ADR-001: US-First Market Strategy
Status: Accepted Date: February 2026 Decision Maker: Jesse Torrence (Founder)
Context
The original Blueprint (V1, February 5, 2026) was written with a Europe-first strategy, assuming EU deployment from day one. After further analysis (Blueprint Supplement, February 18, 2026), this was corrected to US-first for practical market entry reasons.
ReGenesis's first target client is McKinsey, a US-headquartered firm. The founding team is US-based (Jesse in NYC, brother in DC, engineers in India). The legal entity will be a Delaware C-Corp.
Decision
Launch in the US market first, but build all systems to EU/GDPR standards as the design ceiling.
This means:
- Primary deployment in AWS
us-east-1 - SOC 2 certification before ISO 27001
- CCPA/CPRA compliance as the regulatory floor
- GDPR architecture as the design ceiling (data minimization, consent flows, deletion capabilities, DPA structure)
- Delaware C-Corp as initial legal entity
- EU entity established only when European market expansion begins
Alternatives Considered
Alternative 1: EU-First (Original Blueprint V1)
- Pro: GDPR is the strictest regime; launching there first means everything else is easier
- Con: Slower time to market, requires EU legal entity immediately, GDPR enforcement risk from day one, McKinsey is US-based, founding team is US-based
- Rejected because: Practical considerations outweigh theoretical purity
Alternative 2: Dual Launch (US + EU Simultaneously)
- Pro: Fastest global coverage
- Con: Doubles operational complexity, requires two data centers, two legal entities, two sets of compliance certifications from day one
- Rejected because: Resource-intensive for a startup; better to sequence
Alternative 3: US-First with US-Only Standards
- Pro: Fastest and cheapest launch
- Con: Would require significant re-architecture when expanding to EU; CCPA alone doesn't prepare for GDPR
- Rejected because: Short-term savings create long-term technical debt
Consequences
Positive
- Faster time to market for McKinsey engagement
- Lower legal/regulatory burden at launch
- GDPR-grade architecture means EU expansion is a deployment exercise, not a rebuild
- SOC 2 Type I achievable before ISO 27001 (more relevant to US enterprise buyers)
- Delaware C-Corp is standard for US enterprise SaaS
Negative
- Must maintain discipline to build to EU standards even though US doesn't require it
- Some GDPR features (like extensive data subject rights UI) may feel like over-engineering for US-only deployment
- EU prospects may ask "Why aren't you ISO 27001 certified?" — answer: "It's next in our roadmap after SOC 2 Type II"
Risks
- If a major EU client appears before expected, we may need to accelerate ISO 27001 and EU deployment
- US state privacy laws are fragmented (20+ states with different rules) — must comply with CCPA/CPRA as strictest