How attestation, read receipts, and audit trails work
Practical answers about tracking who has read what, how attestation is enforced, and what documentation regulators will see.
📋 Read Receipts & Attestation
When an employee opens a policy, a read receipt is automatically captured, including timestamp, device type, and employee profile details. This happens passively, without any employee action: the read event is recorded the moment policy content loads. Acknowledgment actions (Understood, Accept, Not Clear, e-sign) are additional and layered on top. This is a two-layer approach: exposure (did they see it?) and acceptance (did they confirm it?) are tracked separately.
A Read Receipt records that an employee opened the policy; it is passive and automatic, with no employee action needed. An Attestation is an active confirmation: "Understood" (simple acknowledgment), "Accept" (formal agreement to comply), "Not Clear" (flags a comprehension issue), Aadhaar-based e-sign (biometric-linked signature), or AD password signature. For most HR policies, read receipt + "Understood" is sufficient. For AML, code of conduct, and InfoSec policies, Aadhaar e-sign creates a legally defensible record.
Layered escalation workflow:
Step 1: automated email notification on publish.
Step 2: mobile push notification for non-openers within a set timeframe.
Step 3: admin filters "Unread Only" and resends with a single click to that specific cohort.
Step 4: for critical policies, minimum scroll percentage required before action buttons appear.
Step 5: compliance dashboard flags non-readers by department and designation, enabling line managers to be looped in.
Yes. All read receipt and attestation data is exportable as reports: by policy, by employee, by department, by time period. Reports include: employee name, department, designation, policy title, publish date, read date, time taken, action taken, e-sign record. For RBI, SEBI, IRDAI, internal audit, or external auditor reviews, this provides a complete, timestamped, tamper-evident record of organizational policy awareness.
Admin-controlled. When publishing a new version, admins choose: require re-attestation from all employees, only from those who attested the previous version, or only from those who didn't. The previous version's attestation records are preserved separately, and the audit trail shows distinct compliance records per version. This is critical for regulatory contexts where a policy change (e.g., revised AML procedure) requires documented re-acknowledgment.
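The following is an added example, not PolicyCentral.ai's code. The page does not say how its records are made tamper-evident, so this example assumes a SHA-256 hash chain over an append-only log, and shows read receipts and attestations kept as separate events per policy version. All class, function and field names are hypothetical, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes identically.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class AuditTrail:
    """Append-only log in which each entry commits to the one before it."""
    def __init__(self):
        self.entries = []  # each: {"event": ..., "prev": ..., "hash": ...}

    def append(self, employee, policy, version, kind, action, ts):
        # kind is "read" (passive receipt) or "attest" (active confirmation)
        event = {"employee": employee, "policy": policy, "version": version,
                 "kind": kind, "action": action, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev,
                             "hash": _digest(prev, event)})

    def verify(self):
        """Return the index of the first entry that breaks the chain, or -1."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return i
            prev = e["hash"]
        return -1

    def status(self, policy, version, staff):
        """Exposure and acceptance for one policy version, tracked separately."""
        read, attested = set(), set()
        for e in (x["event"] for x in self.entries):
            if e["policy"] != policy or e["version"] != version:
                continue
            if e["kind"] == "read":
                read.add(e["employee"])
            elif e["action"] != "Not Clear":  # assumption: a flag is not a confirmation
                attested.add(e["employee"])
        return {"unread": sorted(set(staff) - read),
                "read_not_attested": sorted(read - attested),
                "attested": sorted(attested)}

def build_sample():
    # Constructed sample records, not real data.
    t = AuditTrail()
    t.append("asha", "AML", 1, "read", None, "2024-01-02T09:00:00Z")
    t.append("asha", "AML", 1, "attest", "Accept", "2024-01-02T09:04:00Z")
    t.append("ravi", "AML", 1, "read", None, "2024-01-02T10:00:00Z")
    t.append("asha", "AML", 2, "read", None, "2024-03-01T09:00:00Z")
    return t
```

A hash chain detects edits and deletions inside the log but not removal of the most recent entries, so the latest hash has to be stored or signed somewhere outside the log for an auditor to compare against.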
✍️ E-Signatures & Legal Validity
The platform integrates with Aadhaar-based e-sign APIs compliant with the IT Act 2000 and MeitY's eSign framework. When an employee e-signs, they authenticate using their Aadhaar OTP, linking the signature to their biometric-verified national identity. The resulting signature is legally valid under Indian law. For RBI-regulated banks, insurance, and capital market organizations, this creates a level of attestation defensibility that a checkbox or "I Agree" button cannot provide.
An alternative to Aadhaar e-sign: employees re-enter their Active Directory (corporate login) password to confirm policy acceptance. This leverages existing corporate identity infrastructure without requiring Aadhaar enrollment, which suits organizations where not all employees have linked Aadhaar to their professional profile, as well as international contexts. The AD password step creates an enterprise-identity-linked authentication record.
"Action Buttons" is the admin-configurable employee response layer: Understood (simple acknowledgment), Accept (active agreement to comply), Not Clear (employee flags a comprehension issue, which triggers a question collation for admin). When clicked, the timestamp, button chosen, and employee profile are recorded. A high rate of "Not Clear" responses on a specific policy is a leading indicator of a comprehension problem or genuine policy ambiguity.
PolicyCentral.ai supports future employee targeting: when publishing a policy, admins flag it to be automatically distributed to employees who join in the future and match specified profile criteria. When a new joiner is added to HRMS and synced to PolicyCentral.ai, they automatically receive all relevant pending policies for their role, without any manual admin action. Onboarding compliance becomes systematic rather than checklist-dependent.