Skip to main content

Managing Compliance Policies and Signatures in Google Workspace and Microsoft 365

Best practices for keeping policy evidence current in Strike Graph using automated collection

Written by Micah Spieler
Updated this week

It's considered best practice to identify a centralized location to store and manage your internal policies, procedures, and other operational-related documentation. Many organizations have access to Google Workspace or Microsoft 365 and already use it for most of their critical business applications, so why not also use it for policy management?

Strike Graph's Google Drive and Microsoft 365 integrations let you pull documents directly from your existing document repositories, and paired with automated collection, you can keep your policy evidence current without ongoing manual effort.

This article covers two common policy evidence workflows and how to set them up effectively:

  1. Collecting your most recent policy document on a recurring schedule

  2. Collecting signed policy acknowledgements from employees

Collecting your most recent policy document

How it works

Lucky for us, Google Docs and Microsoft 365 Word documents both do a great job of logging activity and behavior, such as maintaining a record of changes and version history. This means it's easy to continue iterating on a single policy document over time without managing multiple copies.

When you set up automated collection and point it at that document (or the folder it lives in), Strike Graph will re-collect the most recent version on a schedule, keeping your evidence current without you needing to manually re-attach it each time.

Option 1: Collect a specific file

If you prefer to collect one designated policy document, you can configure automated collection to always pull that specific file.

For Google Drive:

  1. Navigate in Strike Graph to the evidence item where you want to collect the policy.

  2. Click Automated Collection and select your Google Drive integration.

  3. When the Google Picker opens, navigate to and select the specific policy document.

  4. Confirm the collection setup.

Strike Graph will re-collect this file on a regular cadence before the attachment expires, ensuring you always have a current copy on file.

For Microsoft 365:

  1. Navigate in Strike Graph to the evidence item where you want to collect the policy.

  2. Click Automated Collection and select your Microsoft 365 integration.

  3. In the Type dropdown, select Specific file.

  4. Paste the share URL for the document.

  5. Click Attach to save the configuration.

Tip: Use the Share button in Microsoft 365 to generate a shareable link for the file. Make sure the link grants at least read access.

Option 2: Collect the most recently modified file in a folder

If you want to create archival snapshots of your policies — or if your workflow involves saving new versions as separate files — storing policy documents in a dedicated folder and using the Most recently modified in folder option is an efficient approach. Each time automated collection runs, it pulls the file in that folder that was most recently updated, giving you a timestamped record of the latest version at the time of collection.

This option is currently available for Microsoft 365. To set it up:

  1. Create a dedicated folder in SharePoint or OneDrive for the policy (e.g., "Acceptable Use Policy").

  2. Save the most current version of the document to that folder when updates are made.

  3. In Strike Graph, navigate to the evidence item and click Automated Collection, then select your Microsoft 365 integration.

  4. In the Type dropdown, select Most recently modified in folder.

  5. Paste the SharePoint share URL for the folder.

  6. Click Attach to save the configuration.

For Google Drive, you can select a folder using the Google Picker during automated collection setup. Strike Graph will collect the most recently modified file from that folder on each collection run.

Capturing who last edited the document

For some compliance frameworks, you may need to demonstrate not just that a policy exists, but that it has been reviewed or updated by a responsible party. Both Google Docs and Microsoft 365 Word track last-editor information natively, but this metadata is not always visible in the document content itself.

One approach is to include a simple "Document History" or "Revision Log" table within the policy document itself, where the editor records their name and the date when making updates. Because Strike Graph collects the file content, this information will be captured as part of the evidence attachment and will be readable by auditors.

Collecting signed policy acknowledgements

Demonstrating that employees have read and acknowledged key policies is a common requirement across frameworks like SOC 2, ISO 27001, and HIPAA. Both Google Workspace and Microsoft 365 offer native eSignature capabilities that pair well with Strike Graph's folder-based collection to automate this process.

Using Google eSignature

Google eSignature is available for select Google Workspace plans (Business Standard and above) and allows you to send signature requests directly from Google Docs or PDFs stored in Google Drive.

Setting up a policy acknowledgement workflow:

  1. Prepare your policy document in Google Docs or as a PDF in Google Drive.

  2. Use Tools > eSignature (or the eSignature option from the Drive menu for PDFs) to add the appropriate signature fields.

  3. Send the eSignature request to your employees. Each signer will receive an email and can sign directly in their browser — no additional software required.

  4. Once all parties have signed, Google saves a completed PDF copy to the same folder as the original document. This completed PDF includes an audit trail page with timestamps and identifying information for each signer.

Connecting to Strike Graph with automated collection:

  1. Create a dedicated folder in Google Drive where completed, signed acknowledgement PDFs will be stored.

  2. In your Google eSignature settings, confirm that signed documents are saved to that folder (note: Google saves to the original file's folder by default, so organizing your source documents into a dedicated folder per policy works well here).

  3. In Strike Graph, navigate to the evidence item for policy acknowledgements and configure Automated Collection with your Google Drive integration.

  4. Select the folder containing completed signed acknowledgements.

  5. Strike Graph will periodically pull the most recently modified file from that folder, capturing a current signed acknowledgement as evidence.

Using Microsoft 365 eSignature

Microsoft 365 eSignature is available as a pay-as-you-go service and lets you request electronic signatures from within SharePoint or Microsoft Word. It also supports integration with Adobe Acrobat Sign and DocuSign if your organization already uses those platforms.

Setting up a policy acknowledgement workflow:

  1. Upload your policy document to SharePoint.

  2. Use the eSignature feature to request signatures from employees. Signers receive an email with a link and can sign without leaving their browser.

  3. Once signing is complete, the signed PDF is stored securely within your Microsoft 365 environment — in SharePoint or OneDrive, depending on your configuration.

Connecting to Strike Graph with automated collection:

  1. Designate a SharePoint folder where completed signed acknowledgement PDFs are stored.

  2. In Strike Graph, navigate to the evidence item for policy acknowledgements and configure Automated Collection using your Microsoft 365 integration.

  3. Set the Type to Most recently modified in folder and provide the SharePoint share URL for the folder.

  4. Strike Graph will collect a recent signed acknowledgement from that folder on each collection run.

Note: For sampling purposes — for example, pulling one acknowledgement per quarter to demonstrate an ongoing acknowledgement process — this setup works well out of the box. If your framework requires collecting acknowledgements from all employees, you may want to supplement with a full export from your HR or training system.

General tips

  • Use Automated Collection wherever possible. Automated Collection re-collects evidence on a schedule before it expires, keeping your compliance program in an audit-ready state without ongoing manual effort. Read more about Automated Collection.

  • Point Verify AI at your policy evidence. Once automated collection is running, consider enabling Verify AI on the evidence item. The Description check can confirm that the attachment contents align with what you'd expect for that evidence — a useful safety net if a document is accidentally replaced or moved. Read more about Verify AI.

  • Keep policy folders organized. The "most recently modified in folder" collection method works best when only relevant documents are stored in the target folder. Avoid storing unrelated files in the same location.

Did this answer your question?