What is a Policy?
A policy is a governing document describing what an organization does to ensure security and compliance. It outlines responsibilities and general procedures meant to implement and maintain specific security and compliance controls. An organization will generally outline specific procedures in separate procedure documents.
How to Create a new Policy
In the Secureframe dashboard, select Policies in the left side bar menu
then click Create Policy at the top right
Add Policy Name and Policy Owner
Paste in your policy text or Upload policy directly as a PDF. (Note: If you upload a PDF and leave the existing Text, personnel will have a tab and be able to see both Text and PDF.)
If pasting in a policy: Use the built-in toolbar to adjust formatting, and the tokens provided in the side menu to auto-fill information such as Company Name and Date Modified.
If uploading a policy directly as a PDF: Click the "Upload Policy" box from within a policy and select a PDF file. You may upload multiple PDF files if needed. To remove an uploaded PDF, click on the X next to the PDF file you previously uploaded. You may add additional free text along with the PDF file if desired, but also have the option to leave it blank.
Click Save if it needs to be reviewed, or click Save and publish if it's completed and ready for acknowledgement.
Note: If a policy is in draft and has no owner, any Admin can assign themselves as the owner and then publish it. Once a policy has an owner, only that policy owner can save and publish it.
How to edit an existing Policy
Locate the policy you'd like to edit from the list and click the three-dots icon to the right of that policy.
Click Edit Policy in the top right corner.
From here make any updates to the Title, Body, or features located on the right side panel.
Policy Groups – Located in the bottom right corner, select any groups that apply. This allows you to assign specific policies to a defined group of people. For example, a Change Management policy may only apply to your Development group rather than All Employees. (Note: If you have not created any groups yet, please see our Groups article for step-by-step instructions.)
If applicable, you can also Upload a PDF directly to the existing policy. (Note: If you upload a PDF and leave the existing Text, personnel will have a tab and be able to see both Text and PDF.)
Click Save if it needs to be reviewed, or click Save and publish if it's completed and ready for acknowledgement.
Note: Only the policy owner can publish the policy.
Policy Writing Assistance with Comply AI
Where: Policies → Open any policy → AI button in the editor toolbar
The policy editor includes a built-in AI writing assistant. Select any text and choose from a menu of AI-powered actions to improve your policy content instantly.
Click Edit Policy in the top right corner.
Click AI in the toolbar, or highlight a section of text and click AI, to summarize, improve writing, change tone and more.
| Action | Description |
|---|---|
| Summarize content | Extract key points from selected text |
| Improve writing | Fix grammar, spelling, and clarity |
| Simplify language | Reduce complexity for broader audiences |
| Expand upon | Add more depth and detail |
| Trim content | Remove redundancy and tighten prose |
| Change tone | Professional, Casual, Direct, Confident, Friendly |
| Change style | Business, Legal, Journalism, Medical, Poetic |
| Translate | Spanish, French, German, Italian, Dutch |
Additional Policy Features
Pre-built Tokens to auto-fill your company's information, such as company name, date modified, policy owner, and security email.
Conditional Sections allow you to incorporate dynamic sections into your policies based on your connected integrations. Rather than just auto-filling a value like standard tokens, conditional sections can show or hide entire sections of policy content depending on your environment, such as which integrations you have connected or whether you're on a specific compliance plan. When creating or editing a policy, a Conditional Sections area will display a list of all detected integrations you can use as tags within your policy content. This is especially useful if you manage policies across multiple customers or want to maintain a single global policy that automatically adjusts its language based on each customer's setup.
PDF Upload feature if you already have your own policies created.
Require employee Acceptance for those important documents related to your compliance obligations.
Policy Groups allow you to assign specific policies to a defined group of people. For example, a Change Management policy may only go to your Development group rather than All Employees.
The High Priority Vendors token ({{high_priority_vendor_list}}) is used in policies such as the Business Continuity and Disaster Recovery Plan to display a list of your high-priority vendors.
Default tokens such as Backup Frequency and Minimum Retention Period are available for specific policy types to auto-fill relevant configuration values.
Frequently Asked Questions
Who can publish a policy in Secureframe?
If a policy is in draft and does not yet have an owner, any Admin can assign themselves as the owner, make edits if needed, and then publish it.
Once a policy has an owner, however, only the assigned policy owner may publish it. If you need a policy published but are not the owner, you’ll need to either reassign ownership to yourself or request that the current owner publish it.
What happens if I upload a PDF to an existing Policy that already has text?
If you upload a PDF and leave the existing Text, personnel will have a tab and be able to see both Text and PDF. If you prefer the user to only see the PDF in this scenario, then delete all the text and leave only the PDF.
Accepting the policy applies to both the text and PDF versions, even if both are displayed.
If I make policy changes halfway through the year, is there a way to force users to re-read and accept the policies?
No, not at this time, but this is an active Feature Request.
Currently, employees are only required to read and accept policies on an annual basis. If you make additional changes, those users will not be required to review and acknowledge them until the next annual cycle.
How can I update the values/variables of the tokens in policies?
The token values are automatically pulled from the Company Settings > Company Details page. To update them, navigate to this page and modify the relevant fields, such as company name, security email, and other company details. The changes will be reflected in the policies where these tokens are used.
I already have policies in another platform, can I link these policies to Secureframe via HTML?
We do not currently support HTML linking for Policies.
If you do not wish to use our pre-built policies, you can upload a PDF of your own from the Create Policy section.
My policy acknowledgment tests are passing, as expected since everyone has accepted the policies, but the tests show "none" for accepted. Why?
This is typically because the "Require employee acceptance" checkbox was not selected when the policies were published. Open the policy, click Edit Policy, check the box, then save.
Once that box is checked in the policy, the acknowledgment data will backfill correctly to the test.
Where can I set the {{backup_frequency}} token used in the Business Continuity and Disaster Recovery Plan?
The {{backup_frequency}} token is populated from the “Backup frequency” field in the Options section of your Business Continuity and Disaster Recovery Plan (BCDRP).
To set this value:
Go to your Policy page.
Select your Business Continuity and Disaster Recovery Plan policy.
Scroll to the Options section below the policy body.
Use the dropdown next to Backup frequency to select your desired value (e.g., Monthly, Weekly, etc.).
Once saved, the {{backup_frequency}} token will dynamically populate in the policy wherever it’s used.
What is an employee handbook in Secureframe?
An employee handbook in Secureframe is typically a collection of published policies that define company expectations, workplace conduct, and security requirements. Rather than being a single document, the handbook is often made up of multiple individual policies that employees acknowledge inside the platform.
Do I need a separate “employee handbook” document?
Not necessarily. Many companies use Secureframe policies instead of a traditional handbook PDF by publishing individual policies and assigning them to employees for acknowledgment. This approach makes it easier to:
Keep content up to date
Track acknowledgments
Show auditors proof that employees reviewed required policies
Some companies still upload a handbook PDF, while others fully manage handbook content through individual policies.
