Glossary
A comprehensive reference of all technical, compliance, and domain terms used throughout the ReGenesis Trust Center. Hover over any underlined term throughout the portal to see its definition inline, or browse the full glossary below.
A
ABAC (Attribute-Based Access Control)
SecurityAttribute-Based Access Control is an advanced security model that evaluates multiple attributes (user role, data classification, time of day, location, etc.) to make access decisions. Unlike simpler models that just check "are you an admin?", ABAC can enforce rules like "coaches can only see insights tagged coach_only for their own clients during business hours." In ReGenesis, ABAC works alongside RBAC through four visibility tags: client_visible, coach_only, admin_aggregate, and system_internal.
ACL (Access Control List)
SecurityAn Access Control List is a table that tells the system who is allowed to do what with each resource. Each entry specifies a user or group and their permissions (read, write, delete, etc.). ACLs are one of the oldest and simplest forms of access control. ReGenesis uses more sophisticated models (RBAC + ABAC), but ACLs are still relevant in infrastructure components like S3 buckets and network firewalls.
AES-256 (Advanced Encryption Standard)
SecurityAES-256 is a symmetric encryption algorithm adopted by the US government and used worldwide. The "256" refers to the key length in bits — a 256-bit key has 2^256 possible combinations, making brute-force attacks computationally impossible. In ReGenesis, AES-256 encrypts all data at rest (stored data) via AWS-managed encryption keys. Data in transit is protected by TLS 1.2+. This dual encryption approach satisfies SOC 2, GDPR, and enterprise procurement requirements.
AI Insight
ProductIn ReGenesis, an AI insight is an observation, pattern, theme, or recommendation generated by Sasha from coaching session data. Insights are the primary output of Sasha's analysis engine and come in several types: session summaries, cross-session patterns, behavioral observations, development progress indicators, and suggested coaching questions. Every insight is structured as an Evidence Pack (L0 headline, L1 reasoning, L2 source evidence) and requires coach approval before the coachee can see it. Insights are stored with metadata including confidence score, generating model version, and provenance hash.
ALB (Application Load Balancer)
InfrastructureAn Application Load Balancer is an AWS Elastic Load Balancing service that operates at Layer 7 (HTTP/HTTPS) of the network stack. It distributes incoming traffic across multiple targets (such as ECS containers) based on content of the request, including URL path, host headers, and query parameters. In ReGenesis, the ALB sits behind the WAF and CloudFront, handling SSL termination, path-based routing (sending API requests to the backend service and web requests to the frontend), health checks, and connection draining during deployments.
Anomaly Detection
SecurityAnomaly detection is a monitoring technique that uses statistical analysis or machine learning to identify patterns that deviate significantly from expected behavior. In ReGenesis, anomaly detection monitors for: unusual authentication patterns (many failed logins, logins from new locations), abnormal data access (a user suddenly downloading large amounts of data), API usage spikes (potential denial-of-service), AI cost anomalies (unexpected token consumption), and cross-tenant access attempts. Alerts are routed to the on-call team for investigation. This is a key SOC 2 requirement for continuous monitoring.
Anthropic
AIAnthropic is an AI safety company founded in 2021 by former OpenAI researchers, including Dario and Daniela Amodei. They develop the Claude family of AI models using a technique called Constitutional AI, which makes models more aligned with human values and safety considerations. ReGenesis chose Anthropic as its primary LLM provider (see ADR-003) for three reasons: (1) Claude's reasoning quality is best-in-class for nuanced coaching insights, (2) Anthropic's enterprise Data Processing Agreement includes contractual no-training guarantees, and (3) the "no-training" API flag provides technical enforcement that customer data is never used to improve models.
API (Application Programming Interface)
TechnicalAn Application Programming Interface defines how software components interact. APIs specify what requests you can make, what data you need to include, and what responses you'll get back. ReGenesis uses RESTful APIs — a common pattern where each URL represents a resource (like /sessions or /insights) and you use standard HTTP methods (GET to read, POST to create, PUT to update, DELETE to remove). Every API call in ReGenesis is authenticated (you must prove who you are), authorized (the system checks if you're allowed), and logged (recorded for audit purposes).
APM (Application Performance Monitoring)
InfrastructureApplication Performance Monitoring is a category of tools that monitor and manage the performance and availability of software applications. APM solutions track metrics like response time, throughput, error rates, and resource consumption across all application components. In ReGenesis, APM provides visibility into: API endpoint latency (how fast each endpoint responds), database query performance (identifying slow queries), AI processing time (how long Sasha takes to analyze a session), error tracking (capturing and alerting on application errors), and user experience metrics. APM data is critical for maintaining SLA commitments and for SOC 2 availability criteria.
Artifact Store
ArchitectureThe Artifact Store is ReGenesis's file storage system built on AWS S3. It holds raw source materials: audio/video recordings, transcripts, uploaded coaching documents, and exported reports. Each artifact is encrypted at rest with AES-256, tagged with a tenant ID for isolation, and subject to lifecycle policies (automatically archived to cheaper storage after 90 days, deleted after the retention period expires). The Artifact Store is critical for Evidence Packs — L2 evidence links point to specific moments in these stored files.
AssemblyAI
InfrastructureAssemblyAI is a cloud-based speech-to-text API platform that provides automatic transcription, speaker diarization (identifying who said what), sentiment analysis, topic detection, and content moderation for audio and video files. Unlike real-time streaming services (like Deepgram), AssemblyAI excels at batch processing — uploading a complete recording and receiving a polished transcript with speaker labels, timestamps, and confidence scores. For ReGenesis, AssemblyAI could handle post-session transcription of coaching recordings: after a Zoom session ends, the recording is sent to AssemblyAI, which returns a structured transcript that Sasha then analyzes for insights. AssemblyAI's audio intelligence features (sentiment, topics) can supplement Sasha's own analysis.
Audit Log
SecurityAn audit log is an immutable, append-only record of system events. "Immutable" means once an event is recorded, it cannot be modified or deleted — even by system administrators. ReGenesis logs authentication events, data access, data modifications, AI operations (every LLM call), admin actions, and consent changes. Audit logs serve multiple purposes: SOC 2 compliance evidence, security incident investigation, GDPR accountability (proving you handled data correctly), and enterprise procurement requirements. ReGenesis stores audit logs in PostgreSQL with WORM (Write Once Read Many) policies and archives them to S3 Glacier for long-term retention.
Auth0
SecurityAuth0 (now part of Okta) is a cloud-based identity and access management platform that provides authentication, authorization, and user management as a service. It supports consumer-grade login (social logins, passwordless, email/password) and enterprise-grade identity (SAML SSO, OIDC, SCIM directory sync, MFA). For ReGenesis, Auth0 could handle the entire authentication layer: enterprise SSO for McKinsey employees, local accounts for independent coaches, MFA enforcement, token issuance and refresh, and brute-force protection. Auth0 is a broader platform than WorkOS (which focuses specifically on enterprise B2B features), making it suitable if ReGenesis needs both consumer and enterprise auth paths.
Authentication
SecurityAuthentication is the first step in any secure system: verifying a user's identity. ReGenesis supports multiple authentication methods: SSO (Single Sign-On) via SAML 2.0 or OIDC for enterprise users (so employees log in with their company credentials), local accounts with email/password plus MFA (Multi-Factor Authentication) for independent coaches, and API key authentication for system integrations. Authentication is different from authorization — authentication proves who you are, authorization determines what you're allowed to access.
Authorization
SecurityAuthorization determines what an authenticated user can access or modify. In ReGenesis, authorization operates at multiple levels: role-based (Coachee, Coach, Admin, Executive each have different permissions), field-level (visibility tags control which data fields each role can see), and tenant-level (Row-Level Security ensures you can only access your own organization's data). Even Sasha (the AI) has authorization boundaries — it can only access data within a specific coaching relationship's scope.
AWS (Amazon Web Services)
InfrastructureAmazon Web Services is a cloud computing platform offering over 200 services including computing power (EC2, ECS, Lambda), databases (RDS, ElastiCache), storage (S3), networking (VPC, CloudFront), security (KMS, WAF, Shield), and monitoring (CloudWatch, CloudTrail). ReGenesis uses AWS exclusively, deployed in the us-east-1 (Northern Virginia) region per ADR-006. This provides US data residency for CCPA compliance, access to all AWS services, and the strongest SLA guarantees. AWS's own compliance certifications (SOC 2, ISO 27001, FedRAMP, HIPAA) provide a foundation that ReGenesis builds upon.
B
BAA (Business Associate Agreement)
ComplianceA Business Associate Agreement is a legal contract required under HIPAA whenever a "business associate" (like ReGenesis) handles Protected Health Information on behalf of a "covered entity" (like a healthcare provider or health plan). The BAA specifies how PHI will be protected, what happens during a breach, and the business associate's obligations. ReGenesis does not currently require BAAs because professional coaching is not a covered healthcare activity, but if ReGenesis expands into therapy or clinical coaching, BAAs would become mandatory.
