Compliance & Legal

How to run an annual policy attestation cycle as Small HR Teams

Compliance & LegalFor Small HR Teams3 apps12 steps~24 min to set up

Once a year, you have to get every one of your 150 employees to read and sign off on your acceptable use policy, code of conduct, data handling policy, and whatever else legal added this cycle. You're doing this out of a combination of DocuSign, a Google Sheet tracking who's signed what, a Slack reminder that went out three weeks ago and half the company ignored, and a frantic email to managers two days before the deadline. Paylocity or BambooHR tells you who exists; it does not tell you who has ignored three reminders, whose manager needs to be looped in, or which new hires got the wrong policy version. You are the tracking system.

Build this on Starch → See the apps used

Compliance & LegalFor Small HR Teams3 apps12 steps~24 min to set up

Outcome

What you'll set up

A live attestation tracker that pulls your employee roster from Paylocity or ADP on a schedule and shows exactly who has signed each policy, who is overdue, and who hasn't opened the request

Automated reminder sequences that escalate from employee → manager → HR after configurable intervals, drafted and sent through Gmail without you touching each one

A completion dashboard you can drop into a board update or audit file showing attestation rate by department, hire date, and policy version — no manual pivot tables

The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used

Knowledge Management Email Agent Task Manager

Data sources & config

Starch syncs your Paylocity data on a schedule — employee records, org units, and department assignments refresh automatically so your completion denominator is always current. Gmail is connected via scheduled sync so Starch can read send history and draft outbound reminders. Policy documents live in Notion (synced on a schedule) or uploaded directly into the Knowledge Management app. For any attestation portal your company uses that has a web interface but no direct API — like a legacy compliance vendor or a custom intranet form — Starch automates it through your browser with no API needed.

Prompts to copy

Build me a policy attestation tracker that pulls our active employee list from Paylocity, lets me upload the four policy documents we need signed this cycle, tracks who has confirmed receipt and agreement for each policy, and shows a completion percentage by department

Create an automated reminder workflow: seven days after a policy attestation request goes out, identify everyone who hasn't confirmed and draft a personalized follow-up email from my Gmail account addressed to that employee with their manager CC'd; escalate to a second reminder at fourteen days for anyone still outstanding

Build a dashboard that shows attestation completion rate across all four policies, broken out by department and by tenure band (under 90 days, 90 days to 1 year, over 1 year), pulling headcount from Paylocity so the denominator stays current as people join or leave

Run these in Starch → or paste them into your favorite agent

Walkthrough

Step-by-step

1 Connect Paylocity to Starch (scheduled sync) — your active employee roster, department, and manager fields sync automatically. This is your source of truth for who needs to attest.

2 Upload your policy documents for this cycle — acceptable use, code of conduct, data handling, and any new additions — into the Knowledge Management app or link the Notion pages where they already live.

3 Tell Starch: 'Build me an attestation tracker with these four policies as line items and our Paylocity employee list as the roster. Each employee should have a confirmed / pending / overdue status per policy.' Starch builds the app.

4 Set your attestation window and reminder cadence in natural language: 'Send the initial request email from my Gmail on April 1, first reminder on April 8 to anyone still pending, second reminder on April 15 with their manager CC'd.'

5 Starch drafts the initial outreach batch through the Email Agent — one personalized email per employee, referencing the specific policies they need to sign. Review a sample, approve the template, send.

6 As employees confirm, their status updates in the tracker. For any confirmation that comes in via email reply, the Email Agent logs it and marks the record; for attestations via a web form, browser automation checks the portal and updates the tracker.

7 At day seven, Starch identifies the outstanding list, drafts the first reminder batch, and queues it for your one-click send. You review, approve, send — no copy-paste from a spreadsheet.

8 At day fourteen, the second-reminder batch goes out with managers CC'd. The Task Manager creates a follow-up task for each manager whose direct report is still outstanding, so accountability is documented.

9 Two days before the deadline, pull the completion dashboard: attestation rate by department, flagged employees by name, and a count of how many have not opened any request. Share it with your CHRO or COO as a one-page status.

10 After the deadline, export the completion record — employee name, policy version signed, timestamp — as your audit artifact. Store it back in Notion via the Knowledge Management app so it's findable next year.

11 For the handful of employees on leave or with extenuating circumstances, log exceptions directly in the tracker with a note; they're excluded from the overdue count but flagged for follow-up when they return.

