Stage 4: Global Expansion & Regulated Hardening
Timeline: 2027+ (18-24+ months)
Purpose: Expand into EU/UK/APAC markets, enter regulated verticals (healthcare, finance, government), and achieve the highest compliance certifications.
Global Expansion takes ReGenesis from a US-focused enterprise platform to a worldwide service operating across multiple regulatory regimes. Key milestones: ISO 27001 certification, multi-region deployment for data residency requirements, EU AI Act compliance, and readiness for regulated verticals including healthcare (HIPAA) and potentially government (FedRAMP). This stage also prepares the foundation for the planned therapy market migration.
What Global Expansion Means
This is where the "EU-grade by design" strategy pays off. Because ReGenesis builds to GDPR standards from day one, expanding to Europe is not a rebuild — it is a deployment and certification exercise.
New Certifications Needed
| Certification | Required For | Timeline |
|---|---|---|
| ISO 27001 | European enterprise clients | Q2 2027 |
| ISO 42001 | AI management system (optional but differentiating) | Q4 2027 |
| ISO 27701 | Privacy information management | 2028 |
| HIPAA | US healthcare/therapy market | 2027-2028 |
| HITRUST | US healthcare (preferred by many) | 2028 |
| FedRAMP | US government | Only if strategic ROI |
| EU AI Act | EU market entry | 2027 |
Therapy Market Expansion
Long-term, ReGenesis plans to expand from coaching into the therapy market. This introduces additional compliance requirements:
- HIPAA compliance becomes mandatory (Business Associate Agreements, PHI handling)
- State licensure requirements for any therapy-adjacent features
- Clinical data classification — therapy notes are clinical records with higher protections
- Integration with EHR systems (Electronic Health Records)
- Insurance billing integration (CPT codes, etc.)
The architecture is being built with this in mind. The "regulated data mode" (separate encrypted storage, restricted access, field-level encryption) is designed to support therapy data when the time comes.
Multi-Region Architecture
EU clients' data stays in EU infrastructure, and US clients' data stays in US infrastructure. Cross-region data transfer is never automatic; it requires an explicit SCC-backed legal agreement.
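One way to enforce the residency rule above as a deny-by-default check, written as an added example and not ReGenesis's own code. The `Tenant` and `SccAgreement` types, the region labels, and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

REGIONS = {"us", "eu"}  # assumed region labels, not from the page

@dataclass(frozen=True)
class Tenant:               # hypothetical type
    tenant_id: str
    home_region: str        # region where this client's data must stay

@dataclass(frozen=True)
class SccAgreement:         # hypothetical record of a signed SCC-backed agreement
    tenant_id: str
    source_region: str
    dest_region: str
    valid_until: date

class ResidencyError(Exception):
    """Raised when an operation would move data outside its permitted region."""

def check_transfer(tenant, source, dest, agreements, today):
    """Deny-by-default transfer check; returns a decision string for the audit log."""
    if source not in REGIONS or dest not in REGIONS:
        raise ResidencyError(f"unknown region in {source}->{dest}")
    if source != tenant.home_region:
        # Data found outside its home region is already a violation; do not move it on.
        raise ResidencyError(f"{tenant.tenant_id}: data must originate in {tenant.home_region}")
    if source == dest:
        return "allow:same-region"
    for a in agreements:
        # An agreement is scoped to one tenant and one direction, and it expires.
        if ((a.tenant_id, a.source_region, a.dest_region) == (tenant.tenant_id, source, dest)
                and today <= a.valid_until):
            return f"allow:scc:valid-until-{a.valid_until.isoformat()}"
    raise ResidencyError(f"{tenant.tenant_id}: no valid SCC agreement for {source}->{dest}")

def is_allowed(tenant, source, dest, agreements, today):
    """Boolean wrapper for callers that only need the verdict."""
    try:
        check_transfer(tenant, source, dest, agreements, today)
        return True
    except ResidencyError:
        return False

# Constructed sample data
ACME_EU = Tenant("acme-eu", "eu")
AGREEMENTS = [SccAgreement("acme-eu", "eu", "us", date(2027, 12, 31))]
```

The check fails closed: an expired agreement, an agreement for another tenant or the opposite direction, or an unrecognized region all result in a denial.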
EU AI Act Considerations
ReGenesis likely qualifies as high-risk under Annex III, Category 4 (AI systems for employment, workers management). This means:
- Conformity assessment required before EU market entry
- Risk management system documentation
- Data governance with quality requirements
- Technical documentation (this architecture portal supports this requirement)
- Record-keeping of system operation
- Transparency and provision of information to users
- Human oversight design (the human-in-the-loop model supports this requirement)
- Accuracy, robustness, and cybersecurity requirements
Exit Criteria
This is an ongoing stage, but key milestones:
- ISO 27001 certification obtained
- Multi-region deployment operational (US + EU minimum)
- EU AI Act conformity assessment completed (if required)
- First EU enterprise client onboarded
- HIPAA controls implemented (if therapy market entry begins)
- Dedicated security personnel hired
- Annual security program review established