console, with a config audit recording who changed what and from which value to which. What is not configurable is the logic of a guard or an effect: those are named, written in the code of their own module and covered by tests, and configuration only composes them. That boundary is intentional — an approval flow a user drew in a browser and that never passed a test has no business deciding on a posting.
What does the archive book and the transcript for the state archive look like?
The electronic archive book keeps categories of documentary material with their retention periods — financial records for twenty years, the general ledger for ten, payslips permanently — and is populated from documents already in the system rather than by re-entry. The transcript for the previous year is generated as a file and filed with the competent archive by 30 April. Once retention lapses, disposal is initiated, and disposal is itself a document with an approval and a trail; a legal hold locks deletion for the duration of a dispute regardless of an expired retention period. Reliable electronic preservation requires a qualified seal and timestamp: NG One binds both to the archived copy and keeps the evidence with it, and a qualified provider issues them — as everywhere that the legal weight rests on a certificate rather than on software.
Where are my tasks — in this space or in My work?
In My work. The global Task Inbox is a canonical part of the home screen: that is where you see the decisions waiting on you, the exceptions that need attention, and what the system finished on its own in the meantime. This space is the administrative and analytical side of the same mechanism — here you define which document type moves through which states, who approves up to what amount, what the SLA deadline is and who it escalates to. The rule from the Atlas is that every business object has exactly one canonical place in navigation; a task that existed in two places would become two tasks the moment one of them failed to refresh.
What happens when an approver goes on holiday?
They declare the absence and name a stand-in, with a validity period. Tasks in that window go to the stand-in, and the record shows that the decision was taken by the stand-in and under whose authority — delegation does not erase the original approver's name from the trail. Amount limits and segregation of duties stay in force: the stand-in gains no authority beyond their own, so an amount over the limit still climbs to the next level. If nobody responds within the SLA, the task escalates by a rule written in advance rather than by whoever remembers to make a call. Password sharing, which is today's most common answer to this problem, has nothing left to solve here.
What does adopting this space ask of us?
An inventory of the flows you run today, and an honest decision about which of them deserve to survive. The technical part is configuration: document types, states and transitions, approval chains with limits, SLA deadlines, escalations and print templates are set in the console and packaged into config sets that move from a test environment into production — no developer, no release. What costs you time is the decisions, not the data entry: who approves up to what amount, where maker-checker sits, which combinations of rights must never meet in one person, how long the SLA runs and who it escalates to. Those decisions already exist in your company — they are simply unwritten today, and this is the exercise that says them out loud for the first time. After go-live, correcting one is not a risk: rules are versioned, so a new version applies from the day it is introduced while documents approved before it keep the reference to the rule they actually passed under.
Neighbouring spaces
Bring us your worst approval flow
The one that runs on email, three spreadsheets and a phone call. We will show it back to you as a document type in the registry — with a machine, limits, delegation, an SLA and a trail — on your numbers and your rules, not on a demo example.