Backend
TechnicalThe backend is the server-side layer of a web application. It handles business logic, database operations, authentication, API requests, and integrations with external services. In ReGenesis, the backend is where Sasha's AI processing happens, where Row-Level Security is enforced, where audit logs are written, and where data flows between the frontend (what users see) and the database (where data is stored). The backend can be built in TypeScript (Node.js) or Python (FastAPI) — both are excellent choices depending on the team's skills.
BCP (Business Continuity Plan)
ComplianceA Business Continuity Plan documents how an organization maintains essential functions during and after a disaster. For ReGenesis, the BCP covers scenarios like AWS regional outages, database corruption, ransomware attacks, and key personnel unavailability. It defines Recovery Time Objectives (how fast we restore service), Recovery Point Objectives (how much data loss is acceptable), communication protocols, and failover procedures. Enterprise procurement teams require a documented, tested BCP.
Breach Notification
ComplianceBreach notification is the legal obligation to inform regulatory authorities and affected individuals when a personal data breach occurs. GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach, and notification to affected individuals "without undue delay" if the breach poses a high risk. US state laws (like CCPA) have similar requirements with varying timelines. ReGenesis's breach notification plan includes: automated breach detection, severity assessment, authority notification templates, client notification procedures, and root cause analysis workflows.
BYOK (Bring Your Own Key)
SecurityBring Your Own Key is an advanced encryption model where enterprise customers supply their own encryption keys via their own Key Management Service (like Azure Key Vault or AWS KMS in their own account). With BYOK, the customer maintains full control over data encryption — if they revoke their key, their data becomes unreadable even to ReGenesis. This is a premium feature requested by the most security-conscious enterprises (banks, government contractors, defense). ReGenesis plans to offer BYOK at the Global Expansion stage.
C
Cache
InfrastructureA cache is a high-speed data storage layer that stores a subset of data, typically transient in nature, so that future requests for that data are served faster. ReGenesis uses Redis (via AWS ElastiCache) as its caching layer for: user session tokens (so you don't have to re-authenticate every request), rate limiting counters (tracking how many API calls each user has made), feature flags (toggling features on/off instantly), and frequently accessed configuration data. Caching dramatically improves performance — a cache lookup takes microseconds compared to a database query that takes milliseconds.
CCPA/CPRA (California Consumer Privacy Act)
ComplianceThe California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), is the most comprehensive US state privacy law. It provides California residents with rights to: access their personal data, delete it, opt out of its sale or sharing, correct inaccuracies, and limit use of sensitive personal information. Businesses that process data of California residents above certain thresholds must comply. ReGenesis complies by implementing data access/deletion APIs, maintaining a privacy policy, recording consent, and building data minimization into the platform. CCPA is the primary US privacy requirement for ReGenesis until federal legislation passes.
CDN (Content Delivery Network)
InfrastructureA Content Delivery Network is a geographically distributed network of servers that caches and delivers content to users from the nearest server location. When a user in London loads the ReGenesis app, static assets (JavaScript files, CSS, images) are served from a nearby CloudFront edge location rather than from the origin server in us-east-1. This reduces page load time from seconds to milliseconds. CDNs also provide DDoS protection (absorbing malicious traffic across their network) and reduce load on the origin server.
CI/CD (Continuous Integration / Continuous Deployment)
TechnicalContinuous Integration (CI) is the practice of automatically testing every code change — running unit tests, security scans, linting, and type checking as soon as code is pushed. Continuous Deployment (CD) extends this by automatically deploying code that passes all tests to production. ReGenesis uses GitHub Actions for CI/CD with a pipeline that includes: lint and type checking, unit tests, security scanning (Snyk/CodeQL), Docker image building, integration tests against a staging database, deployment to staging, smoke tests, manual approval gate, canary deployment (10% of traffic), and full rollout. This automation is also a SOC 2 requirement — demonstrating that changes go through a controlled, auditable process.
Circuit Breaker
ArchitectureA circuit breaker is a software design pattern that prevents an application from repeatedly calling a service that is likely to fail, avoiding cascading failures across the system. It works like an electrical circuit breaker: when failures exceed a threshold, the circuit "opens" and subsequent calls immediately return a fallback response without attempting the failing service. After a cooldown period, the circuit enters a "half-open" state and allows a test request through — if it succeeds, the circuit closes and normal operation resumes. For ReGenesis, circuit breakers protect against: LLM API outages (return cached or fallback responses instead of timing out), database connection exhaustion, and external service failures (Zoom, Recall.ai). This pattern is essential for maintaining system availability when any single dependency degrades.
Claude
AIClaude is Anthropic's family of large language models (LLMs). The current family includes Claude Opus (most capable, used for deep analysis), Claude Sonnet (balanced performance and cost, used for session analysis and insight generation), and Claude Haiku (fastest and cheapest, used for companion chat and classification tasks). ReGenesis uses Claude's API — meaning data is sent to Anthropic's servers for processing and the result is returned. Critically, Anthropic's API terms and the no-training flag guarantee that this data is never used to train or improve Claude. This is a key procurement requirement for enterprise clients who need assurance their coaching data remains private.
Cloud Computing
InfrastructureCloud computing is the delivery of computing resources — servers, databases, storage, networking, and more — over the internet on a pay-as-you-go basis. Instead of buying and maintaining physical servers, companies rent computing capacity from cloud providers like AWS, Google Cloud, or Microsoft Azure. Benefits include: instant scalability (add more servers in seconds), no upfront hardware costs, automatic redundancy and backup, and inheriting the cloud provider's security certifications. ReGenesis runs entirely on AWS cloud infrastructure, which means AWS handles the physical data center security, power, cooling, and hardware — while ReGenesis focuses on application-level security and functionality.
Coachee
DomainA coachee is the individual receiving professional coaching services. In the ReGenesis platform, coachees are typically employees of enterprise clients (like McKinsey consultants receiving leadership coaching). Coachees have access to: session summaries approved by their coach, AI companion chat (Sasha in companion mode), their development goals and progress tracking, and Evidence Pack insights that their coach has chosen to share. Importantly, coachees never see the coach's private notes, raw AI analysis, or other clients' data. The visibility tag system ensures coachees only see data marked client_visible.
Constitutional AI
AIConstitutional AI (CAI) is Anthropic's proprietary approach to AI alignment. Instead of relying only on human feedback to train the model, CAI gives the model a set of principles (a "constitution") and trains it to critique and revise its own outputs based on those principles. The result is an AI that is more thoughtful, more cautious about harmful outputs, and more transparent about its reasoning. For ReGenesis, this means Claude is naturally more careful with sensitive coaching content — it's less likely to generate clinical diagnoses, more likely to flag concerning content, and better at maintaining appropriate boundaries.
Context Window
AIThe context window is the maximum input size a language model can process in a single request, measured in tokens (roughly 0.75 words per token). Claude's 200K token context window (~150,000 words) is one of the largest available. This matters enormously for coaching: a 60-minute session transcript is typically 8,000-15,000 words. With a large context window, Sasha can process the entire transcript at once, maintaining coherence and identifying patterns across the full session. Models with smaller context windows would need to split the transcript into chunks, losing cross-section context and producing less accurate insights.
Cross-Tenant
SecurityCross-tenant refers to any interaction or data leakage between different enterprise clients (tenants) sharing the same platform. In a multi-tenant system like ReGenesis, McKinsey's coaching data must be completely invisible to Google's coaching data, even though both are stored in the same database. A cross-tenant data leak — where one client accidentally sees another client's data — is a critical security incident that could result in immediate contract termination, regulatory fines, and reputational damage. ReGenesis prevents this through PostgreSQL Row-Level Security (every query is automatically filtered by tenant ID), vector database namespace isolation, and context assembly validation.
D
Dashboard
ProductA dashboard is a graphical user interface that displays key metrics, status information, and actionable items in a consolidated view. ReGenesis provides role-specific dashboards: Coach Dashboard (active clients, upcoming sessions, pending AI insights to review, session preparation tools), Coachee Dashboard (session summaries, AI companion access, goals and progress), Admin Dashboard (program metrics, user management, compliance status), and Executive Dashboard (anonymized aggregate outcomes, ROI metrics, program health). Dashboards are built with Next.js and update in real-time as data changes.
Data at Rest
SecurityData at rest refers to data that is stored persistently — in databases, file systems, backups, and archives. This contrasts with "data in transit" (being transmitted over a network) and "data in use" (being processed in memory). ReGenesis encrypts all data at rest using AES-256 via AWS Key Management Service (KMS). This includes PostgreSQL database files, S3 objects (transcripts, recordings), Redis cache snapshots, and backup archives. Encryption at rest is a fundamental requirement for SOC 2, GDPR, and every enterprise procurement questionnaire.
Data in Transit
SecurityData in transit refers to data actively moving between locations — from a user's browser to the ReGenesis API, from the API to the database, or from the API to Anthropic's Claude service. ReGenesis encrypts all data in transit using TLS (Transport Layer Security) version 1.2 or 1.3. TLS ensures that even if someone intercepts network traffic, they cannot read the contents. This applies to all connections: browser to server, server to database, server to Redis cache, server to S3, and server to external APIs (Anthropic, Zoom, Google, etc.).
