How to run an annual policy attestation cycle as a Small Legal and Compliance Team

Compliance & Legal | For Small Legal and Compliance Teams | 3 apps | 12 steps | ~24 min to set up

Your two-person legal team is the gatekeeper for your company's annual policy attestation cycle — and right now that means a spreadsheet in Notion that was last touched in Q3, a Gmail thread where you're chasing 140 employees to sign an acknowledgment PDF, and a Vanta or Drata dashboard that tells you which policies are overdue but doesn't actually send the reminders or track the responses. Every year you spend two to three weeks on a process that should take two days: exporting a roster from HR, drafting the email, chasing the 40% who don't respond, logging completions, and producing an evidence export your auditor will accept. You do this while also reviewing the MSA sales wants signed by Thursday.

Outcome

What you'll set up

A policy attestation tracker that shows, in real time, which employees have attested, which are overdue, and which policies still have open gaps — built on top of your existing HR system and Gmail or Outlook
Automated follow-up emails that go out on a schedule to non-responders, drafted in your voice and sent from your existing inbox, with no manual chasing required
An audit-ready evidence log — timestamped completions, employee names, policy versions — that you can export as a clean report when your SOC 2 auditor or a regulator asks
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your ADP employee roster on a schedule so the attestation tracker always reflects current headcount — new hires get added, departed employees are removed before you send. Starch syncs your Gmail or Outlook data on a schedule to track reply status and power the follow-up automation. Notion (connected from Starch's integration catalog; the agent queries it live) stores policy versions and serves as the source of truth for which policies are in scope this cycle. For any attestation portal or HR intranet that doesn't have a direct API, Starch automates it through your browser — no API needed.

Prompts to copy
Build me a policy attestation tracker. Connect to our ADP employee roster so I have a current list of everyone who needs to attest. For each policy — Code of Conduct, Data Protection, Acceptable Use, Conflicts of Interest — track whether each employee has completed attestation, the date they completed it, and the policy version they signed. Show me a dashboard view sorted by overdue first.
Create an automated follow-up sequence: on day 1 of the attestation window, send every employee an email with the attestation link and a one-sentence summary of what they're signing. On day 7, send a reminder to anyone who hasn't completed. On day 14, Slack me a list of the remaining non-responders so I can escalate to their managers.
When an employee clicks the attestation link and confirms, log their name, employee ID, timestamp, and policy version to the tracker and mark them complete. At the end of the cycle, generate a completion report I can send to our auditor — total headcount, completion rate by policy, list of any exceptions with notes.
Walkthrough

Step-by-step

1. Connect ADP in Starch (scheduled sync). Starch pulls your full employee roster — names, email addresses, department, hire date — and refreshes it on a schedule so you're not starting with a stale export.
2. Connect Gmail or Outlook in Starch (scheduled sync). This is how Starch tracks who has replied, who has bounced, and what follow-up has already gone out — without you manually checking your sent folder.
3. Connect Notion from Starch's integration catalog. Your Notion policy database becomes the source of truth: policy name, current version number, effective date, and whether attestation is required this cycle.
4. Tell Starch to build the attestation tracker: 'Build me a table with one row per employee per policy in scope. Columns: employee name, department, policy name, policy version, date email sent, date completed, status (Pending / Complete / Overdue / Exception).'
5. Tell Starch to generate the initial outreach: 'Draft an attestation email for each policy. Subject line should include the policy name and the deadline. Body should be two sentences max — what they're confirming and where to go. Send from my Gmail account.'
6. Launch the cycle. Starch sends wave one to all employees in scope and logs the send timestamp in the tracker. You review a sample of the emails before they go out.
7. Starch monitors for completions. As employees attest (via your existing link or portal), Starch updates the tracker — either by watching for replies, reading a form-submission webhook, or automating the attestation portal through your browser if it has no API.
8. On day 7, Starch sends the automated reminder to everyone still showing Pending. The reminder references the original deadline and links directly to the attestation step — no new email thread, just a reply to the original.
9. On day 14, Starch sends you a Slack message: 'These 12 employees have not attested to the Code of Conduct. Their managers are listed. Do you want me to draft escalation emails to each manager?' You approve and it sends.
10. For any exceptions — an employee on leave, a contractor not in scope, someone who attested offline — you add a note in the tracker and Starch marks them as Exception so they don't show up as open gaps in the final report.
11. At the close of the window, tell Starch: 'Generate my attestation completion report. Include total employees in scope, completion rate by policy, list of exceptions with notes, and a timestamp for each completion. Format it as a PDF-ready table.' Export and attach to your audit evidence folder.
12. Archive the cycle in Notion — policy versions, completion report, and any exception documentation — so next year's cycle starts with a clean prior-year record rather than a blank spreadsheet.

