How to run an annual policy attestation cycle on Starch
An annual policy attestation cycle is the process of getting every employee on record as having read and acknowledged your company's active policies — things like your code of conduct, data handling rules, acceptable use policy, or harassment prevention guidelines. Most operators run this once a year (often tied to a compliance deadline, an insurance renewal, or a new hire class that made you realize nothing was formalized). What the cycle looks like in practice varies: a 10-person team might do this through a shared Notion doc and a few Slack nudges; a 50-person team might need tracked sign-offs, escalation for non-responders, and a clean audit trail to show an auditor or board member. The stakes and the tooling differ, but the core job is the same — get every active employee to confirm they've read the right documents, and have proof that they did.
On Starch, you end up with a tracked acknowledgment log you can actually point to, automated follow-up emails that go out without you remembering to send them, and a task view that shows you exactly who hasn't signed off as the deadline approaches — not a spreadsheet you last updated on Tuesday.
Why it matters
A policy attestation cycle that doesn't close cleanly leaves you exposed. If an employee later claims they weren't aware of a policy, 'we sent an email' is a weak defense without a timestamp and a confirmation. Auditors, insurers, and enterprise customers increasingly ask for signed acknowledgment records — not because they expect problems, but because the absence of records signals that your compliance posture is informal. Done well, it takes a half-day of setup once a year and produces a document you're glad you have.
Common pitfalls
Sending one email blast and assuming silence means acknowledgment — non-response is not sign-off.
Using document version names inconsistently, so your log shows 'Code of Conduct v2' but the file employees actually signed was 'COC_final_FINAL' and you can't prove they match.
Tracking completions in a spreadsheet that only one person can update, so the status is always stale.
Starting the cycle too close to the deadline — attestation rounds almost always surface someone who left, a policy that needs updating, or a contractor classification question that takes two weeks to resolve.