How to run an annual policy attestation cycle as Chief of Staff and Founder's Office

Compliance & Legal | For Chief of Staff and Founder's Office | 2 apps | 12 steps | ~24 min to set up

Once a year, someone has to chase down 150 employees to confirm they've read and acknowledged the employee handbook, data security policy, acceptable use policy, and whatever new compliance document legal just dropped. That someone is usually you. Right now that means a Google Sheet tracking who's signed what, a mail merge from Gmail, three reminder emails you wrote manually, a Slack message to every manager whose directs haven't responded, and a final audit you export to PDF and send to the board. It takes two weeks of calendar space you don't have, and the bottleneck is always the last 20 people who ignore every message.

Outcome

What you'll set up

A live attestation tracker that pulls employee rosters from your HR system and shows completion rates by department, manager, and policy document — updated automatically so you're never working from a stale spreadsheet
An automated reminder sequence that escalates through email and Slack — first to the employee, then to their manager — without you writing a single message after the initial setup
A final audit report you can export and attach to a board deck or hand to your auditor, showing who attested, when, and from which acknowledgment method
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used
Data sources & config

Starch syncs your Paylocity employee data on a schedule (employees, org units, managers) to power the roster. Gmail is synced directly by Starch so outbound reminder emails go from your actual account. Slack is connected directly by Starch so manager escalations post to the right channels. Google Calendar is synced directly so the automation knows which weeks fall inside the attestation window you define. The tracker app itself lives in Starch — no separate spreadsheet to maintain.

Prompts to copy
Build me a policy attestation tracker that imports our employee list from Paylocity, creates one row per employee per policy document, and tracks attestation status (not started, reminded, complete) with a timestamp for each completion. Add a dashboard view grouped by department and manager showing completion percentage.
Create an automation that runs every Monday during the attestation window: pull incomplete attestations from the tracker, send a reminder email from Gmail to each employee who hasn't completed, and if they've already been reminded once this cycle, send a Slack message to their manager with a list of their direct reports who are still outstanding.
Build me a final audit report generator that, when I click Run, exports a timestamped CSV of all attestation records — employee name, policy, completion date, reminder count — and drafts a summary email I can send to the board with overall completion rate and any outstanding exceptions.
Walkthrough

Step-by-step

1. Connect Paylocity as a scheduled-sync provider in Starch. Starch pulls your full employee list including department, manager, and employment status automatically — this is your source of truth for who needs to attest.
2. Upload your policy documents (or link to them in Notion, which Starch connects to directly). For each policy, set a due date and define what 'attestation' means — email reply, checkbox in a Starch app, or a form submission.
3. Tell Starch: 'Build me a policy attestation tracker with one row per employee per policy, showing status, last reminder date, and completion timestamp. Group the dashboard by department and manager.' Starch builds the app; you review and adjust the column labels to match your internal terminology.
4. Define your reminder schedule — for example: initial outreach on Day 1, first reminder on Day 5, manager escalation on Day 10. Tell Starch: 'Create an automation that checks the tracker each morning and sends Gmail reminders to employees who haven't completed, escalating to their manager after two missed reminders.' Starch wires the logic; you approve the email and Slack message templates.
5. Send the initial attestation request. This can be a bulk email drafted by the Email Triage app from your Gmail, or you can trigger it from the automation directly. Either way, the outbound messages come from your actual Gmail account, not a no-reply address.
6. Watch the dashboard. As employees complete attestations, the tracker updates. You see live completion rates by department — engineering is at 82%, sales is at 47%, and you know exactly which three managers to ping manually.
7. For the employees who are genuinely stuck (new hire who doesn't have Gmail access yet, contractor whose status is ambiguous), use the task manager to log exceptions with context. Tell Starch: 'Add a task for each open exception with the employee name, issue, and owner, due by the attestation close date.' These won't fall into a spreadsheet row nobody reads.
8. On Day 10, the manager escalation fires automatically via Slack. Each manager gets a message listing their direct reports who haven't completed, with a direct link to the attestation form. You don't write any of these messages — they go out from the automation.
9. Three days before the window closes, run a manual check: ask Starch to summarize current completion rates and flag any department under 80%. Use this to decide whether to escalate to the CEO or COO for a direct nudge to specific teams.
10. At close, trigger the audit report export. Tell Starch: 'Generate a final attestation report showing every employee, every policy, completion status, and reminder history. Export to CSV and draft a summary for the board showing overall rate and exceptions.' You get a board-ready paragraph and a clean CSV in under a minute.
11. Attach the CSV to your board materials or send it to your auditor. If you use a GRC tool, Starch can automate uploading the file through browser automation — no API with the GRC tool required.
12. After the cycle closes, save this whole setup as a reusable workflow. Next year, update the policy documents and the employee list syncs automatically — you're not rebuilding from scratch.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Worked example

Annual Policy Attestation Cycle — March 2026 (152 employees, 4 policies)