Worked example

April 2026 Annual Attestation Cycle — 148-person company, 4 policies

Sample numbers from a real run
Employees in scope: 148
Policies requiring attestation: 4
Total attestation tasks (148 × 4): 592
Wave 1 completions (day 1–6): 381
Wave 2 completions after day-7 reminder: 163
Manager escalations sent (day 14): 11
Final exceptions logged (leave / contractor): 4
Completion rate at cycle close: 97%

On April 1st you tell Starch: 'Pull our current ADP roster — 148 employees — and cross it against the four policies in Notion that are due this cycle: Code of Conduct v2.3, Data Protection Policy v1.8, Acceptable Use Policy v3.1, and Conflicts of Interest Policy v2.0. Create one attestation task per employee per policy and send the initial email today.' By April 6th, 381 of 592 tasks are marked complete — a 64% first-wave response rate, which is actually decent for your company. On April 7th Starch sends reminders to the 211 still-pending employees without you lifting a finger. Another 163 complete over the next week. By April 14th you have 48 tasks still open across 12 employees. Starch sends you a Slack message with the list; you approve the manager escalation emails and Starch sends them. Four employees — two on parental leave and two contractors who were out of scope — get logged as exceptions with notes. Final completion rate: 97% of in-scope employees across all four policies, with a timestamped evidence log ready to hand to your SOC 2 auditor. The whole cycle took you about four hours of active work over two weeks instead of the usual three weeks of inbox archaeology.

Measurement

How you'll know it's working

Attestation completion rate by policy at cycle close (target: 95%+ in-scope employees)
Days to first 80% completion (measures how well the initial outreach and reminder timing is calibrated)
Number of manual follow-up actions required from legal (the lower, the better — automation should handle chasing)
Audit-ready evidence package turnaround time (how many hours from cycle close to report delivered)
Exception rate and exception resolution time (employees flagged as out-of-scope or on leave, resolved without leaving open gaps)
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Vanta or Drata (built-in policy tracking)
Vanta and Drata tell you which policies are overdue and can send basic email reminders, but they don't let you build a custom tracker on top of your ADP roster, customize the follow-up logic, or generate a formatted audit report — you still do that manually.
Ironclad or OneTrust
Purpose-built for policy management and attestation workflows at scale, but they cost six figures, require a dedicated legal-ops admin to configure, and take months to implement — overkill for a 150-person company with a two-person legal team.
Google Sheets + Gmail manual process
Free and familiar, but you're the automation — you export the roster, paste it into the sheet, write the emails, track replies by hand, and rebuild the report every year from scratch with no audit trail.
Rippling or Gusto built-in acknowledgment flows
If your HR platform has a built-in attestation module it handles collection cleanly, but it doesn't connect to your Notion policy tracker, your Gmail audit trail, or your auditor's evidence format — you still do the reconciliation step yourself.
On Starch (recommended)

One platform — task manager, email agent, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Can Starch actually send emails on my behalf, or does it just draft them for me to send?
Starch syncs your Gmail or Outlook on a schedule and can send outbound emails from your inbox as part of an automation — so yes, it can send the wave-one attestation email and the day-7 reminder without you clicking send each time. You review the drafts and approve the automation before it runs; after that it's hands-off. The Gmail OAuth consent screen currently shows the underlying connector's name rather than 'Starch' — that's a known cosmetic issue and will be fixed, but it doesn't affect functionality.
Our company uses Rippling instead of ADP. Can Starch pull the employee roster from there?
Rippling is reachable from Starch's integration catalog, so the agent can query it live when building or refreshing the attestation tracker. It won't sync on a schedule the way ADP does, but for a once-a-year attestation cycle where you kick off the roster pull at the start of the window, a live query is usually fine. If you need a scheduled daily refresh of headcount during the cycle, you can also export the Rippling roster to a Google Sheet and connect that instead.
What if our attestation is done through a third-party portal (like our compliance vendor's hosted form) rather than a link we control?
If the portal has an API, Starch can query it from the integration catalog. If it doesn't, Starch can automate the portal through your browser — no API needed. For example, if completions show up in a web dashboard that you normally log into manually to check, Starch can navigate that dashboard on a schedule, read the completion status for each employee, and update the tracker automatically.
Is Starch SOC 2 certified? We have to think about what we're connecting sensitive HR data to.
Starch is not SOC 2 Type II certified today — that's worth knowing before you connect ADP or pull employee PII into a workflow. If your internal data handling policy requires SOC 2 for any tool that touches employee data, that's a real constraint. Starch's honest position is: we're a small AI platform built for operator founders, certification is on the roadmap, and you should make that call with eyes open.
Can the same setup track multi-policy attestation — like, different employees attest to different policies depending on their role?
Yes. When you build the tracker, you can tell Starch: 'Only employees in Engineering and Product need to attest to the Acceptable Use Policy. All employees attest to the Code of Conduct. Only people-managers attest to the Conflicts of Interest Policy.' Starch builds the matrix from your ADP roster and department data, so you get a tracker with the right tasks per person rather than a blanket send to everyone for everything.
What happens if we need this to work with DocuSign for actual e-signatures rather than just email acknowledgments?
DocuSign is reachable from Starch's integration catalog — the agent can query it live. You can build a workflow where Starch triggers a DocuSign envelope per employee for each policy, monitors for completion status via the DocuSign API, and updates the attestation tracker when envelopes are signed. That's a more formal attestation record and auditors generally prefer it. Describe what you want and Starch builds the surface on top of your existing DocuSign account.

Ready to run an annual policy attestation cycle on Starch?

Request closed-beta access. Everything is free during beta.
