Enterprise Procurement Packet

Executive Summary

Closing the Enterprise Deal

The procurement packet is the bundle of security documentation that enterprise buyers require before signing a contract. When a CISO or procurement team evaluates ReGenesis, they will request a standard set of documents: a security whitepaper, compliance certificates, a signed DPA, architectural diagrams, and evidence of security controls. The procurement packet pre-assembles all of these so that security questionnaires can be answered quickly and buyer concerns addressed proactively.

A well-prepared procurement packet dramatically compresses the enterprise sales cycle. Instead of spending weeks collecting documents in response to each buyer's security questionnaire, the packet provides a single, comprehensive package. For the McKinsey pilot, a preliminary packet is required; for GA, the full packet with SOC 2 Type II and ISO 27001 certificates will be the standard. Companies that have their procurement packet ready close enterprise deals 40-60% faster than those that scramble to assemble documents on demand.

The packet also serves as the single source of truth for answering the CAIQ (Consensus Assessments Initiative Questionnaire), SIG (Standardized Information Gathering), VSA (Vendor Security Alliance), and custom enterprise security questionnaires. By maintaining a living packet, the team can respond to new questionnaires by pulling from pre-written answers rather than starting from scratch each time.

Working Knowledge

What Goes in the Procurement Packet

Packet Contents

Document Details

1. Security Whitepaper

Purpose: High-level overview of ReGenesis security posture, suitable for CISO-level review.

Contents:

• Company overview and security mission
• Security team and governance structure
• Data classification and handling
• Encryption architecture (at rest, in transit, field-level)
• Identity and access management
• Infrastructure security
• AI security and responsible AI practices
• Compliance certifications and roadmap
• Incident response overview
• Contact information

Length: 10-15 pages Audience: CISO, Security Architecture Review Board, Procurement

Writing Style

The security whitepaper should be confident but honest. Claims should not be made about capabilities that are not yet implemented -- instead, frame them as roadmap items with dates. Enterprise security teams appreciate transparency far more than overselling. Example: "SOC 2 Type II is targeted for Q1 2027 (Type I completed Q3 2026)" is better than omitting that Type II is not yet done.

2. Compliance Certificates

Document	Stage Available	Format	Distribution
SOC 2 Type I Report	Pilot	PDF (NDA-gated)	On request with NDA
SOC 2 Type II Report	GA	PDF (NDA-gated)	On request with NDA
ISO 27001 Certificate	GA	PDF (public)	Freely available
Pen Test Attestation	Pilot	1-page letter (public)	Included in packet
Pen Test Executive Summary	Pilot	2-3 pages (NDA-gated)	On request with NDA
Full Pen Test Report	Never	Confidential	Internal only

SOC 2 Report Distribution

SOC 2 reports are confidential and should be shared under NDA. Never post the full SOC 2 report publicly. The ISO 27001 certificate, however, can be shared freely.

3. Data Processing Agreement

Pre-negotiated DPA with:

• Standard terms aligned to GDPR Article 28
• Complete subprocessor list (AWS, Anthropic, Stripe, etc.)
• Standard Contractual Clauses (Module 2 and Module 3)
• Technical and organizational measures annex

See Data Processing Agreements for full details.

4. Privacy Policy

Publicly available at regenesis.ai/privacy. Covers:

• What data is collected and why
• Legal bases for processing
• Data retention periods
• Data subject rights (access, deletion, portability, etc.)
• Third-party data sharing
• International data transfers
• Cookie policy
• Contact information for privacy inquiries

5. Incident Response Plan Summary

A non-confidential summary of the IR plan:

• Incident classification scheme (Severity 1-4)
• Response team roles and responsibilities
• Communication timelines (72-hour breach notification)
• Post-incident review process
• Contact information for reporting security concerns

The full IR plan is internal-only; the summary demonstrates that a plan exists and is operationally sound.

