Stage 2: Pilot (McKinsey)
Timeline: Q2-Q3 2026 (3-9 months)
Purpose: First real enterprise engagement with actual employee data. Must pass enterprise vendor security assessment.
The Pilot stage represents ReGenesis's first engagement with real enterprise data. Before any employee data enters the system, we must clear a vendor security assessment — typically a 200-300 question questionnaire covering encryption, access controls, incident response, and compliance posture.
Key deliverables: SOC 2 Type I audit (controls designed and in place), SSO/MFA integration, signed Data Processing Agreement, completed penetration test, and documented Incident Response Plan. By the end of the pilot stage, the platform should be able to pass any enterprise security review.
What Pilot Means for Enterprise Clients
When an enterprise client runs a pilot, their security team gets involved. Typical evaluation process:
- Security questionnaire (200-300 questions, often CAIQ or custom spreadsheet)
- SOC 2 report request (or evidence of audit in progress)
- DPA review (Data Processing Agreement -- what happens to their data)
- Independent penetration test of the application
- Architecture review call with the CTO/security lead for detailed questions
Required Before Pilot Kickoff
| Document | Status | Notes |
|---|---|---|
| SOC 2 Type I | In progress (minimum) | Engage auditor by month 2, complete by month 6 |
| DPA (signed) | Required | Template ready by month 3, customize for McKinsey |
| Privacy Policy | Required | Full GDPR-grade, covers data handling |
| Incident Response Plan | Required | Even if lightweight — shows you have a plan |
| Security Policies | Required | Access control, change management, acceptable use |
| Subprocessor List | Required | AWS, Anthropic, Google APIs, etc. with their certs |
| Pen Test Results | Scheduled or completed | Engage firm by month 5 |
| DPIA | Completed | Data Protection Impact Assessment for coaching AI |
Recommended Response: "Do You Have SOC 2 Type II?"
"ReGenesis has completed SOC 2 Type I and is in the observation period for Type II, expected by Q1 2027. The Type I report and penetration test summary are available for review."
Most enterprises will accept a Type I for a pilot engagement, especially when a credible path to Type II is demonstrated.
SSO Integration
McKinsey uses Azure AD. The platform must support SAML 2.0 at minimum. When asked "Does the platform support SSO?", the answer is: "Yes, ReGenesis supports SAML 2.0 and integrates with Azure AD/Okta/OneLogin."
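Supporting SAML 2.0 is only half of the integration story; the relying-party side also has to reject assertions that are signed but stale, replayed, or issued for a different tenant or service provider. The following is an added example, not ReGenesis code: it applies the post-signature checks (Issuer, validity window with clock skew, Audience, InResponseTo) to a constructed assertion. The entity ID, tenant issuer URL and request ID are placeholders, and signature verification is assumed to have already been done by the SAML library.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree when parsing untrusted IdP responses

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP settings; real values come from your SP metadata and the Azure AD tenant's IdP metadata.
SP_ENTITY_ID = "https://regenesis.example/saml/metadata"
IDP_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
CLOCK_SKEW = timedelta(minutes=3)

# Constructed sample assertion (not captured from any real IdP).
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
<saml:Issuer>{IDP_ISSUER}</saml:Issuer>
<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2026-05-01T10:00:00Z" NotOnOrAfter="2026-05-01T10:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC ISO 8601

def validate_assertion(xml_text, expected_request_id, now=None):
    """Return (ok, reason). Run only AFTER the SAML library has verified the XML signature."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        return False, "issuer is not the configured IdP"
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None:
        return False, "missing validity window"
    if now < _ts(nb) - CLOCK_SKEW or now >= _ts(noa) + CLOCK_SKEW:
        return False, "assertion outside validity window"
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience mismatch"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    return True, "ok"
```

Each rejection reason is a useful line to emit into the audit log the pilot table calls for, since a burst of window or audience failures is an early indicator of replay or misconfiguration.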
What Changes from Demo to Pilot
| Aspect | Demo | Pilot |
|---|---|---|
| Data | Fictional | Real employee data |
| Users | Internal test accounts | Actual coaches and coachees |
| Security | Basic encryption + RBAC | SSO, MFA, full audit logging |
| Legal | Verbal agreements | Signed DPA, Privacy Policy |
| Duration | Hours/days | Weeks/months |
| Compliance | Roadmap shown | SOC 2 Type I in progress |
| Deletion | Post-demo certificate | Configurable retention policies |
Exit Criteria
Before moving to GA stage:
- SOC 2 Type I report obtained
- At least one enterprise pilot completed successfully
- No critical security incidents during pilot
- Penetration test completed with all critical/high findings resolved
- SSO integration tested with at least one real enterprise IdP
- Enterprise security questionnaire answered completely
- DPA signed and subprocessor list maintained
- Pilot client feedback incorporated into product and security roadmap