Data Minimization
ComplianceData minimization is a fundamental principle of data protection law (GDPR Article 5(1)(c)). It requires that personal data be "adequate, relevant and limited to what is necessary" for the stated purpose. For ReGenesis, this means: only collect coaching data necessary for delivering coaching services, don't retain data longer than needed (automatic retention policies), strip unnecessary PII before AI processing (pseudonymization), aggregate data for analytics rather than using individual records, and give users tools to delete their data. Data minimization reduces risk — the less data you hold, the less damage a breach can cause.
Data Sovereignty
ComplianceData sovereignty is the concept that data is subject to the laws and governance structures of the nation in which it is collected, stored, or processed. This has significant implications for cloud-based platforms like ReGenesis: US enterprise clients may require data to stay within the United States, EU clients may require data to stay within the EU (per GDPR), and certain industries (healthcare, finance, government) have specific data residency requirements. ReGenesis addresses data sovereignty by hosting primarily in AWS us-east-1 (Northern Virginia) for US clients, with the architecture designed to support EU-region deployment when needed for global expansion.
Database
InfrastructureA database is a structured system for storing, organizing, and retrieving data. ReGenesis uses PostgreSQL as its primary relational database, meaning data is organized into tables with defined relationships (a session belongs to a coach and coachee, an insight belongs to a session, etc.). PostgreSQL provides features critical for ReGenesis: Row-Level Security for tenant isolation, JSONB for flexible data like Evidence Packs, full-text search, and the pgvector extension for AI embeddings. The database runs on AWS RDS (Relational Database Service), which handles automated backups, failover, patching, and encryption.
DDoS (Distributed Denial of Service)
SecurityA Distributed Denial of Service attack overwhelms a target system with traffic from many sources simultaneously, making the service unavailable to legitimate users. DDoS attacks can target network bandwidth (volumetric), server resources (protocol), or application logic (application-layer). ReGenesis defends against DDoS through multiple layers: AWS Shield Standard (automatic protection against common network-layer attacks), AWS Shield Advanced (available for enhanced protection with 24/7 DDoS response team), CloudFront CDN (absorbs traffic at edge locations worldwide), WAF rate-based rules (blocking IPs that exceed request thresholds), and auto-scaling infrastructure that can absorb traffic spikes.
Dead Letter Queue
InfrastructureA Dead Letter Queue (DLQ) is a special message queue that receives messages that could not be successfully processed after a configured number of retry attempts. Without a DLQ, failed messages would either be lost (data loss) or retry indefinitely (wasting resources). With a DLQ, the system moves the problematic message aside, continues processing other messages normally, and alerts the engineering team to investigate. For ReGenesis, DLQs are critical for ensuring no coaching data is lost: if a transcript fails to process (malformed audio, AI service error, temporary database issue), the message lands in the DLQ where engineers can diagnose the issue and reprocess it manually or automatically.
Deepgram
InfrastructureDeepgram is an AI-powered speech recognition platform optimized for real-time streaming transcription. Unlike batch transcription services (which process a complete audio file after the fact), Deepgram processes audio as it streams, delivering transcript text with sub-300ms latency — fast enough for live coaching assistance. For ReGenesis, Deepgram is a strong candidate for powering Sasha Live: as the coaching conversation happens on Zoom or Teams, audio streams through Recall.ai to Deepgram, which produces real-time transcript segments that Sasha analyzes on the fly to suggest questions and surface relevant context. Deepgram supports speaker diarization (identifying who is speaking), punctuation, and custom vocabulary.
Defense-in-Depth
SecurityDefense-in-depth is a security strategy that deploys multiple layers of defensive controls throughout an information system. The principle is that no single control is sufficient — if an attacker bypasses one layer, subsequent layers still protect the system. ReGenesis implements defense-in-depth across: network layer (VPC isolation, security groups, WAF), transport layer (TLS encryption, certificate pinning), application layer (input validation, output encoding, OWASP protections), data layer (AES-256 encryption, Row-Level Security, field-level RBAC), AI layer (prompt injection defenses, output validation, safety guardrails), and monitoring layer (SIEM, anomaly detection, audit logging). This multi-layered approach is a core principle of enterprise security architecture.
DEK (Data Encryption Key)
SecurityA Data Encryption Key is used in envelope encryption — a two-layer approach where data is encrypted with a DEK, and the DEK itself is encrypted with a master key (CMK) stored in AWS KMS. When the system needs to read data, it first asks KMS to decrypt the DEK, then uses the decrypted DEK to decrypt the data. This approach is more secure than using a single key and enables per-tenant encryption: each tenant can have their own DEK, and revoking it makes all their data unreadable. ReGenesis plans per-tenant DEKs at the GA stage.
DPA (Data Processing Agreement)
ComplianceA Data Processing Agreement is a contract required by GDPR Article 28 between a data controller (the enterprise client who owns the data) and a data processor (ReGenesis, who processes the data on their behalf). The DPA specifies: categories of personal data processed, purposes of processing, security measures implemented, sub-processor list (like Anthropic, AWS), data transfer mechanisms, breach notification procedures, data deletion obligations, and audit rights. Every enterprise client will require a signed DPA before their data enters the platform. ReGenesis maintains a template DPA that can be customized per client.
DPIA (Data Protection Impact Assessment)
ComplianceA Data Protection Impact Assessment is a process required by GDPR Article 35 when data processing is likely to result in high risk to individuals' rights and freedoms. This is triggered by: systematic evaluation of personal aspects (AI analysis of coaching behavior), processing of sensitive data (emotional content in coaching), and large-scale processing. ReGenesis's DPIA documents: the necessity and proportionality of processing, risks to data subjects, mitigation measures (pseudonymization, encryption, access controls, human oversight), and the Data Protection Officer's opinion. The DPIA must be completed before the pilot stage and updated when processing changes.
E
ECS Fargate
InfrastructureAmazon ECS (Elastic Container Service) Fargate is a serverless compute engine for containers. With Fargate, you package your application in a Docker container, define its resource requirements (CPU and memory), and AWS handles everything else: provisioning servers, scaling up or down based on demand, applying security patches, and distributing containers across Availability Zones for high availability. ReGenesis uses ECS Fargate to run its backend API services. Each service (auth, sessions, insights, admin) runs as a separate container that can be deployed and scaled independently. Fargate eliminates the operational burden of managing EC2 instances while providing the isolation and reproducibility benefits of containerized deployment.
Encryption
SecurityEncryption is the process of transforming readable data (plaintext) into unreadable ciphertext using a mathematical algorithm and a secret key. Only someone with the correct decryption key can reverse the process. ReGenesis applies encryption at every layer: data at rest (AES-256 via AWS KMS), data in transit (TLS 1.2+), database connections (SSL), and API communications. Encryption is not optional — it's a baseline requirement for every compliance framework (SOC 2, GDPR, ISO 27001) and every enterprise procurement review.
Endpoint
TechnicalAn API endpoint is a specific URL that represents a resource or action in a web API. In ReGenesis's REST API, endpoints follow a consistent pattern: GET /api/v1/tenants/{tenantId}/sessions (list sessions), POST /api/v1/tenants/{tenantId}/sessions (create a session), GET /api/v1/tenants/{tenantId}/sessions/{id}/insights (get insights for a session). Each endpoint has authentication requirements, authorization rules (which roles can access it), rate limits, and audit logging. The API design document specifies all endpoints, their request/response formats, and error handling.
EU AI Act
ComplianceThe EU AI Act is the world's first comprehensive AI regulation, expected to fully apply by 2026-2027. It creates a risk-based classification system: unacceptable risk (banned), high-risk (heavy regulation), limited risk (transparency obligations), and minimal risk (no restrictions). AI systems used in employment contexts — like coaching and evaluating employees — may fall under high-risk (Annex III, Category 4), requiring conformity assessments, transparency documentation, human oversight mechanisms, and ongoing monitoring. ReGenesis's Evidence Packs, coach approval workflow, and AI risk register are specifically designed to satisfy these requirements.
Evidence Pack
ProductEvidence Packs are ReGenesis's core differentiator — a multi-level AI explainability system that ensures every AI-generated insight is traceable back to source evidence. L0 (Headline): A concise insight statement. L1 (Reasoning): The AI's analytical reasoning explaining how it reached this conclusion, including confidence score and methodology. L2 (Source Evidence): Direct references to source material — transcript excerpts with timestamps, video jump links, document citations — with provenance metadata (which model generated it, when, and from what input). The coach reviews each Evidence Pack and approves it before the coachee sees it. This system transforms AI output from "trust the black box" to "verify every claim." See ADR-005 for the architectural decision.
F
Fallback
ArchitectureA fallback is a backup mechanism that maintains service when the primary system fails. ReGenesis implements fallbacks at multiple levels: LLM provider (OpenAI GPT-4o as fallback for Anthropic Claude), database (Multi-AZ deployment means automatic failover to a standby database), cache (application can operate without Redis, just slower), and CDN (origin server serves requests if CloudFront has issues). The LLM adapter pattern (ADR-003) enables seamless provider switching — the application code doesn't know which LLM provider is responding, so switching is transparent.
