
POLICY AUTHORING + ATTESTATION

How PolicyDesk works

Internal policy authoring with AI-assisted drafting, multi-stage review, employee attestation, version history, substantive-change detection, and audit-evidence packets — for compliance, HR, legal, and security.

What it solves

Compliance teams write policies in docs, send them by email, chase attestations in spreadsheets, and pray the audit asks for last year's version — not the one being rewritten right now. When the auditor shows up, no one can prove who attested to what version on what date.

PolicyDesk centralizes AI-assisted authoring, multi-stage review, employee attestation, version history, expiry reminders, and substantive-change detection in one workflow. Every policy change tracks whether re-attestation is required; every attestation produces audit evidence.

Why this is hard: Substantive changes mean re-attestation (cosmetic edits don't), regulated policies need legal + security sign-off, audiences shift constantly (new hires, role changes, country expansion), and the audit will ask for evidence of every step.

Who uses it

Policy author
Drafts, edits, summarizes, and updates policies with AI assist.
First action: Open Policies → My drafts
Reviewer
Performs SME, legal, HR, security, or compliance review.
First action: Open Reviews → My queue
Executive approver
Grants final approval before publication.
First action: Open Reviews → Executive queue
Employee
Reads and attests to assigned policies.
First action: Open Attestations → My inbox
Compliance officer
Tracks attestation coverage, overdue attestations, policy expiry, and audit packets.
First action: Open Compliance dashboard
HR / People Ops
Assigns policy audiences by team, location, or country.
First action: Open Admin → Audiences
Auditor
Read-only access to policies, versions, attestations, and evidence exports.
First action: Open Audit trail
Admin
Override-everywhere demo persona for screenshots and walkthroughs.
First action: Open Admin

Workflow at a glance

Happy path

Policy author drafts a policy (with AI-suggested summary and change-impact analysis). Required reviewers approve in sequence. Executive grants final approval. The policy publishes; the assigned audience (rule-driven) receives an attestation task. Compliance dashboard tracks coverage in real time.

Exception path

Author updates a published policy. AI flags the change as substantive (e.g., the data-retention period changed from 30 to 90 days). All previously-attested employees are reset to "Pending"; previous attestations are marked "Superseded" but preserved in history.
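The reset described above can be sketched as a pure function over the attestation roster. This is an added example, not PolicyDesk's own code: the type and function names are hypothetical, the sample rows are constructed, and treating "major" like "substantive" is an assumption.

```typescript
// Added illustration; names are hypothetical, status labels follow the page.
type ChangeImpact = "cosmetic" | "substantive" | "major";
type Status = "Attested" | "Pending" | "Superseded";
interface Attestation {
  employeeId: string; versionId: string; status: Status; attestedAt: string | null;
}

// Returns a new roster. Input rows are never mutated or dropped, so the record
// of who attested to which version on what date survives the change.
// Assumption: "major" triggers re-attestation the same way "substantive" does.
function applyVersionChange(rows: Attestation[], prevId: string, nextId: string,
                            impact: ChangeImpact): Attestation[] {
  if (impact === "cosmetic") return rows.map(r => ({ ...r })); // nothing invalidated
  const out: Attestation[] = [];
  for (const r of rows) {
    if (r.versionId === prevId && r.status === "Attested") {
      out.push({ ...r, status: "Superseded" }); // keeps original timestamp and version
      out.push({ employeeId: r.employeeId, versionId: nextId,
                 status: "Pending", attestedAt: null });
    } else {
      out.push({ ...r });
    }
  }
  return out;
}

// Coverage for one version: attested rows over all live rows assigned to it.
function coverage(rows: Attestation[], versionId: string): number {
  const live = rows.filter(r => r.versionId === versionId && r.status !== "Superseded");
  if (live.length === 0) return 0;
  return live.filter(r => r.status === "Attested").length / live.length;
}

// Constructed sample: two employees attested to v1, then a substantive edit.
function demoRetentionChange(): { before: number; after: number; roster: Attestation[] } {
  const roster: Attestation[] = [
    { employeeId: "e1", versionId: "v1", status: "Attested", attestedAt: "2024-02-01T10:00:00Z" },
    { employeeId: "e2", versionId: "v1", status: "Attested", attestedAt: "2024-02-03T15:30:00Z" },
  ];
  const next = applyVersionChange(roster, "v1", "v2", "substantive");
  return { before: coverage(roster, "v1"), after: coverage(next, "v2"), roster: next };
}
```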

Approval path

Policies in restricted categories cannot move to executive approval without explicit legal and security sign-off. Attempting to publish without those reviews is blocked at the action layer and logged as an audit event.
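A minimal sketch of such an action-layer gate follows. It is an added example, not PolicyDesk's own code: the type and function names are hypothetical (loosely following the entity names in the data model), the sample decisions are constructed, and binding each sign-off to the exact version under review is an assumption.

```typescript
// Added illustration; names are hypothetical and sample data is constructed.
type ReviewKind = "SME" | "LEGAL" | "HR" | "SECURITY" | "COMPLIANCE";
interface ReviewDecision { versionId: string; kind: ReviewKind; approved: boolean; reviewerId: string; }
interface PolicyVersion { id: string; restricted: boolean; }
interface AuditEvent {
  at: string; actorId: string; action: string; versionId: string;
  outcome: "ALLOWED" | "BLOCKED"; missing: ReviewKind[];
}

const REQUIRED_WHEN_RESTRICTED: ReviewKind[] = ["LEGAL", "SECURITY"];

// Assumption: a sign-off counts only if it approves this exact version, so an
// approval recorded against an earlier version does not carry over to an edit.
function missingSignOffs(v: PolicyVersion, decisions: ReviewDecision[]): ReviewKind[] {
  if (!v.restricted) return [];
  return REQUIRED_WHEN_RESTRICTED.filter(kind =>
    !decisions.some(d => d.versionId === v.id && d.kind === kind && d.approved));
}

// Server-side action: the check runs here regardless of what the UI offered,
// and both outcomes are appended to the audit log.
function submitForExecutiveApproval(v: PolicyVersion, decisions: ReviewDecision[],
                                    actorId: string, at: string, log: AuditEvent[]): boolean {
  const missing = missingSignOffs(v, decisions);
  const outcome: AuditEvent["outcome"] = missing.length === 0 ? "ALLOWED" : "BLOCKED";
  log.push({ at, actorId, action: "SUBMIT_FOR_EXEC_APPROVAL", versionId: v.id, outcome, missing });
  return outcome === "ALLOWED";
}

// Constructed scenario: security approved v1 only, so v2 is blocked until
// security signs off on v2 itself.
function demoGate(): { results: boolean[]; log: AuditEvent[] } {
  const log: AuditEvent[] = [];
  const v2: PolicyVersion = { id: "retention-v2", restricted: true };
  const decisions: ReviewDecision[] = [
    { versionId: "retention-v1", kind: "SECURITY", approved: true, reviewerId: "sec-1" },
    { versionId: "retention-v2", kind: "LEGAL", approved: true, reviewerId: "legal-1" },
  ];
  const first = submitForExecutiveApproval(v2, decisions, "author-7", "2024-03-01T09:00:00Z", log);
  decisions.push({ versionId: "retention-v2", kind: "SECURITY", approved: true, reviewerId: "sec-1" });
  const second = submitForExecutiveApproval(v2, decisions, "author-7", "2024-03-02T09:00:00Z", log);
  return { results: [first, second], log };
}
```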

Reporting

Attestation coverage by policy and team, overdue attestations by team and policy, policy expiry calendar, change frequency by policy area, and one-click audit-evidence exports roll up on the compliance dashboard.

What it produces

  • Published policy (PDF)
  • Attestation report (per policy / employee / team)
  • Audit-evidence packet
  • Change history export
  • Expiry calendar export
  • Coverage report (CSV)

Industry terms

Attestation
An employee's timestamped acknowledgment that they have read and understood a specific policy version. The atomic unit of compliance evidence.
Substantive change
A policy edit that alters obligations or rights (vs. cosmetic). Substantive changes invalidate prior attestations and trigger re-attestation.
Version lock
When a policy version publishes, it freezes — any edit creates a new version. Prior versions remain queryable forever for audit purposes.
Expiry rule
A rule that flags a policy for review after a configurable window (annual review, regulatory cycle). Drives the expiry calendar.
Audience rule
A predicate (by team, location, hire date, role) that determines who must attest to a given policy. Re-evaluated on each org change.
Evidence packet
A point-in-time bundle the auditor receives: policy version, attestation roster, reviewer chain, and audit trail — all timestamped and immutable.
Re-attestation
The workflow triggered when a substantive change supersedes prior attestations. Prior attestors are re-prompted; non-responders show as overdue.
Audit-evidence export
On-demand CSV/PDF bundle a compliance officer can hand an auditor: who attested, when, to which version, and why others did not.
AI summary
A model-generated plain-language summary of a policy or version diff. Always cites the source clauses; never replaces the underlying policy text.
Change impact
AI assessment of an edit's scope: cosmetic, substantive, or major. The author confirms or overrides; the decision is recorded.

Data model (for technical evaluators)

The app is built on a relational schema (Neon Postgres + Prisma). Entities:

Policy · PolicyVersion · PolicyCategory · ReviewStep · ReviewDecision · ApprovalDecision · Audience · AssignmentRule · Employee · Attestation · ExpiryRule · ChangeImpact · AuditEvent