6. BCP/DR Summary

One-page summary covering:

• Recovery objectives (RPO, RTO)
• Backup strategy and frequency
• Multi-AZ architecture
• Cross-region backup replication
• Provider failover strategy
• DR testing schedule and results
• Status page URL

7. Architecture Diagram

A sanitized architecture diagram showing:

• High-level system components (web app, API, database, AI engine)
• Data flow paths
• Encryption points
• Network boundaries (VPC, subnets)
• Third-party integrations
• Security controls at each layer

Do NOT Include

Architecture diagrams shared externally should NOT include:

• Internal IP addresses or CIDR ranges
• Specific AWS account IDs
• Credential store locations
• Detailed vulnerability scan configurations
• Internal tool names and versions (when the version could reveal vulnerabilities)

8. Security Policies Summary

A summary document listing all security policies in force:

Policy	Status	Last Reviewed
Information Security Policy	Active	Annually
Access Control Policy	Active	Annually
Acceptable Use Policy	Active	Annually
Data Classification Policy	Active	Annually
Encryption Policy	Active	Annually
Incident Response Policy	Active	Annually
Business Continuity Policy	Active	Annually
Vendor Management Policy	Active	Annually
Change Management Policy	Active	Annually
Data Retention & Disposal Policy	Active	Annually
Remote Work Security Policy	Active	Annually
Physical Security Policy	Active	Annually

Full policies are available on request under NDA.

9. Employee Training & Background Checks

Evidence of security hygiene:

• All employees complete security awareness training at onboarding
• Annual security training refresher
• Phishing simulation exercises (quarterly)
• Developers receive secure coding training
• Background checks performed on all employees with data access
• Confidentiality/NDA agreements signed by all employees

10. Cyber Insurance Certificate

Certificate of insurance showing:

• Cyber liability coverage ($5M+)
• Data breach response coverage
• Business interruption coverage
• Regulatory defense coverage
• Policy number and expiration date
• Insurer name and rating

11. Vulnerability Management Policy

Summary of:

• Scanning tools and frequency
• Remediation SLAs by severity
• Dependency management process
• Patch management cadence
• Exception process for deferred fixes

12. Compliance Roadmap

Visual timeline showing:

• Current certifications and their expiry dates
• Planned certifications and target dates
• Framework mapping (how certifications overlap)
• Annual renewal schedule

Document Summary Table

#	Document	Who Writes It	When Needed	Current Status	Tips
1	Security Whitepaper	Security Officer + CTO	Pilot (draft), GA (final)	Not started	Lead with three-tier data model and AI governance -- that is the differentiator
2	SOC 2 Report	CPA audit firm (external)	Type I: Pilot, Type II: GA	Not started (auditor selection Q2 2026)	Share under NDA only; Type I is sufficient for pilot conversations
3	Pen Test Attestation	Pen test firm (external)	Pilot	Not started (firm selection Q2 2026)	Share attestation letter, not full report; emphasize AI-specific testing
4	DPA Template	Legal counsel + Security Officer	Pilot	Template in progress	Expect McKinsey to negotiate from their template; know your non-negotiables
5	Privacy Policy	Legal counsel	MVP0 (basic), Pilot (GDPR)	Not started	Publish at regenesis.ai/privacy; include AI data processing specifics
6	IR Plan Summary	Security Officer	Pilot	Not started	3-5 pages maximum; show maturity, not perfection
7	BCP/DR Summary	DevOps + Security Officer	Pilot (draft), GA (tested)	Draft in progress	Include RPO/RTO targets and Claude API failure contingency
8	Architecture Diagram	CTO / Lead Architect	Pilot	Diagrams exist in portal	Sanitize before sharing (no IPs, account IDs, or specific versions)
9	CAIQ Pre-filled	Security Officer + CTO + Legal	GA (having early is competitive advantage)	Not started	40-80 hours initial; use architecture portal as source of truth
10	Compliance Roadmap	Security Officer	Pilot (essential for "we do not have X yet" questions)	Content exists in portal	Always frame gaps as roadmap items with dates, never as missing

---

Procurement Response Templates

These are the recommended responses for common questions from enterprise security teams during procurement evaluation.

"Do you have SOC 2 Type II?"

Before Type I is complete:

"We are on the path to SOC 2 Type I, which we expect to complete by Q3 2026. We have engaged [auditor firm] and are using [Vanta/Drata] for continuous compliance monitoring. Our Type II observation period will begin immediately after Type I, with the Type II report expected by Q1 2027. In the meantime, I can share our Security Whitepaper and compliance roadmap, which document the controls we have in place today."