FastAPI
ArchitectureFastAPI is a modern, high-performance Python web framework for building APIs. It leverages Python type hints to automatically generate OpenAPI documentation, validate incoming requests, and serialize responses — eliminating entire categories of bugs. FastAPI's async support makes it efficient for I/O-heavy workloads like calling LLM APIs, processing transcripts, and querying databases. If ReGenesis uses a Python backend, FastAPI would serve as the API layer, paired with SQLAlchemy for database access and Pydantic for data validation. FastAPI's automatic OpenAPI spec generation is particularly valuable for enterprise clients who review API documentation during procurement.
Fastify
ArchitectureFastify is a high-performance web framework for Node.js, designed from the ground up for speed and developer experience. It is significantly faster than Express.js (the most common Node.js framework) due to its efficient JSON serialization and schema-based request/response validation. Fastify's plugin architecture encourages clean code organization, and its built-in schema validation (using JSON Schema) catches malformed requests before they reach application logic — a security benefit. If ReGenesis uses a TypeScript/Node.js backend, Fastify would serve as the HTTP layer, paired with Prisma for database access. Its schema validation integrates with OpenAPI spec generation for automatic API documentation.
FedRAMP (Federal Risk and Authorization Management Program)
ComplianceThe Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is based on NIST SP 800-53 controls and is required for any cloud service used by federal agencies. While not on the immediate roadmap, FedRAMP authorization would open ReGenesis to government coaching contracts. The SOC 2 and ISO 27001 foundations provide significant overlap with FedRAMP requirements.
Frontend
TechnicalThe frontend is the client-side layer of a web application — everything the user sees and interacts with in their browser. ReGenesis's frontend is built with Next.js 14+ (a React framework) using TypeScript. It provides role-specific interfaces: the Coach Dashboard for managing clients and reviewing AI insights, the Coachee Portal for viewing summaries and chatting with Sasha, the Admin Panel for user management and compliance monitoring, and the Executive Dashboard for aggregate program outcomes. The frontend communicates with the backend via REST API calls over HTTPS.
G
GA (General Availability)
ProductGeneral Availability is the deployment stage when a product is ready for broad commercial use. For ReGenesis, GA represents the transition from a single-pilot client to serving multiple enterprise customers simultaneously. GA requirements include: SOC 2 Type II certification (proving controls work over time), SCIM provisioning (automated user management), complete admin dashboard, procurement packet (pre-filled security questionnaires), multi-tenant performance validation, and 99.9% uptime SLA. GA is planned for Phase 2 of the roadmap.
GDPR (General Data Protection Regulation)
ComplianceThe General Data Protection Regulation is the EU's comprehensive data protection law that took effect in May 2018. It establishes rights for individuals (access, deletion, portability, rectification, objection), obligations for organizations (lawful basis, data minimization, breach notification, DPAs, DPIAs), and significant penalties (up to 4% of global revenue or €20M). ReGenesis builds to GDPR standards even for US-first deployment (per ADR-001) because: McKinsey and Fortune 500 clients operate globally and expect GDPR-grade protections, GDPR compliance makes future EU expansion seamless, and US state privacy laws are converging toward GDPR-like requirements.
H
Hallucination
AIIn AI, a hallucination occurs when a language model generates content that is factually incorrect, fabricated, or not supported by the input data. This is a fundamental limitation of current AI technology — models generate plausible-sounding text based on patterns, not truth. For coaching, hallucination is especially dangerous: an AI that fabricates a quote ("the coachee said they feel overwhelmed by their manager") could damage the coaching relationship and violate trust. ReGenesis mitigates hallucination through Evidence Packs (every claim must link to source material), cross-validation (automated checking of AI quotes against transcripts), confidence scoring (flagging low-confidence outputs), and mandatory coach review (no AI insight reaches the coachee without human approval).
HIPAA (Health Insurance Portability and Accountability Act)
ComplianceHIPAA is the US federal law that establishes standards for protecting Protected Health Information (PHI). It applies to healthcare providers, health plans, and their business associates. HIPAA requires: administrative safeguards (policies, training, risk assessments), physical safeguards (facility access controls), technical safeguards (encryption, access controls, audit logs), and Business Associate Agreements. Professional executive coaching is not currently a HIPAA-covered activity, but the line between coaching and therapy can blur. If ReGenesis enters therapy-adjacent or clinical coaching markets, HIPAA compliance would require additional controls including PHI-specific access rules, 6-year minimum audit log retention, and BAAs with all sub-processors.
HSTS (HTTP Strict Transport Security)
SecurityHTTP Strict Transport Security is a web security policy mechanism where a web server declares that browsers should only interact with it using secure HTTPS connections, never plain HTTP. When a browser receives an HSTS header, it will automatically convert any insecure HTTP links to HTTPS before making the request, preventing man-in-the-middle attacks that try to downgrade the connection. ReGenesis enforces HSTS on all endpoints with a long max-age directive, ensuring that even if a user types "http://" the browser upgrades to HTTPS automatically.
Human-in-the-Loop
AIHuman-in-the-loop (HITL) is a design principle where AI systems require human oversight, review, and approval before their outputs are acted upon. In ReGenesis, HITL is a core safety mechanism: Sasha generates insights and Evidence Packs, but a coach must review, edit if needed, and explicitly approve each one before it becomes visible to the coachee. This prevents hallucinated or inappropriate AI outputs from reaching clients, maintains the coach's professional authority, and satisfies the EU AI Act's requirement for "meaningful human oversight" of high-risk AI systems. HITL also provides valuable feedback — coach edits and rejections train the team to improve Sasha's prompts and safety filters.
I
IaC (Infrastructure as Code)
TechnicalInfrastructure as Code is the practice of managing and provisioning computing infrastructure through machine-readable configuration files rather than manual processes. ReGenesis uses Terraform as its IaC tool. Every piece of AWS infrastructure — VPCs, databases, load balancers, encryption keys — is defined in Terraform code, stored in Git, and deployed through CI/CD. Benefits include: reproducibility (spin up identical environments for staging and production), version control (every change is tracked in Git), audit trail (who changed what and when), peer review (infrastructure changes go through pull requests), and disaster recovery (rebuild the entire infrastructure from code).
IdP (Identity Provider)
SecurityAn Identity Provider is a service that creates, maintains, and manages identity information and provides authentication services. Common enterprise IdPs include Azure Active Directory (Microsoft), Okta, OneLogin, and Google Workspace. When an enterprise client deploys ReGenesis, their IT team configures their IdP to trust ReGenesis as a service provider. Users then log in through their company's login page (SSO), and the IdP sends an authentication token (via SAML 2.0 or OIDC) to ReGenesis confirming the user's identity and attributes. This means employees don't need a separate ReGenesis password and IT can centrally manage access.
Incident Response
SecurityIncident response is the systematic approach to handling security breaches, data leaks, system compromises, and other security events. An effective incident response plan defines: detection mechanisms (how incidents are identified), classification (severity levels and escalation paths), containment (stopping the incident from spreading), eradication (removing the root cause), recovery (restoring normal operations), and lessons learned (post-mortem analysis and process improvements). ReGenesis maintains documented runbooks for common incident types and conducts regular tabletop exercises. SOC 2 requires a documented and tested incident response plan.
Input Validation
SecurityInput validation is a security control that verifies all data received from external sources (user input, API requests, file uploads, webhook payloads) conforms to expected formats before processing. Validation includes type checking (is this a number?), range checking (is this within acceptable bounds?), format checking (is this a valid email address?), length checking (is this within size limits?), and allowlist checking (is this one of the permitted values?). In ReGenesis, input validation is enforced at the API layer using schema validation (Zod or Pydantic) and at the database layer using column constraints. This is a primary defense against injection attacks in the OWASP Top 10.
ISO 27001
ComplianceISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). While SOC 2 is the primary US certification, ISO 27001 is widely recognized globally, especially in Europe. Certification requires: documented security policies, risk assessment methodology, Statement of Applicability (mapping all 114 controls), internal audits, management review, and external audit by an accredited certification body. ReGenesis targets ISO 27001 certification at the Global Expansion stage (Phase 3), following SOC 2 Type II at GA. The two frameworks overlap significantly, so SOC 2 preparation provides a strong foundation for ISO 27001.
J
JWT (JSON Web Token)
SecurityA JSON Web Token is a compact, URL-safe means of representing claims between two parties. In ReGenesis, JWTs are issued after successful authentication and contain: user ID, tenant ID, role, and expiration time. The JWT is digitally signed (so it can't be tampered with) and sent with every API request in the Authorization header. The server verifies the signature and extracts the user's identity and permissions without needing to look up a session in the database. JWTs are stateless (the server doesn't store them), short-lived (typically 15 minutes), and paired with refresh tokens for seamless session management.
K
KMS (Key Management Service)
SecurityKey Management Service is a managed service for creating, storing, and controlling cryptographic keys. ReGenesis uses AWS KMS, which stores master keys (Customer Master Keys / CMKs) in FIPS 140-2 validated Hardware Security Modules (HSMs). KMS features include: automatic key rotation (annually), detailed audit logging of every key usage via CloudTrail, fine-grained access policies (which services and users can use each key), and integration with all AWS services (RDS, S3, ECS). ReGenesis uses separate KMS keys for different purposes: database encryption, artifact storage encryption, and audit log encryption.
