ReGenesis Architecture Overview
ReGenesis is an AI-powered coaching platform that transforms how enterprise coaching programs operate. At its core, Sasha — an "invisible intelligence" — observes coaching sessions, generates evidence-backed insights, and provides 24/7 companion support to coachees, all while maintaining the highest standards of data privacy, security, and regulatory compliance.
Three-Layer Architecture
The entire platform is organized into three interdependent layers, each addressing a different dimension of enterprise readiness:
- Executive Summary
- Working Knowledge
- Technical Spec
What ReGenesis Is
ReGenesis is an enterprise SaaS platform for AI-augmented executive coaching. It processes coaching session transcripts, generates evidence-backed insights, and provides a 24/7 AI companion (Sasha) to support coachees between sessions.
Market Strategy
- US-first launch targeting Fortune 500 and top consulting firms (McKinsey initial target)
- EU-grade compliance built from day one as design ceiling
- SOC 2 → ISO 27001 certification sequence (not parallel)
- Four-stage rollout: MVP0 Demo → Pilot → GA → Global Expansion
Key Differentiators
- Evidence Packs (L0→L1→L2): Every AI insight links back to source material with transcript/video jump links
- Human-in-the-loop: Coaches review and approve all AI outputs before client delivery
- Field-level RBAC/ABAC: Four visibility tags (client_visible, coach_only, admin_aggregate, system_internal) ensure data access is precisely controlled
- Therapy-ready architecture: Built to handle deep personal/emotional content with appropriate safeguards, not to avoid it
Compliance Posture
| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | Planned | Q3 2026 |
| SOC 2 Type II | Planned | Q1 2027 |
| ISO 27001 | Planned | 2027 |
| GDPR | By design | Day 1 |
| CCPA/CPRA | By design | Day 1 |
| EU AI Act | Monitoring | 2027+ |
| HIPAA | Roadmap | 2027+ |
How the Layers Connect
Think of the three layers as a funnel:
- Layer A (Legal) sets the rules — what we must do to comply with privacy laws, AI regulations, and employment data protections
- Layer B (Enterprise) translates those rules into what enterprises expect to see — certifications, security controls, audit evidence, procurement packets
- Layer C (Product) implements everything as actual code, data flows, and architecture — the concrete system that engineers build
Every decision flows top-down: a GDPR requirement (Layer A) creates an enterprise expectation (Layer B) that becomes a technical control (Layer C).
US-First, EU-Grade
This is the single most important strategic decision. We launch in the US market first (McKinsey, Fortune 500) but build everything to EU/GDPR standards. Why?
- US is faster to market: No GDPR enforcement agency breathing down your neck at launch, fewer bureaucratic requirements
- EU standards are stricter: Building to GDPR means we automatically exceed CCPA, CPRA, and other US state laws
- Global-ready from day one: When we expand to EU/UK/APAC, we don't have to re-architect
- Enterprise trust signal: "We build to GDPR standards" is a powerful statement to any security review team
The Sasha Permission Model
Sasha has three operational modes, each requiring escalating consent:
- Observe: Listen to/receive session transcripts (requires participant consent)
- Analyze: Process data and suggest insights (relatively low-risk, output is in-app only)
- Act: Schedule meetings, send emails, create tasks (HIGH-RISK — requires explicit user confirmation for every action by default)
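As an added illustration of the escalating-consent ladder above (example code, not part of the ReGenesis platform; SessionConsent, Decision and authorize are assumed names), this models observe as requiring consent from every participant, analyze as riding on that consent because its output stays in-app, and act as needing a separate explicit confirmation for each action id, matching the page's default:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed example, not ReGenesis code. It models Sasha's three modes as a
# ladder: a higher mode is only granted when every lower mode's condition also
# holds. SessionConsent, Decision and authorize are assumed names.
MODES = ("observe", "analyze", "act")

@dataclass(frozen=True)
class SessionConsent:
    participants: frozenset[str]             # everyone present in the session
    observe_consented: frozenset[str]        # who has consented to Sasha observing
    confirm_each_action: bool = True         # the page's default: confirm every action

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(mode: str, consent: SessionConsent,
              action_id: Optional[str] = None,
              confirmed_action_ids: frozenset[str] = frozenset()) -> Decision:
    """Decide whether Sasha may run in `mode` for this session. Unknown modes
    and missing consent fail closed."""
    if mode not in MODES:
        return Decision(False, f"unknown mode {mode!r}")
    # Observe: consent is needed from every participant, not just the requester.
    missing = consent.participants - consent.observe_consented
    if missing:
        return Decision(False, f"observe denied: no consent from {sorted(missing)}")
    if mode == "observe":
        return Decision(True, "all participants consented")
    # Analyze: lower risk because output stays in-app, so observe consent suffices.
    if mode == "analyze":
        return Decision(True, "analysis permitted; output is in-app only")
    # Act: each action needs its own confirmation (a confirmation for one
    # action_id does not carry over to another) unless the user opted out.
    if action_id is None:
        return Decision(False, "act denied: no action_id supplied")
    if not consent.confirm_each_action or action_id in confirmed_action_ids:
        return Decision(True, f"action {action_id!r} confirmed")
    return Decision(False, f"act denied: {action_id!r} awaits explicit confirmation")
```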
Data Visibility Tags
Every piece of data in the system has one of four visibility tags:
| Tag | Who Sees It | Example |
|---|---|---|
| client_visible | Coachee + Coach | Approved session summaries, action items |
| coach_only | Coach only | Private coaching notes, draft insights |
| admin_aggregate | Enterprise admin (anonymized) | "80% improved leadership scores" |
| system_internal | System only | Raw embeddings, AI intermediate outputs |
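The following is an added example of enforcing these four tags at the field level (not ReGenesis code; the Field, filter_record and aggregate_view names and the k_min cohort floor are assumptions). Coachees and coaches read individual records filtered by tag, a mislabelled field fails closed as system_internal, and the enterprise admin never reads a record directly but only a cohort aggregate that refuses to answer for small groups:

```python
from dataclasses import dataclass
from typing import Any

# Constructed example, not ReGenesis code. Models the four visibility tags
# as field-level labels enforced on read. The k_min cohort floor in
# aggregate_view is an assumed safeguard behind the "anonymized" admin view.
TAGS = ("client_visible", "coach_only", "admin_aggregate", "system_internal")

# Per-record read rights. Enterprise admins get no per-record access at all;
# they only see outputs of aggregate_view. Unknown roles get nothing.
ROLE_TAGS = {
    "coachee": {"client_visible"},
    "coach": {"client_visible", "coach_only"},
    "enterprise_admin": set(),
    "system": set(TAGS),
}

@dataclass(frozen=True)
class Field:
    tag: str
    value: Any

def filter_record(record: dict, role: str) -> dict:
    """Return only the fields the role may read. A field carrying an unknown
    tag is treated as system_internal, so a mislabelled field fails closed."""
    allowed = ROLE_TAGS.get(role, set())
    out = {}
    for name, f in record.items():
        tag = f.tag if f.tag in TAGS else "system_internal"
        if tag in allowed:
            out[name] = f.value
    return out

def aggregate_view(records: list, metric: str, k_min: int = 5):
    """Admin view over a cohort: share of records where metric is True.
    Only admin_aggregate fields are counted, and cohorts smaller than k_min
    return None so a single coachee cannot be singled out."""
    vals = [r[metric].value for r in records
            if metric in r and r[metric].tag == "admin_aggregate"]
    if len(vals) < k_min:
        return None
    improved = sum(1 for v in vals if v is True)
    return {"n": len(vals), "pct_improved": round(100 * improved / len(vals))}

# Constructed sample session record; "draft" is a deliberately invalid tag.
SESSION = {
    "summary": Field("client_visible", "Agreed: delegate weekly status reports"),
    "coach_notes": Field("coach_only", "Deflects when conflict is raised"),
    "leadership_improved": Field("admin_aggregate", True),
    "embedding": Field("system_internal", [0.12, -0.40, 0.07]),
    "draft_insight": Field("draft", "unreviewed AI text"),
}
```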
Therapy Territory — The Decision
The coaching WILL handle deep personal, emotional, and mental health content. This is not a limitation — it's a feature. The architecture must:
- Handle special category data (health-like) with appropriate GDPR safeguards
- Implement escalation protocols for crisis situations (self-harm, etc.)
- Use AI safety guardrails that contain without blocking
- Build toward eventual therapy market expansion
- Frame legally as "coaching with deep personal development support" until regulatory clarity
What This Portal Contains
| Section | Contents |
|---|---|
| Privacy | Privacy principles, consent architecture, data minimization, cross-border transfers, breach notification, employment data, health/therapy data, automated decisions, privacy by design, US state privacy laws, data model, data lifecycle |
| Security | Infrastructure security, encryption & KMS, DevSecOps, monitoring, disaster recovery, Sasha AI engine, Sasha Live, integration security, mobile security, API design, tech stack |
| Compliance | SOC 2/ISO 27001, DPAs, RBAC/SSO/MFA/SCIM, logging & auditing, stage gates, procurement packet, evidence packs, compliance roadmap |
| AI Governance | Responsible AI framework, AI risk register |
| Resources | Roles & access, architecture decision records, vision & strategy, audience guide, glossary |