Policies are the documented rules and procedures your organization follows to meet compliance requirements. Regentra provides a full policy management system — from drafting with templates to collecting signed acknowledgments from every employee.

Creating Policies from Templates

Regentra includes a library of pre-built policy templates tailored to each compliance framework. Templates cover common policies like:
  • Acceptable Use Policy
  • Access Control Policy
  • Incident Response Plan
  • Data Classification Policy
  • Business Continuity Plan
  • Password Management Policy

1. Navigate to Policies
   Open the Compliance module and click Policies in the sidebar.
2. Click New Policy
   Select New Policy and choose whether to start from a template or from scratch.
3. Select a template
   Browse templates by framework or category. Each template includes boilerplate language adapted to the framework’s requirements.
4. Customize the content
   Edit the template to match your organization’s specific environment, terminology, and procedures.

Templates are starting points, not final products. Always customize policy language to reflect how your organization actually operates. Auditors look for policies that match reality, not generic boilerplate.

Policy Editor

The policy editor supports both rich text and Markdown formatting. You can:
  • Structure content with headings, lists, and tables
  • Embed links to external resources or internal procedures
  • Add inline notes and callouts for reviewers
  • Preview the final formatted document before publishing

Policy Lifecycle

Every policy moves through a defined lifecycle:
| Status | Description |
| --- | --- |
| Draft | Initial creation and editing. Only visible to compliance team members. |
| In Review | Submitted for review by designated approvers. Comments and revision requests happen here. |
| Approved | Reviewed and approved by an authorized approver. Ready to be made active. |
| Active | Live and visible to the organization. Can be attached to controls and included in signature campaigns. This is the operational state — auditors see it as the published policy. |
| Archived | Superseded by a newer version or retired. Kept for audit history but no longer in force. |
| Expired | Past its review date and not yet reviewed/re-approved. Acts as a flag that the policy is overdue for review. |

Moving a policy backward in the lifecycle (e.g., from Approved back to Draft) is allowed. This is useful when an active policy needs significant revisions.

Separation of duties — author cannot self-approve

Regentra enforces a separation-of-duties (SoD) rule on policy approval: the person who last edited a version’s content cannot approve that same version. The system tracks lastContentAuthorId per version and blocks the Approve action if the requesting user matches. This is a hard server-side check — not a UI suggestion — and matches the SOC 2 / ISO 27001 / HIPAA expectation that author and approver are different individuals.
| Scenario | Behavior |
| --- | --- |
| Author submits the policy for review, a different approver approves | Approval succeeds |
| Author submits, then approves their own version | Blocked with “You cannot approve your own edits — another approver must review” |
| Author edits, a second person edits, second person approves | Blocked — the second person is now the lastContentAuthorId |
| Same person edits in Draft, makes no further edits in Review, then approves | Blocked — they are the last content author |

To unblock, either (a) a different approver reviews and approves the existing version, or (b) the original author hands the draft to a co-author who makes a substantive edit and submits, after which the original author may approve.
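
The rule and the scenarios in the table above, as a minimal in-memory model. This is an added example, not Regentra's code: apart from lastContentAuthorId and the status names, every class, method and user name is an assumption, as is treating only a content-changing edit as one that moves the last content author.

```javascript
// Added illustration, not Regentra code. Only lastContentAuthorId and the status
// names come from the page; class, method and user names are hypothetical.
class SodError extends Error {}
class PolicyVersion {
  constructor(authorId, content) {
    this.status = "Draft";
    this.content = content;
    this.lastContentAuthorId = authorId;
  }
  // Assumption: only an edit that changes the content moves lastContentAuthorId.
  edit(userId, content) {
    if (!["Draft", "In Review"].includes(this.status)) throw new Error("version is locked");
    if (content === this.content) return;
    this.content = content;
    this.lastContentAuthorId = userId;
  }
  submitForReview() {
    if (this.status !== "Draft") throw new Error("only a Draft can be submitted");
    this.status = "In Review";
  }
  // requestingUserId must come from the authenticated session, never the request body.
  approve(requestingUserId, approverIds) {
    if (this.status !== "In Review") throw new Error("version is not In Review");
    if (!approverIds.has(requestingUserId)) throw new Error("not an authorized approver");
    if (requestingUserId === this.lastContentAuthorId) {
      throw new SodError("approver is the last content author of this version");
    }
    this.status = "Approved";
  }
}

// Replays a constructed sequence of editors, then one approval attempt.
function scenario(editors, approver) {
  const approvers = new Set(["alice", "bob"]); // constructed user ids
  const v = new PolicyVersion(editors[0], "text by " + editors[0]);
  for (const user of editors.slice(1)) v.edit(user, "text by " + user);
  v.submitForReview();
  try {
    v.approve(approver, approvers);
    return "Approved";
  } catch (e) {
    if (e instanceof SodError) return "Blocked";
    throw e;
  }
}
console.log(scenario(["alice"], "bob"));          // different approver
console.log(scenario(["alice"], "alice"));        // self-approval
console.log(scenario(["alice", "bob"], "bob"));   // second editor approves
console.log(scenario(["alice", "bob"], "alice")); // unblock path (b)
```

The comparison uses the identity the server authenticated, which is what makes the check hold even when a client calls the approval endpoint directly.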

Per-requirement applicability badges

Compliance programs vary by organization type — a non-clearinghouse covered entity does not need to satisfy §164.308(a)(4)(ii)(A), and an org that doesn’t operate in the EU has no GDPR Article 27 representative obligations. Regentra surfaces this on each framework requirement directly. On any framework detail page (Compliance → Frameworks → [framework]), requirements that apply only to specific organizational roles render with an applicability badge — for example clearinghouse only or controller only. Hover the badge for the long-form explanation. If the role does not match your org, mark the corresponding control N/A with a one-line justification.
The badges are a heads-up, not an auto-N/A. Auditors generally accept an N/A on a flagged requirement as long as the justification names the role mismatch — “we are not a clearinghouse” is sufficient.

Version History

Regentra maintains a complete version history for every policy. Each time a policy is updated and re-published, a new version is created.
  • View previous versions and compare changes
  • Track who made edits and when
  • Auditors can see the full history of policy evolution
  • Previous versions remain accessible even after new versions are published

Signature Campaigns

Signature campaigns let you send policies to employees for formal acknowledgment.

1. Create a campaign
   From the policy detail page, click Create Campaign. Select the policy and choose your target audience — all employees, a specific department, or individual users.
2. Configure the campaign
   Set a deadline for signatures and customize the notification message. You can require employees to confirm they have read the full document.
3. Launch the campaign
   Click Send. Each recipient gets a notification (email and in-app) with a link to review and sign the policy.
4. Track completion
   Monitor the campaign dashboard to see who has signed, who has not, and overall completion percentage.

Campaign Tracking and Reminders

The campaign dashboard shows real-time completion status:
  • Signed — employees who have reviewed and acknowledged the policy
  • Pending — employees who have not yet responded
  • Overdue — employees who have missed the deadline
You can send manual reminders to pending employees or configure automatic reminders at intervals you define (e.g., 3 days before deadline, 1 day after deadline).
Completed signature records are stored as compliance evidence and can be attached to relevant controls. This creates a direct audit trail from framework requirement to policy to employee acknowledgment.