L
L0 / L1 / L2 (Evidence Pack Levels)
ProductL0, L1, and L2 refer to the three levels of ReGenesis's Evidence Pack system. L0 (Headline): A concise, human-readable insight statement, e.g., "Coachee demonstrated improved conflict resolution skills." L1 (Reasoning): The AI's analytical chain of thought — how it reached this conclusion, what patterns it observed, cross-session comparisons, and a confidence score (0.0-1.0). L2 (Source Evidence): Direct, verifiable references to source material — exact transcript quotes with timestamps, video jump links to the specific moments, document citations with page numbers. The three levels serve different audiences: executives read L0, coaches review L1, and anyone who wants to verify a claim checks L2.
Lambda (AWS Lambda)
InfrastructureAWS Lambda is a serverless compute service that runs code in response to events — such as an API request, a file upload to S3, a message arriving in SQS, or a scheduled timer. With Lambda, there are no servers to manage: AWS automatically provisions compute resources, executes the function, scales to handle any volume of requests, and charges only for the actual compute time consumed (billed per millisecond). For ReGenesis, Lambda is well-suited for event-driven workflows like processing webhook notifications from Zoom, triggering transcript ingestion when a new recording arrives, running scheduled cleanup tasks, and lightweight data transformations. Lambda pairs naturally with SQS, S3, and API Gateway.
LLM (Large Language Model)
AIA Large Language Model is a type of artificial intelligence trained on massive amounts of text data that can understand, generate, and reason about human language. LLMs work by predicting the most likely next tokens (word pieces) given a context. Modern LLMs like Claude and GPT-4 can perform sophisticated tasks: summarization, analysis, question-answering, code generation, and creative writing. ReGenesis uses LLMs through API calls — sending coaching transcripts and structured prompts, and receiving back insights, summaries, and analysis. The LLM does not "know" about the coaching context from training; it learns from the information provided in each specific API call.
M
MDM (Mobile Device Management)
SecurityMobile Device Management is a type of security software used by enterprise IT departments to monitor, manage, and secure employees' mobile devices (smartphones, tablets) across multiple operating systems. MDM platforms like Microsoft Intune, VMware Workspace ONE, and MobileIron can enforce security policies (password complexity, encryption, screen lock timeout), deploy and manage applications, separate work and personal data (containerization), and remotely wipe company data if a device is lost, stolen, or when an employee leaves. ReGenesis supports MDM integration to ensure the mobile coaching experience meets enterprise security requirements.
Message Queue
ArchitectureA message queue is a middleware pattern where application components communicate by sending messages to a shared queue rather than calling each other directly. The sender places a message (e.g., "process this transcript") in the queue and continues working immediately; a separate worker picks up the message and processes it asynchronously. If the worker is busy or temporarily down, messages wait safely in the queue until they can be processed. This decoupling improves reliability (no data loss during failures), scalability (add more workers to handle spikes), and responsiveness (the user doesn't wait for background processing). ReGenesis uses message queues for transcript processing, AI insight generation, notification delivery, and other workflows that don't need to happen instantly.
MFA (Multi-Factor Authentication)
SecurityMulti-Factor Authentication requires users to provide two or more verification factors to gain access. The factors are typically: something you know (password), something you have (phone with authenticator app), and something you are (fingerprint or face). ReGenesis supports TOTP-based MFA (Time-based One-Time Password via authenticator apps like Google Authenticator or Authy) for local accounts. Enterprise SSO users get MFA from their Identity Provider. MFA is mandatory for admin and system admin roles and strongly recommended for all users. MFA dramatically reduces the risk of account compromise — even if a password is stolen, the attacker can't log in without the second factor.
Microservice
ArchitectureA microservice is a small, independently deployable service that handles a specific business capability. Instead of one large application (monolith), a microservice architecture splits the system into focused services: Auth Service, Session API, Insight API, Admin API, etc. Each can be developed, deployed, and scaled independently. ReGenesis starts with a modular monolith (all services in one codebase but logically separated) and can extract into true microservices as the team and traffic grow. This approach avoids premature complexity while maintaining a clean architecture.
Multi-AZ (Multiple Availability Zones)
InfrastructureMulti-AZ deployment is an AWS high-availability strategy where resources are deployed across multiple Availability Zones — physically separate data centers within a region that have independent power, cooling, and networking. If one AZ experiences a failure (hardware issue, power outage, natural disaster), services automatically fail over to healthy AZs. ReGenesis deploys its database (RDS Multi-AZ), cache (ElastiCache Multi-AZ), and compute (ECS across multiple AZs) using this strategy. Multi-AZ is a baseline requirement for production enterprise applications and is expected in SOC 2 audits and procurement questionnaires.
Multi-Tenant
ArchitectureMulti-tenancy is an architecture where a single instance of software serves multiple customers (tenants), with each tenant's data logically isolated from others. This is more cost-effective than giving each client their own servers (single-tenant), but requires careful isolation. ReGenesis implements multi-tenancy through: a tenant_id column on every database table, PostgreSQL Row-Level Security (RLS) that automatically filters every query by tenant, vector database namespace isolation, and application-layer tenant context enforcement. The key principle: even a bug in the application code cannot leak data across tenants because isolation is enforced at the database level.
MVP (Minimum Viable Product)
ProductA Minimum Viable Product is the most basic version of a product that can be released to early users for validation and feedback. For ReGenesis, MVP0 is the demo stage: functional coaching workflows, AI analysis with Evidence Packs, real encryption and data security, but without formal certifications (SOC 2, ISO 27001) or enterprise features (SCIM provisioning, SAML SSO). The goal of MVP0 is to demonstrate the platform's capabilities and value proposition to McKinsey and other potential enterprise clients, gathering feedback that shapes the pilot phase.
N
Next.js
TechnicalNext.js is a React framework developed by Vercel that provides server-side rendering (SSR), static site generation, API routes, and optimized performance out of the box. It's the most popular React framework as of 2026, with the largest hiring pool. ReGenesis uses Next.js for its entire frontend: the Coach Dashboard, Coachee Portal, Admin Panel, and Executive Dashboard are all served from a single Next.js application with role-based routing. Next.js's server-side rendering improves initial page load performance and SEO, while its built-in API routes can serve as a lightweight backend-for-frontend layer.
NIST (National Institute of Standards and Technology)
ComplianceThe National Institute of Standards and Technology is a US federal agency that develops technology standards and guidelines. In cybersecurity, NIST publications are foundational: NIST SP 800-53 defines the most comprehensive catalog of security and privacy controls, the NIST Cybersecurity Framework (CSF) provides an industry-standard risk management approach, and NIST SP 800-171 governs protection of controlled unclassified information. While ReGenesis does not currently require NIST compliance directly, many SOC 2 controls map to NIST standards, and enterprise procurement teams increasingly reference NIST frameworks in security questionnaires.
Node.js
ArchitectureNode.js is a JavaScript runtime built on Chrome's V8 engine that allows JavaScript and TypeScript to run on the server side — outside the browser. This means a team can use the same language for both the frontend (React/Next.js) and the backend (API server), reducing context switching and enabling code sharing. Node.js uses an event-driven, non-blocking I/O model that makes it efficient for handling many concurrent connections — ideal for real-time features like Sasha Live. Combined with TypeScript (for type safety) and frameworks like Fastify or Express, Node.js is one of the two primary backend options for ReGenesis (the other being Python with FastAPI).
O
OAuth 2.0
SecurityOAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on third-party services. Instead of sharing passwords, users authorize specific permissions through a consent screen. ReGenesis uses OAuth 2.0 for: Zoom integration (retrieving session recordings and transcripts), Google Workspace (calendar, Gmail, Drive), Microsoft 365 (Outlook, Teams), and Slack (messaging). Each OAuth connection is scoped to minimum required permissions, tokens are stored encrypted, and users can revoke access at any time.
OIDC (OpenID Connect)
SecurityOpenID Connect is an identity authentication protocol built on top of OAuth 2.0. While OAuth 2.0 handles authorization (what you can access), OIDC adds authentication (who you are). OIDC is simpler to implement than SAML and is increasingly preferred by modern enterprise Identity Providers. ReGenesis supports both SAML 2.0 and OIDC for enterprise SSO, giving clients flexibility to use whichever protocol their Identity Provider supports.
OpenAPI
ArchitectureOpenAPI (formerly known as Swagger) is the industry-standard specification for describing RESTful APIs. An OpenAPI spec is a YAML or JSON file that defines every API endpoint, its request parameters, request body schema, response formats, authentication requirements, and error codes. From this single spec file, tools can automatically generate: interactive API documentation (Swagger UI), client SDKs in any language, server stubs, request validation middleware, and automated test suites. For ReGenesis, maintaining an OpenAPI spec ensures the API contract between frontend and backend is always documented and consistent, speeds up onboarding for new engineers, and satisfies enterprise procurement teams who want to review API security boundaries.
ORM (Object-Relational Mapping)
TechnicalAn Object-Relational Mapper is a library that creates a "virtual object database" that maps programming language objects to database tables. Instead of writing raw SQL like "SELECT * FROM sessions WHERE tenant_id = 'abc'", developers write code like "Session.findMany({ where: { tenantId: 'abc' } })". The ORM translates this to SQL, handles type conversion, and returns typed objects. ReGenesis recommends Prisma (for TypeScript stacks) or SQLAlchemy (for Python stacks). ORMs improve developer productivity, reduce SQL injection risks, and provide type safety.