Sample numbers from a real run
Employees requiring attestation: 152
Policies in scope (handbook, data security, acceptable use, AI tools policy): 4
Total attestation tasks generated: 608
Completed by Day 7 (before first escalation): 489
Manager escalations sent on Day 10: 23
Open exceptions at close (contractors, LOA): 6
Final completion rate (excluding documented exceptions): 99%

On March 3rd, you trigger the attestation cycle. Starch pulls the 152-person roster from Paylocity — including 12 employees who joined since last year's cycle and 3 who are on leave — and creates 608 rows in the tracker (152 employees × 4 policies). The initial Gmail outreach goes out that morning. By Day 7, 489 of 608 attestations are complete. The dashboard shows sales at 71% completion and engineering at 94%. On Day 10, the automation fires Slack messages to the 23 managers with outstanding direct reports — not a blast to all managers, only the ones who have an actual problem. Within 48 hours, 90 more attestations come in. By March 17th, the tracker shows 602 complete and 6 open exceptions: two contractors whose policy scope is under legal review, three employees on parental leave, and one whose employment status changed mid-cycle. You log each as a task with context. On March 18th, you ask Starch to generate the final audit report: 99% completion rate excluding documented exceptions, full timestamp log, clean CSV. You paste the summary paragraph directly into the board deck intro and attach the CSV. The board review takes three minutes instead of fifteen.

Measurement

How you'll know it's working

Attestation completion rate by department at Day 7, Day 14, and close — the leading indicator of whether you're going to hit 100% without a fire drill
Time from cycle open to 95% completion — last year this took 18 days; the target is 12
Manager escalations required — a high number means your initial comms weren't clear or your reminder cadence is wrong
Documented exceptions as a percentage of headcount — anything over 2% at close needs a conversation with legal
Hours of CoS time spent on manual follow-up — the number you're trying to get to zero
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Sheets + Gmail mail merge
Free and familiar, but the roster goes stale the moment someone joins or leaves, you're writing every reminder manually, and the final audit is a spreadsheet you assembled by hand — not something you'd hand to an auditor with confidence
Rippling or Workday built-in attestation module
Purpose-built for this workflow and deeply integrated with HR data, but you're locked into their template and reporting format — Starch lets you customize the tracker, the escalation logic, and the audit output to match exactly what your board or auditor asks for
Notion + Slack reminder bot
Works fine for a 30-person company; at 150 people with four policies and a real audit requirement, you need a tracker that updates automatically from your HR system and a reminder sequence that doesn't require manual intervention
Dedicated GRC platforms (Vanta, Drata)
Purpose-built for SOC 2 and compliance workflows with strong auditor integrations, but they're expensive, require significant setup time, and are overkill if policy attestation is one of five things you're trying to automate this quarter
On Starch (recommended)

One platform: task manager and founder inbox, all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Can Starch pull our employee list automatically, or do I have to upload a CSV every time?
If you're on Paylocity or ADP, Starch syncs your employee data on a schedule — new hires appear automatically, terminated employees drop out. You set it up once and the roster stays current. If your HR system isn't one of those two, you can connect it from Starch's integration catalog (BambooHR, Gusto, Rippling, and others are reachable) and the agent queries it live when the tracker refreshes.
Will the reminder emails come from my actual Gmail address, or a generic Starch address?
They come from your Gmail. Starch connects directly to Gmail — employees will see your name and address in the From field, which matters for open rates and for not looking like a phishing attempt.
What if we use Outlook instead of Gmail?
Starch connects directly to Outlook too — same scheduled sync, same send capability. Switch the email connection in setup and everything else works identically.
Can Starch handle the actual signature or acknowledgment collection, or does it just send the reminder?
Starch tracks completion status and can update a record when an employee replies or clicks a link. If you need a legally binding e-signature (DocuSign, PandaDoc), Starch can automate those workflows through browser automation — no direct API required — and record the completion back in your tracker. For most internal policy attestations, an email reply or a checkbox in a Starch form is sufficient and simpler.
Is Starch SOC 2 certified? We have an auditor who will ask.
Not yet — Starch is not SOC 2 Type II certified. That's worth knowing upfront. If your auditor requires SOC 2 certification from every tool in your attestation workflow, that's a real constraint. For companies where the audit is internal or where you're producing attestation records for a board rather than an external auditor, this typically isn't a blocker.
What happens if an employee is on leave or is a contractor who's out of scope?
You define the scope when you set up the tracker — you can exclude specific employees, employment types, or departments. Anyone flagged as an exception gets logged as a task with context so they don't fall through a gap and don't get reminder emails they shouldn't receive.
Can I reuse this setup next year without rebuilding it?
Yes. Once the app and automation are built, next year you update the policy documents, confirm the attestation window dates, and run the cycle. The employee roster refreshes automatically from Paylocity. The only thing you're doing is reviewing the email and Slack templates to make sure they still say the right thing.

Ready to run an annual policy attestation cycle on Starch?

Request closed-beta access. Everything is free during beta.
