What you can do
- Create campaigns — Select policies and recipients, set a due date
- Send for signature — Employees receive personalized emails with a link to sign
- Track completion — Monitor who has opened, signed, and who’s pending or overdue
- Tie to policy versions — Each campaign is linked to specific policy versions; if a policy changes, create a new campaign for re-acknowledgment
- Generate audit evidence — Completion reports prove your workforce understood and agreed to your policies
How to send a policy campaign
Select policies to include
Check the boxes for the policies (or specific policy versions) you want to send. Common picks: Information Security Policy, Acceptable Use Policy, Incident Response Policy, Data Privacy Policy.
Choose recipients
Select employees from your directory or upload a list. You can target specific departments or roles.
Set a due date
Pick the date by which you need all acknowledgments — typically 2-4 weeks from the send date.
Campaign status lifecycle
| Status | Meaning |
|---|---|
| Draft | Campaign is being prepared but not yet sent |
| Scheduled | Queued to send at a future date |
| Sending | Currently dispatching emails |
| Sent | All emails delivered; awaiting sign-offs |
| Completed | All recipients signed (or campaign due date passed) |
| Cancelled | Abandoned before sending; links invalidated |
Recipient flow
Each recipient gets an email with a unique, secure link. When they click:
- View policies — they read each policy included in the campaign
- Confirm understanding — a checkbox or button confirms they’ve read and understand
- Sign — they electronically sign and submit
- Confirmation — they see a confirmation page with timestamp and receipt
Linking acknowledgments to policy versions
Each campaign is tied to the specific policy version current when you sent it. If you update the policy later, the old acknowledgments remain tied to the old version — showing auditors that sign-offs were collected for the language in effect at that time. To get new acknowledgments after a policy change:
- Publish the updated policy version
- Create a new campaign with the new version
- Send to the same (or different) recipients
Exporting acknowledgment reports
Store the evidence
The report includes recipient names, emails, sent date, opened date, signed date, and policy versions. Store in Evidence Collection for auditors.
Best practices
- Plan ahead — send campaigns 4-6 weeks before the audit so you have time to follow up on stragglers
- Set realistic due dates — give employees 2-4 weeks; many will procrastinate
- Send reminders — when the due date is a week away, ping unsigned recipients
- Document non-compliance — if someone refuses to sign, escalate and document the exception
- Archive evidence — after the campaign closes, export and store
Frequently asked questions
Can I send a campaign to just part of my organization?
Yes. Filter recipients by department, location, role, or upload a custom list — useful for targeted policy updates.
What happens if someone doesn't sign before the due date?
Their status shows Pending or Overdue. Send a reminder email. If they still don’t sign, document the exception and escalate.
Can I edit a policy while a campaign is active?
You can update the policy content, but the campaign remains tied to the version it was sent with. Existing sign-offs are locked to that version. New campaigns will use the new version.
Is click-to-sign sufficient for compliance?
Yes for most frameworks (SOC 2, ISO 27001, HIPAA). If you need advanced e-signatures, you can integrate DocuSign or similar.
How long should I keep acknowledgment records?
Typically 6 years. Store in your secure archive and reference during audits.