Output Encoding
SecurityOutput encoding (also called output escaping) is a security control that converts potentially dangerous characters into safe representations before rendering them in a web page. For example, the character "<" is encoded as "<" so the browser displays it as text rather than interpreting it as an HTML tag. Without output encoding, an attacker could store malicious JavaScript in a database field (like a coaching note) and have it execute when another user views that data — a cross-site scripting (XSS) attack. ReGenesis applies context-appropriate output encoding for HTML, JavaScript, CSS, and URL contexts using framework-provided encoding functions.
Output Validation
AIOutput validation is the practice of examining and filtering AI-generated content before delivering it to end users. For ReGenesis, this is critical because Sasha processes sensitive coaching data and generates insights that influence professional development decisions. Output validation checks include: clinical language detection (preventing Sasha from using diagnostic terms), harmful content filtering (blocking inappropriate or dangerous advice), prompt injection detection (identifying signs that the AI's instructions were manipulated), confidence scoring (flagging low-confidence outputs for additional review), and format validation (ensuring Evidence Packs have proper L0/L1/L2 structure). This is a key OWASP LLM Top 10 defense.
OWASP (Open Web Application Security Project)
SecurityThe Open Web Application Security Project is a nonprofit foundation that produces guidelines, tools, and resources for web application security. Their OWASP Top 10 is the industry standard reference for critical web security risks (injection, broken access control, XSS, etc.), and their OWASP LLM Top 10 is the equivalent for AI-powered applications (prompt injection, insecure output handling, training data poisoning, etc.). ReGenesis's security design addresses both lists comprehensively. The AI Risk Register maps every identified risk to the relevant OWASP category with specific mitigations.
P
Penetration Testing
SecurityPenetration testing (pen testing) is a security assessment technique where authorized testers simulate real-world attacks against a system to identify exploitable vulnerabilities. Unlike automated scanning, penetration testing involves creative, human-driven attack techniques. ReGenesis conducts penetration testing covering: web application testing (OWASP Top 10), API security testing (authentication bypass, injection, rate limit evasion), AI-specific testing (prompt injection, data extraction, model manipulation), infrastructure testing (network segmentation, cloud misconfiguration), and social engineering assessment. Testing is performed by CREST or OSCP-certified firms and findings are remediated before production deployment.
PII (Personally Identifiable Information)
CompliancePersonally Identifiable Information is any data that can be used to identify a specific individual, either directly (name, email, social security number) or indirectly (IP address, device ID, or a combination of non-unique attributes). In the coaching context, PII extends to: session recordings and transcripts (identifiable by voice or name mentions), coaching notes, goals, feedback, behavioral assessments, and AI-generated insights about specific individuals. ReGenesis protects PII through encryption, role-based access controls, pseudonymization before AI processing, data minimization, and retention policies that automatically delete data after the specified period.
Pilot
ProductA pilot is a controlled deployment with a limited number of users (typically one enterprise client) to validate the platform in a real-world environment before broader release. ReGenesis's pilot phase includes: deployment with McKinsey (or first enterprise client), real coaching sessions processed through Sasha, SOC 2 Type I certification during this period, SAML SSO integration with the client's Identity Provider, coach and coachee feedback collection, AI quality benchmarking, and security validation. The pilot is expected to last 4-6 months and its success is the gate to GA (General Availability).
PostgreSQL
InfrastructurePostgreSQL is an advanced open-source relational database management system with over 35 years of active development. It's used by companies from startups to NASA. ReGenesis chose PostgreSQL for several critical features: Row-Level Security (RLS) for multi-tenant data isolation at the database level, JSONB columns for flexible storage of Evidence Packs and dynamic content, the pgvector extension for AI embedding similarity search, built-in full-text search (eliminating the need for Elasticsearch at pilot scale), and enterprise trust (every procurement team approves PostgreSQL). PostgreSQL runs as a managed service on AWS RDS, which handles automated backups, failover, patching, and encryption.
Prisma
ArchitecturePrisma is a modern ORM for TypeScript and Node.js that provides type-safe database access, automated migrations, and an intuitive data modeling language. Unlike traditional ORMs that map classes to tables, Prisma uses a schema file to define the data model and generates a fully typed client — meaning the TypeScript compiler catches invalid queries before the code even runs. For ReGenesis (if using a TypeScript/Node.js backend), Prisma would handle all PostgreSQL interactions: CRUD operations on sessions, insights, and user profiles, complex joins across coaching relationships, JSONB operations for Evidence Packs, and schema migrations during deployment. Prisma's generated types flow through the entire application, reducing runtime errors.
Prompt
AIA prompt is the text input sent to a large language model to elicit a response. In ReGenesis, prompts are carefully engineered structured instructions that include: a system prompt (Sasha's identity, rules, and boundaries), context (the coaching transcript, session history, coachee profile), and a specific task instruction (generate insights, summarize the session, identify patterns). Prompt engineering is a critical skill — the quality of AI output depends heavily on prompt design. ReGenesis's prompts include explicit safety instructions (no clinical language, crisis detection, confidentiality rules) and are version-controlled for reproducibility and audit purposes.
Prompt Injection
SecurityPrompt injection is an attack technique where malicious instructions are embedded in user-provided input to override the AI model's system prompt. It's analogous to SQL injection but targets language models instead of databases. Direct injection: a coachee says "ignore your previous instructions" during a session. Indirect injection: malicious text is embedded in a document or profile field that the AI later reads. ReGenesis mitigates prompt injection through: system prompt hardening (strong instruction boundaries), input sanitization (filtering known injection patterns), content delimiters (XML-like tags separating instructions from user content), output validation (detecting signs of successful injection), and quarterly red-team testing.
Pseudonymization
SecurityPseudonymization is the process of replacing directly identifying information with artificial identifiers. In ReGenesis, before a coaching transcript is sent to the LLM for analysis, all PII is detected and replaced: names become "Person A," "Person B"; email addresses become "[email]"; company names become "[Organization]." The mapping table (Person A = John Smith) is stored separately from the pseudonymized data and never sent to the LLM. This means even if there were an AI data leak, no real identities would be exposed. Pseudonymization is required by GDPR as a data protection measure and is a key differentiator in enterprise procurement discussions.
R
Rate Limiting
SecurityRate limiting controls the number of requests a client can make to an API within a defined time window. ReGenesis implements rate limiting at multiple levels: per-user (prevent one user from overwhelming the system), per-tenant (prevent one client from consuming all resources), per-endpoint (AI-heavy endpoints have stricter limits), and global (overall system protection). Rate limiting prevents abuse, protects against denial-of-service attacks, controls LLM API costs (each AI call costs money), and ensures fair resource allocation. Limits are tracked in Redis for sub-millisecond enforcement.
RBAC (Role-Based Access Control)
SecurityRole-Based Access Control assigns permissions to roles rather than individual users. ReGenesis defines six roles: Coachee (sees own session summaries, AI companion), Coach (manages clients, reviews AI insights, private notes), Admin (user management, aggregate reports, compliance monitoring), Executive (anonymized program outcomes, ROI metrics), Sasha/AI (scoped access per coaching relationship), and System Admin (infrastructure management, audit log access). Each role has a specific set of permissions defining which API endpoints, data fields, and features they can access. RBAC is combined with ABAC (visibility tags) for fine-grained field-level access control.
Recall.ai
InfrastructureRecall.ai is a specialized infrastructure service that provides virtual meeting bots capable of joining video calls on Zoom, Microsoft Teams, and Google Meet. The bot joins a scheduled meeting, captures the raw audio stream, and forwards it to ReGenesis for real-time or post-session processing. This eliminates the need for ReGenesis to build and maintain separate integrations with each meeting platform — a significant engineering effort given the frequent API changes these platforms make. Recall.ai handles bot management, platform authentication, audio streaming, and recording compliance notifications, while ReGenesis focuses on transcript processing, AI analysis, and insight generation.
Redis
InfrastructureRedis is an open-source, in-memory data structure store used as a cache, message broker, and streaming engine. "In-memory" means data is stored in RAM rather than on disk, providing microsecond response times. ReGenesis uses Redis (via AWS ElastiCache) for: session token caching (avoiding database lookups on every request), rate limiting counters (tracking API usage per user/tenant), feature flags (toggling functionality instantly), and temporary data (partial form submissions, real-time processing state). Redis data is encrypted at rest and in transit, with automatic failover in production.
Redis Streams
InfrastructureRedis Streams is a data structure within Redis designed for real-time event streaming and message queue workloads. It provides an append-only log with consumer groups — meaning multiple worker processes can read from the same stream, with Redis tracking which messages each consumer has processed. If a consumer crashes mid-processing, the message is automatically reassigned to another consumer. For ReGenesis, Redis Streams could handle real-time events like live session processing, Sasha Live suggestions, and notification delivery — all with sub-millisecond latency since Redis operates entirely in memory. Redis Streams is lighter-weight than SQS for internal, high-speed messaging.