After Type I, before Type II:

"We have our SOC 2 Type I report, which I can share under NDA. Our Type II observation period is underway, with the report expected by [date]. Type I confirms our controls are designed correctly; Type II will confirm they operate effectively over time. We also have our annual pen test attestation available."

"Are you HIPAA compliant?"

"ReGenesis is not currently HIPAA compliant, and our coaching platform does not handle Protected Health Information as defined by HIPAA. Our data model explicitly excludes medical diagnoses, treatment plans, and clinical records. We position ReGenesis as an executive coaching and professional development platform, not a healthcare or therapy tool. If we expand into health and wellness coaching in the future, HIPAA compliance is on our roadmap. We are happy to discuss the specific data types your use case would involve."

"Where is our data stored?"

"All data is stored in AWS us-east-1 (Northern Virginia) using encrypted storage -- AES-256 at rest, TLS 1.2+ in transit. We do not replicate data outside the US. Our DR backup copies go to us-west-2 (Oregon), also within the US. We have built our architecture to EU/GDPR standards from day one, so when we expand to EU data residency, we can deploy to eu-west-1 (Ireland) without re-architecture. All subprocessors are documented in our DPA."

"What happens to our data if we cancel?"

"Upon contract termination, we follow a documented data return and deletion process. Within 30 days, we export all your organization's data in a standard format and make it available for download. After you confirm receipt, we permanently delete all data from production systems within 30 days. Backup copies are deleted within 90 days as they rotate out. We also offer crypto-shredding -- we can delete the encryption keys for your tenant's data, rendering it permanently unreadable even in backups."

"Does our coaching data train your AI models?"

"No. ReGenesis uses the Anthropic Claude API for our AI coaching engine (Sasha). Under our API agreement with Anthropic, no customer data is used to train or fine-tune AI models. Each coaching session uses a fresh context window, and data from one coachee never enters another coachee's context. We enforce strict context boundaries at the application level. We can share our AI Governance documentation that details these controls."

"Can we audit your systems?"

"Yes. Our DPA includes audit rights. We support audit in three ways: first, our SOC 2 report provides an independent third-party audit; second, we provide access to our compliance dashboard showing real-time control status; third, for clients with specific requirements, we can arrange on-site or remote audit access with reasonable advance notice."

"What if Anthropic has a breach?"

"Anthropic is a subprocessor listed in our DPA. If Anthropic experiences a breach affecting ReGenesis data, our incident response plan includes immediate investigation, impact assessment, and notification within 72 hours per GDPR. We can disable all AI features instantly via feature flags while we investigate. Human coaching sessions continue unaffected. Our architecture ensures that even if the AI provider is compromised, they do not have access to decrypted coaching transcripts -- only the prompts and responses flowing through the API."

---

Handling Enterprise Security Questionnaires

Enterprise buyers will send custom security questionnaires, often containing 100-500+ questions. Common questionnaire formats:

Format	Full Name	Typical Length	Source
CAIQ	Consensus Assessments Initiative Questionnaire	~300 questions	Cloud Security Alliance
SIG	Standardized Information Gathering	~800 questions	Shared Assessments
VSA	Vendor Security Alliance	~150 questions	VSA consortium
Custom	Company-specific questionnaire	50-500 questions	Each enterprise has their own

Strategy for efficient response:

1. Pre-fill common questionnaires -- Answer CAIQ and VSA once and maintain them
2. Build an answer library -- Categorize all questionnaire answers by topic, reuse for new questionnaires
3. Map to compliance reports -- Reference SOC 2 sections and ISO 27001 clauses instead of re-explaining controls
4. Use compliance platform -- Vanta/Drata can auto-generate questionnaire responses
5. Assign an owner -- One person (Security Officer) owns questionnaire responses to ensure consistency

Time Investment

The first enterprise security questionnaire takes 40-80 hours to complete thoroughly. Each subsequent questionnaire should take 10-20 hours by reusing the answer library. The procurement packet cuts questionnaire response time by 50%+ because answers can reference enclosed documents.

Technical Spec