12 Run a retrospective prompt after close: 'Show me which departments had the highest non-completion rate and how many reminders it took on average.' Use that data to adjust next year's window length or reminder frequency.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →

Worked example

April 2026 Annual Policy Attestation — 150 employees, 4 policies

Sample numbers from a real run

Employees requiring attestation	150
Policies to attest (AUP, Code of Conduct, Data Handling, AI Use Policy)	4
Total attestation events required	600
Completed by day 7 (after first send)	381
Completed after first reminder (day 7–14)	147
Completed after manager-CC reminder (day 14–21)	58
Exceptions logged (leave, terminations during window)	9
Outstanding at deadline — escalated to HR direct outreach	5

On April 1, Starch pulled 150 active employees from Paylocity and sent 150 personalized attestation emails through Gmail — one per employee, each listing the four policies due by April 22. By April 8, 381 of 600 attestation events were logged as complete (63.5%). Starch drafted the day-7 reminder batch for the 73 employees with at least one policy still outstanding; you reviewed three sample emails, clicked send, and it went to all 73. By April 15, another 147 events were in — bringing the total to 528 of 600 (88%). The second reminder went out that morning with 28 managers CC'd on their direct reports' outstanding items. By April 21 — one day before deadline — the tracker showed 586 of 600 complete (97.7%). Nine employees were on parental leave or had been flagged for mid-cycle exceptions; they were excluded from the overdue count. Five events across three employees remained open; you pulled their names from the dashboard, called their managers directly, and closed four of the five that afternoon. The final audit export — employee name, policy slug, version number, confirmed timestamp — was written back to Notion automatically. Total active HR time spent: roughly four hours across three weeks, versus the eight to twelve hours this cycle took last year when it lived in a Google Sheet and a Slack channel.

Measurement

How you'll know it's working

Attestation completion rate by department and by policy (target: 95%+ before deadline)

Average number of reminders required per employee to complete (benchmark against prior cycle)

Days from first send to 90% completion (measures whether your reminder cadence is calibrated correctly)

Exception rate — employees who needed a manual HR touchpoint to complete (tracks where the automated flow breaks down)

Audit-ready artifact turnaround — time from deadline to exportable completion record

Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

DocuSign + Google Sheets

DocuSign handles signature collection but has no awareness of your Paylocity roster, so you're manually maintaining the employee list, tracking completion in a spreadsheet, and writing reminder emails yourself — the coordination work is entirely on you.

Lattice or 15Five compliance modules

If you're already in Lattice for performance reviews, their attestation features are convenient, but they're scoped to what Lattice knows — they don't pull from Paylocity in real time or let you customize escalation logic without a higher-tier plan.

Rippling Policy Management

Solid if your entire HR stack is Rippling, but if you're on Paylocity or ADP for payroll and Rippling only partially, you'll have roster sync gaps and you still can't build a custom completion dashboard without exporting to a spreadsheet.

Dedicated compliance platforms (Drata, Vanta, Tugboat Logic)

Built for SOC 2 and continuous compliance monitoring, not for a 150-person team running an annual HR attestation cycle — significant setup cost and annual contract for a workflow you need three weeks a year.

On Starch RECOMMENDED

One platform — knowledge management, email agent, task manager all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →

FAQ

Frequently asked questions

We use Paylocity. Does Starch actually know which employees are active, or do I have to upload a roster manually?

Starch syncs your Paylocity data on a schedule — employees, org units, and department assignments refresh automatically. You don't upload a roster; the tracker's denominator updates on its own as people join or leave during the attestation window.

What if employees are supposed to attest through a separate compliance portal, not just reply to an email?

If your compliance portal has a web interface, Starch can automate it through your browser — no API needed. It can check who has completed the form, pull the status back into your tracker, and flag who still needs to go through. The browser automation runs independently for each employee record so one failure doesn't stall the whole batch.

Is Starch SOC 2 certified? We'll need to answer questions about the tools we use for compliance workflows.

Not yet — Starch is not currently SOC 2 Type II certified. That's worth knowing if your legal or security team reviews vendor certifications. The honest answer is that Starch is a good fit for running the coordination layer of an attestation cycle; the signed documents and final records should live in your HRIS or a document management system that meets your audit requirements.

We have four policies and some employees only need to attest to two of them based on their role. Can the tracker handle that?

Yes. When you describe the app to Starch, you can specify the logic — 'Employees in engineering roles attest to the AI Use Policy and Data Handling Policy; all employees attest to the Code of Conduct and Acceptable Use Policy.' Starch builds the conditional logic into the tracker so each employee only sees the policies relevant to their department or role as pulled from Paylocity.

Can Starch send the reminder emails from my actual work email address, not a generic noreply?

Yes, if you connect your Gmail account (Starch syncs Gmail on a schedule with read and send access). Emails go out from your address. One thing to know: Gmail's OAuth consent screen currently shows the underlying connector's name during the authorization step — Starch's own verified client is on the roadmap but not live yet. The emails themselves come from your address normally once connected.

What happens to next year's attestation cycle — do I have to rebuild everything?

No. The app you build this year is yours to reuse. You update the policy documents in Notion or re-upload new versions, adjust the attestation window dates, and run it again. The Paylocity roster sync means you don't touch the employee list — it reflects whoever is active at the time you kick off the next cycle.