REST API
TechnicalA RESTful API (Representational State Transfer) is an architectural style for web APIs where resources are identified by URLs, manipulated using standard HTTP methods, and represented in standard formats (usually JSON). ReGenesis's REST API follows patterns like: GET /api/v1/tenants/{tenantId}/sessions (list sessions), POST /api/v1/sessions/{id}/insights (create insight), PUT /api/v1/insights/{id}/approval (approve insight). REST APIs are stateless (each request contains all needed information), cacheable, and layered. This is the most common API style in modern web development, well-understood by developers and security teams.
RLS (Row-Level Security)
SecurityRow-Level Security is a PostgreSQL feature that restricts which rows a user can access based on security policies defined at the database level. In ReGenesis, every table has an RLS policy that filters rows by tenant_id: when McKinsey's users query the sessions table, they only see McKinsey's sessions — the database physically cannot return another tenant's rows. This is enforced by the database engine itself, meaning even a bug in the application code cannot cause a cross-tenant data leak. RLS is set per-request by the API middleware, which sets the current tenant context before each query executes. This is ReGenesis's primary defense against cross-tenant data leakage.
RPO (Recovery Point Objective)
InfrastructureRecovery Point Objective is the maximum acceptable amount of data loss measured in time. If the RPO is 1 hour and the database fails, the most recent recoverable backup is at most 1 hour old — meaning up to 1 hour of data could be lost. RPO is determined by backup frequency: hourly backups = 1 hour RPO, continuous replication = near-zero RPO. ReGenesis targets RPO of 1 hour at pilot (hourly backups) and near-zero at GA (continuous replication). RPO is a key metric in enterprise procurement questionnaires and disaster recovery planning.
RTO (Recovery Time Objective)
InfrastructureRecovery Time Objective is the maximum acceptable downtime after a disaster or major failure. If the RTO is 4 hours, the engineering team commits to restoring full service within 4 hours of the incident. RTO includes: detecting the issue, diagnosing the cause, executing the recovery procedure, and validating the system is operational. ReGenesis targets RTO of 4 hours at pilot stage and 1 hour at GA, achieved through: AWS Multi-AZ deployments (automatic database failover), Infrastructure as Code (rebuild from Terraform in minutes), container-based deployment (spin up new instances quickly), and documented runbooks for common failure scenarios.
S
SaaS (Software as a Service)
ProductSoftware as a Service is a software delivery model where applications are hosted in the cloud and accessed over the internet, typically via a web browser. Users pay a subscription fee rather than purchasing and installing software. SaaS benefits include: no installation required, automatic updates, accessible from any device, and scalable pricing. ReGenesis is a B2B (Business-to-Business) SaaS platform — enterprise clients subscribe and their coaches/coachees access the platform through the web application. Enterprise SaaS procurement involves security reviews, DPAs, SSO integration, and compliance verification.
Safety Guardrails
AISafety guardrails are automated controls built into an AI system to prevent harmful outputs. In ReGenesis, Sasha's safety guardrails include: clinical language prevention (the AI never uses diagnostic terms like "depression" or "anxiety disorder"), crisis detection and escalation (flagging mentions of self-harm, abuse, or immediate danger), the no-diagnosis rule (Sasha never diagnoses conditions or recommends treatment), confidentiality enforcement (never revealing one client's data to another), boundary detection (alerting coaches when conversations approach therapy territory), and content filtering (blocking inappropriate, discriminatory, or harmful content). These guardrails operate at both the prompt level (system instructions) and the output validation level (post-generation filtering).
SAML 2.0 (Security Assertion Markup Language)
SecuritySAML 2.0 is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). In practice: a McKinsey employee clicks "Login" on ReGenesis, gets redirected to McKinsey's IdP (e.g., Azure AD), authenticates there, and the IdP sends a signed SAML assertion to ReGenesis confirming the user's identity, role, and attributes. SAML is the most widely supported enterprise SSO protocol. ReGenesis must support SAML 2.0 by the pilot stage because enterprise clients require SSO integration — they will not allow employees to create separate passwords for each vendor.
Sasha
ProductSasha is ReGenesis's AI engine — a carefully designed intelligence layer built on Anthropic's Claude. Sasha operates in three modes: Observe (monitoring live sessions, flagging key moments), Analyze (processing transcripts to generate insights, patterns, and Evidence Packs after sessions), and Act (responding to coachee questions in companion mode, suggesting questions to coaches in Sasha Live mode). Sasha has its own role in the RBAC system with scoped data access per coaching relationship. All Sasha outputs go through safety checks (clinical language detection, crisis escalation, content filtering) and require coach approval before reaching coachees.
Sasha Live
ProductSasha Live is the real-time component of the Sasha AI engine, delivered via a browser extension (Chrome Extension, planned). During a live coaching session (typically on Zoom or Teams), Sasha Live provides the coach with: real-time suggested questions based on the conversation, relevant context from previous sessions ("last time, the coachee mentioned X"), sentiment and energy indicators, therapy territory alerts (flagging when the conversation approaches clinical boundaries), and session timer with milestone prompts. Sasha Live is visible only to the coach — the coachee does not know it's active. All real-time assistance requires the coach to actively choose whether to use it.
SAST (Static Application Security Testing)
SecurityStatic Application Security Testing analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. SAST is a "shift-left" security practice — finding vulnerabilities during development rather than in production. ReGenesis integrates SAST tools (such as CodeQL, Semgrep, or SonarQube) into its CI/CD pipeline, automatically scanning every pull request for: injection vulnerabilities, insecure cryptographic usage, hardcoded secrets, authentication flaws, and insecure configurations. SAST is complemented by DAST (Dynamic Application Security Testing) which tests the running application, and SCA (Software Composition Analysis) which checks third-party dependencies.
SBOM (Software Bill of Materials)
SecurityA Software Bill of Materials is a formal, machine-readable inventory of all software components, libraries, and dependencies used in an application. SBOMs have become an industry standard following high-profile supply chain attacks (Log4j, SolarWinds). ReGenesis generates SBOMs automatically during CI/CD using tools like Syft or CycloneDX, listing every npm package, container base image, and system dependency with version numbers. When a new CVE (Common Vulnerabilities and Exposures) is published, the SBOM enables immediate assessment of whether ReGenesis is affected. SBOM generation is increasingly required by enterprise procurement and is a SOC 2 best practice.
SCIM (System for Cross-domain Identity Management)
SecuritySCIM is a standard protocol for automating user provisioning and deprovisioning between an Identity Provider and cloud applications. When integrated with SCIM: new employees are automatically created in ReGenesis when added to the enterprise IdP, role changes in the IdP are automatically reflected in ReGenesis, departing employees are automatically deactivated (preventing orphaned access), and group memberships (coaching cohorts) can be managed centrally. SCIM is planned for GA stage and is a common enterprise procurement requirement — IT teams need automated lifecycle management rather than manual account creation.
SDLC (Secure Development Lifecycle)
TechnicalThe Secure Development Lifecycle is a systematic approach to integrating security into every phase of software development. ReGenesis follows an SDLC that includes: threat modeling during design (identifying potential attack vectors before writing code), secure coding standards (OWASP guidelines, input validation patterns), automated security testing in CI/CD (SAST, dependency scanning, secret detection), code review with security focus (mandatory review for security-sensitive changes), penetration testing before releases, and security monitoring in production. This approach is required by SOC 2 and expected by enterprise procurement teams who want evidence that security is built in, not bolted on.
SIEM (Security Information and Event Management)
SecuritySecurity Information and Event Management is a security solution that provides real-time analysis of security alerts generated by network hardware, applications, and infrastructure. A SIEM collects logs from all sources (application servers, databases, firewalls, identity providers, cloud services), correlates events across sources to detect complex attack patterns, triggers alerts for suspicious activity, and provides dashboards for security operations teams. ReGenesis uses AWS-native SIEM capabilities (CloudWatch, CloudTrail, Security Hub) at the pilot stage, with plans to integrate a dedicated SIEM solution (such as Datadog Security or Splunk) at GA. SIEM is a key SOC 2 requirement for continuous monitoring.
SOC 2 (Service Organization Control 2)
ComplianceSOC 2 is an auditing standard developed by the AICPA (American Institute of Certified Public Accountants) for service organizations. It evaluates controls related to five Trust Service Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Type I: an auditor reviews your controls at a single point in time ("are they well-designed?"). Type II: an auditor reviews your controls over a 6-12 month period ("do they actually work consistently?"). SOC 2 is table stakes for enterprise SaaS — McKinsey and virtually every Fortune 500 company require it. ReGenesis targets SOC 2 Type I during the pilot phase and Type II by GA. Evidence is collected automatically via Vanta.
SQLAlchemy
ArchitectureSQLAlchemy is the most widely used Object-Relational Mapper for Python, providing a full suite of enterprise-grade persistence patterns. It maps Python classes to database tables and Python objects to table rows, translating method calls into optimized SQL. SQLAlchemy supports two main usage styles: the ORM layer (high-level, object-oriented) and the Core layer (lower-level, SQL-expression-based). If ReGenesis uses a Python backend (FastAPI), SQLAlchemy would serve as the primary database access layer, handling query construction, connection pooling, transactions, and schema migrations. It integrates cleanly with PostgreSQL features like JSONB and Row-Level Security.
