How to run an annual policy attestation cycle as a small IT or ITOps team

Compliance & Legal | For Small IT and ITOps Teams | 3 apps | 11 steps | ~22 min to set up

Annual policy attestation sounds simple: send a form, collect a signature, close the ticket. In practice, you're a 2-person IT team chasing 300 employees across Slack, email, and Jira, manually tracking who's acknowledged the Acceptable Use Policy and who hasn't opened it since you sent it in February. You built a Google Sheet to track completion rates. It's already wrong. HR is asking for a compliance report by Friday. You don't have one. The process is manual, the reminders are manual, the escalation to managers is manual, and next year you'll do the whole thing again from scratch.

Outcome

What you'll set up

An automated attestation tracker that knows — in real time — which of your 300 employees have signed each policy and which are overdue, pulling from Gmail and your HR system
A reminder and escalation workflow that fires automatically: first reminder at day 7, manager CC at day 14, IT alert at day 21 — with no manual follow-up from you
A compliance summary report you can drop into a Notion page or Slack channel for your security lead, showing completion rate by department and outstanding names
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Connect Gmail (Starch syncs your Gmail data on a schedule — messages and labels) to send and track attestation emails. Connect Google Workspace user directory and Jira from Starch's integration catalog — the agent queries them live when the automation runs. Connect Slack from Starch's integration catalog for the weekly digest. If your HR system is Rippling, Gusto, BambooHR, or similar, connect it from Starch's integration catalog; the agent queries it live to pull the employee-manager org chart.

Prompts to copy
Build me a policy attestation tracker. Pull the employee list from our Google Workspace directory via browser automation. For each employee, track which policies they've acknowledged (AUP, Data Handling, Remote Work) and the date they signed. Show me a table sorted by department with a completion percentage per policy.
Create an automation that emails each unattested employee a reminder every 7 days, CCs their manager if they haven't responded after 14 days, and creates a Jira ticket assigned to me if they hit 21 days with no response. Pull the employee-manager mapping from our HR data.
Every Friday at 9am, post a summary to our #it-ops Slack channel showing: total attestation rate, breakdown by department, and a list of employees who are 14+ days overdue.
Walkthrough

Step-by-step

1. Connect Gmail — Starch syncs your Gmail data on a schedule and can both read existing attestation threads and send new ones on your behalf.
2. Pull your employee roster. If you're on Google Workspace or Okta, connect them from Starch's integration catalog; the agent queries the directory live each time the workflow runs to catch new hires and offboarded accounts.
3. Tell Starch which policies need to be attested this cycle (e.g., Acceptable Use Policy v2.1, Data Handling Policy, Remote Work Policy) and paste in the policy document links or upload the PDFs to Notion — Starch connects to Notion from its integration catalog.
4. Starch builds your attestation tracker: a live table of all 300 employees × 3 policies, with status (not sent, sent, acknowledged, overdue) and the timestamp of each action.
5. Starch sends the initial attestation email to each employee with a one-click acknowledge link or a reply-to-confirm instruction, tracked back to Gmail threads.
6. Set the reminder schedule: day 7 sends a follow-up email to the employee; day 14 adds the employee's manager to the thread; day 21 creates a Jira ticket assigned to your IT queue with the employee's name and days overdue.
7. Connect Jira from Starch's integration catalog so escalation tickets land directly in your existing IT service desk — no separate system.
8. The attestation tracker updates automatically as Gmail threads close. Starch marks each employee acknowledged when they reply or click confirm.
9. Every Friday, an automated Slack message (via Starch's integration catalog connection to Slack) posts your current completion rate, a department breakdown, and the overdue list to #it-ops.
10. When the cycle closes, Starch generates a compliance summary report: total completion rate, dates of completion per employee, and any unresolved escalations. Export it to a Notion page or as a CSV for your security audit trail.
11. Next year, you clone the automation, update the policy document links and the target date, and run it again — no rebuild required.
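
The escalation schedule from step 6 and the department breakdown from step 9, sketched as an added example that is not Starch's code or output. The record fields, action names and sample employees are hypothetical, and counting a documented exception as closed is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Escalation tiers from step 6: (days since initial send, action name).
TIERS = [(7, "remind_employee"), (14, "cc_manager"), (21, "open_jira_ticket")]

@dataclass
class Attestation:
    employee: str
    department: str
    policy: str
    sent: date
    acknowledged: Optional[date] = None
    exception: Optional[str] = None  # documented exception, e.g. leave
    done: set = field(default_factory=set)  # tier actions already fired

def due_actions(rec, today):
    """Tier actions that are due and not yet fired, so daily re-runs are safe."""
    if rec.acknowledged or rec.exception:
        return []
    age = (today - rec.sent).days
    return [name for days, name in TIERS if age >= days and name not in rec.done]

def run_cycle(records, today):
    """Fire each due action once; return an audit log of (employee, policy, action)."""
    log = []
    for rec in records:
        for action in due_actions(rec, today):
            rec.done.add(action)
            log.append((rec.employee, rec.policy, action))
    return log

def completion_by_department(records):
    """Percent of attestations acknowledged or excepted (assumption), per department."""
    total, closed = defaultdict(int), defaultdict(int)
    for rec in records:
        total[rec.department] += 1
        closed[rec.department] += bool(rec.acknowledged or rec.exception)
    return {d: round(100 * closed[d] / total[d], 1) for d in total}

# Constructed sample records (hypothetical names, not the page's run data).
RECORDS = [
    Attestation("ana", "Eng", "AUP", date(2026, 4, 1), acknowledged=date(2026, 4, 3)),
    Attestation("ben", "Eng", "AUP", date(2026, 4, 1)),
    Attestation("cy", "Sales", "AUP", date(2026, 4, 1), exception="on leave"),
    Attestation("dee", "Sales", "AUP", date(2026, 4, 1)),
]
```

Recording which tier actions have already fired is what keeps a daily scheduler from re-sending the manager CC every day after day 14; if a run is missed, the next run catches up on every tier that has come due.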

Worked example

April 2026 Annual Policy Attestation — 300 employees, 3 policies

Sample numbers from a real run
Employees targeted: 300
Policies per employee: 3
Total attestations required: 900
Completed by day 7 (no reminder needed): 612
Completed after day-7 reminder: 198
Escalated to manager at day 14: 63
Jira tickets opened at day 21: 18
Final unresolved at cycle close: 4

You kick off the April 2026 cycle on April 1st. Starch pulls 300 employees from your Google Workspace directory via the integration catalog and sends attestation emails for the AUP, Data Handling Policy, and Remote Work Policy. By April 8th, 612 of 900 attestations are done — 68% without any manual action. On April 8th, Starch automatically sends day-7 reminders to 96 employees with at least one outstanding policy. 198 more attestations close in the next week. On April 15th, 63 emails go out with manager CC for employees still unresponsive. By April 22nd, 18 Jira tickets land in your IT queue — each one pre-populated with employee name, department, manager, and the specific policy they haven't signed. You work those 18 directly. Four employees are on leave and get a documented exception. When your security lead asks for the compliance report on April 25th, Starch has already posted it to the Notion page you pinned in #security: 298/300 employees attested, 4 documented exceptions, zero manual spreadsheets.

Measurement

How you'll know it's working

Attestation completion rate by policy and by department (target: 100% or documented exception for every seat)
Days to 90% completion — the lower this number, the less time you spend chasing
Number of escalations reaching day-14 manager CC (a leading indicator of policy communication gaps)
IT hours spent on attestation cycle vs. prior year (your baseline is probably 8–12 hours of manual chasing)
Audit trail completeness: every employee has a timestamped record of acknowledgment or an exception note before the cycle closes
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Forms + Sheets + manual Gmail
You can track who submitted the form, but reminders, escalations, and the compliance report are all manual — this is what you're already doing and it takes 8–12 hours of your time each cycle.
Drata or Vanta (compliance platforms)
Purpose-built for SOC 2 evidence collection including policy attestation, but start at $1,000+/month, require significant setup time, and are overkill if policy attestation is your only compliance workflow right now.
Workday or Rippling (if you're already on them)
Some HR platforms include policy acknowledgment modules, but they're locked to employees in that system and don't generate the cross-system escalation workflow (email → Jira → Slack) that covers the gaps in your current IT stack.
Typeform + Zapier
Gets you a nicer collection form and basic automation, but you'll hit Zapier's step limits on a 300-person multi-policy cycle and still end up maintaining a Google Sheet tracker manually.
On Starch (recommended)

One platform — founder inbox, knowledge management, task manager all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Can Starch actually send emails on behalf of my IT team's Gmail account, not just read the inbox?
Yes. Starch syncs your Gmail data on a schedule with read and send permissions. It can originate attestation emails from your connected Gmail account. One note: the Gmail OAuth consent screen currently shows the underlying connector's name rather than 'Starch' — a verified Starch client is on the roadmap. Your employees will still get the email; it just won't say 'Starch' in the authorization flow.
We use Okta for identity. Can Starch pull the employee list from there instead of Google Workspace?
Yes. Okta is reachable from Starch's integration catalog — connect it and the agent queries your user directory live each time the workflow runs. This also means new hires provisioned in Okta after the cycle starts get picked up automatically on the next run, and deprovisioned accounts are excluded.
What if we use a tool like BambooHR or Rippling for the employee-manager org chart?
Both are in Starch's integration catalog. Connect your HR tool and tell Starch to pull the manager mapping from there when it needs to CC someone. If your HR system isn't in the catalog but has a web interface, Starch can automate it through your browser — no API required.
Is the attestation data stored in Starch long-term for audit purposes?
Starch is designed for live data surfaces, not a long-horizon data warehouse. Attestation records are tracked in your Starch app during the cycle. For your permanent audit trail, you should export the completion report to Notion (where it persists in your knowledge base) or to a CSV at cycle close. Starch is honest about this: it's not a compliance evidence archive, it's the workflow that gets you to a clean record you store elsewhere.
Our security audit requires a signed PDF, not just an email reply. Can Starch handle that?
Email-reply acknowledgment is what Starch orchestrates natively. If you need a signed PDF (e.g., via DocuSign or HelloSign), Starch can automate those platforms through your browser — no API needed — or connect them if they're in the catalog. Tell Starch: 'For each employee, open a DocuSign envelope for the AUP and track completion back to the tracker.' It'll build that flow.
Is Starch SOC 2 certified? We might get asked this by our auditor.
Not yet. Starch is not SOC 2 Type II certified today. If your auditor requires SOC 2 on every tool touching employee data, that's worth knowing upfront. The honest answer: Starch is the right fit if you need a working attestation workflow now and your security posture doesn't yet require SOC 2 on every internal ops tool.
We do this once a year. Is it worth setting this up versus just doing it manually?
If your current cycle takes 8–12 hours of manual chasing across Gmail, a spreadsheet, and Slack — and you're a 2-person team — the setup pays back in the first run. The second run costs almost nothing: update the policy links, set a new target date, trigger the cycle. The Jira escalations and Slack digest keep running without you touching them.