SQS (Amazon Simple Queue Service)
InfrastructureAmazon Simple Queue Service is a fully managed message queue service that enables decoupling of application components. SQS guarantees message delivery: if a consumer service is temporarily down, messages wait in the queue until the service recovers. SQS supports two queue types: Standard (best-effort ordering, at-least-once delivery, nearly unlimited throughput) and FIFO (strict ordering, exactly-once processing, 300 messages/second). For ReGenesis, SQS could handle async workflows like transcript processing, insight generation, and notification delivery — ensuring no coaching data is lost even during traffic spikes or service disruptions. SQS pairs naturally with Lambda for serverless event processing.
SSO (Single Sign-On)
SecuritySingle Sign-On allows users to authenticate once through their enterprise Identity Provider and gain access to multiple applications without re-entering credentials. SSO improves security (fewer passwords to manage, centralized access control), user experience (one login for everything), and IT governance (centralized access revocation). ReGenesis supports SSO via SAML 2.0 and OIDC protocols. Enterprise SSO is required for the pilot stage because enterprise IT teams mandate it — they need centralized control over which employees can access which vendor applications.
T
Tenant
ArchitectureIn multi-tenant software, a tenant is an individual customer organization. Each tenant gets a logically isolated environment within the shared platform — their own users, data, configurations, and billing, even though the underlying infrastructure is shared. In ReGenesis, a tenant is an enterprise client (e.g., McKinsey). Every database row is tagged with a tenant_id, and Row-Level Security ensures complete data isolation. Tenants can customize certain settings (retention policies, notification preferences, SSO configuration) without affecting other tenants.
Terraform
TechnicalTerraform is an open-source Infrastructure as Code tool by HashiCorp. It uses a declarative configuration language (HCL) to define cloud resources: VPCs, databases, load balancers, encryption keys, IAM policies, and more. Benefits for ReGenesis: all infrastructure is version-controlled in Git (audit trail of every change), environments are reproducible (staging matches production), disaster recovery is simplified (rebuild from code), and changes go through code review (preventing misconfigurations). Terraform is also a SOC 2 compliance requirement — auditors want to see that infrastructure changes are controlled and auditable.
Therapy Territory
DomainTherapy territory refers to the boundary between professional coaching and therapy/clinical practice. Coaching focuses on performance, goals, and professional development; therapy addresses mental health conditions, trauma, and clinical diagnoses. However, in practice, coaching conversations often approach this boundary — a coachee discussing workplace stress might reveal anxiety symptoms, or a leadership conversation might surface personal trauma. ReGenesis doesn't shy away from this reality (see ADR-004: Therapy Territory). Instead, it implements: clinical language detection (preventing Sasha from using diagnostic terms), therapy territory flagging (alerting coaches when conversations approach the boundary), crisis escalation (detecting self-harm or abuse indicators), and the No-Diagnosis Rule (Sasha never diagnoses or recommends treatment).
TLS (Transport Layer Security)
SecurityTransport Layer Security is a cryptographic protocol that provides secure communication over a network. TLS encrypts data in transit between two endpoints (e.g., your browser and the ReGenesis server), preventing eavesdropping, tampering, and message forgery. TLS 1.2 and 1.3 are the current secure versions — older versions (SSL, TLS 1.0, TLS 1.1) have known vulnerabilities and are disabled. ReGenesis requires TLS for all connections: browser to server, server to database, server to Redis, server to S3, and server to external APIs. This is enforced at the infrastructure level through AWS security groups and load balancer configuration.
Token (AI)
AIIn the context of AI language models, a token is the basic unit of text processing. Tokens are typically word fragments: "coaching" might be one token, "un-break-able" might be three tokens. On average, one token is about 0.75 English words. Token counts matter because: LLM APIs charge per token (input and output separately), context windows have token limits (Claude supports 200K tokens), and processing time scales with token count. A typical 60-minute coaching transcript is 10,000-20,000 tokens. Sasha's monthly token consumption determines the largest variable infrastructure cost line item, which is why ReGenesis implements per-tenant token budgets and cost monitoring.
V
Vector Database
AIA vector database stores high-dimensional numerical representations (embeddings) of data and enables similarity search — finding items that are semantically similar even if they don't share the same keywords. In ReGenesis, coaching transcripts, session notes, and insights are converted into embedding vectors using AI models. When Sasha needs to find relevant context across sessions, it searches the vector database for semantically similar content. For example, searching for "delegation challenges" would find sessions that discuss "handing off tasks" or "letting go of control" even without those exact words. ReGenesis starts with pgvector (PostgreSQL extension) for the pilot and plans to migrate to Pinecone (managed vector database) at GA scale.
Visibility Tag
SecurityVisibility tags are ReGenesis's field-level access control mechanism. Every data record is tagged with one of four visibility levels: client_visible (the coachee and coach can see it — approved insights, session summaries), coach_only (only the coach — private notes, raw AI analysis, unapproved insights), admin_aggregate (enterprise admins see anonymized/aggregated versions — program-level metrics without individual details), and system_internal (only the system — audit logs, AI model parameters, internal processing data). The RBAC middleware checks visibility tags on every API request, ensuring users only see data at or below their authorization level. See ADR-007 for the architectural decision.
VPC (Virtual Private Cloud)
InfrastructureA Virtual Private Cloud is a logically isolated section of the AWS cloud where an organization can launch resources in a virtual network that they define. ReGenesis runs all infrastructure within a VPC that includes: public subnets (for load balancers and NAT gateways only), private subnets (for application servers, databases, and caches — not directly accessible from the internet), security groups (virtual firewalls controlling traffic at the instance level), and network ACLs (additional firewall rules at the subnet level). The VPC ensures that even if an attacker compromises one layer, they cannot directly access the database or internal services. VPC architecture is a fundamental enterprise security requirement.
W
WAF (Web Application Firewall)
SecurityA Web Application Firewall monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. It protects against common web attacks listed in the OWASP Top 10: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and more. ReGenesis uses AWS WAF, which is configured with: managed rule groups (pre-built protections against common attacks), rate-based rules (blocking IPs that send too many requests), geographic restrictions (optional, for data sovereignty), and custom rules (specific to ReGenesis's application patterns). WAF is deployed at the CloudFront CDN edge, meaning malicious traffic is blocked before it ever reaches the application servers.
Webhook
TechnicalA webhook is a mechanism where one application sends an automatic HTTP notification to another when a specific event occurs. Unlike traditional polling (repeatedly asking "is there anything new?"), webhooks push updates in real-time. ReGenesis uses webhooks for: Zoom (new recording available, transcript ready), Google Workspace (calendar event created/updated), Slack (new message in coaching channel), and internal events (session analysis complete, insight approved). Incoming webhooks are validated (signature verification), rate-limited, and logged for audit purposes.
Whisper
InfrastructureWhisper is an open-source automatic speech recognition (ASR) model developed by OpenAI, trained on 680,000 hours of multilingual and multitask supervised data. It excels at handling diverse accents, background noise, and emotional speech — all common in coaching sessions. Whisper can be self-hosted (giving full data control) or accessed via OpenAI's API. For ReGenesis, Whisper's accuracy on emotionally inflected speech is a key advantage: coaching conversations involve subtle tone shifts, hesitations, and emphasis that less capable models miss. Whisper can be used alongside or as a fallback to streaming services like Deepgram.
WorkOS
SecurityWorkOS is an enterprise identity platform purpose-built for B2B SaaS companies. It provides drop-in integrations for SAML SSO, OIDC SSO, SCIM directory sync, MFA, and organization management — the exact features enterprise clients like McKinsey require before deploying any vendor tool. Instead of building and maintaining individual integrations with Azure AD, Okta, OneLogin, Google Workspace, and dozens of other identity providers, ReGenesis can use WorkOS as a unified layer that handles all of them. WorkOS is an alternative to Auth0 with a sharper focus on enterprise B2B use cases, including automatic SCIM provisioning and deprovisioning.
WORM (Write Once Read Many)
SecurityWrite Once Read Many is a data storage policy that allows data to be written once and then prevents any modification or deletion for a specified retention period. WORM is essential for audit log integrity — if an attacker or malicious insider could modify audit logs, they could cover their tracks. ReGenesis applies WORM policies to: audit logs in PostgreSQL (append-only tables with deletion protection), archived logs in S3 (Object Lock with compliance mode), and backup records. WORM compliance is a SOC 2 requirement for audit log integrity and a common question in enterprise procurement security questionnaires.
Z
Zero-Trust
SecurityZero-trust is a security framework that eliminates implicit trust from an organization's network architecture. The core principle is "never trust, always verify" — every access request is fully authenticated, authorized, and encrypted regardless of where it originates. Traditional security assumes everything inside the corporate firewall is safe; zero-trust assumes breach and verifies each request as though it comes from an untrusted network. ReGenesis implements zero-trust principles through: mutual TLS between services, JWT verification on every API call, Row-Level Security at the database, field-level access controls (visibility tags), and continuous monitoring. Zero-trust architecture is increasingly required by enterprise security teams.