DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-4, 7-10, 13-15, 18-21 are pending.  Claims 5-6, 11-12, 16-17 are cancelled.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4, 7, 10, 13-15, 18, 20-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Calahan (PGPUB 2017/0206362), and further in view of Mohan et al (PGPUB 2017/0279689).

Regarding Claim 1:
Calahan teaches a computer program product tangibly embodied on a non-transitory computer-readable storage medium and comprising instructions that, when executed by at least one computing device, are configured to cause the at least one computing device to at least (paragraph 21, system including storage medium such as memory device and processor; paragraph 28, medium storing instructions for execution by server): 
(paragraph 17, a database system 16 (also referred to herein as a "cloud-based system"; paragraph 20, system implements web-based system including application servers for storing data/objects to and retrieving from database; paragraph 34, application server handles requests for any user; paragraph 43, encryption platform operating in database system; encryption platform may be plugin  to framework; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system; paragraph 45, database storing objects for tenants, organizations, etc.; therefore, system is object-oriented system executing object-oriented applications; database storing objects can be considered storage layer), wherein the object-oriented application and the database are implemented within a multi-tenant architecture for providing instances of the object-oriented application to a plurality of tenants, and wherein data of the plurality of tenants is stored together within the database (paragraph 18, multi-tenant database system; database including multiple database objects; paragraph 34, Fig. 1G, each application server 100 is configured to handle requests for any user associated with any organization that is a tenant of the system 16; because it can be desirable to be able to add and remove application servers 100 from the server pool at any time and for various reasons, in some implementations there is no server affinity for a user or organization to a specific application server 100; in some such implementations, an interface system implementing a load balancing function is communicably coupled between the application servers 100 and the user systems 12 to distribute requests to the application servers 100); 
determine, at the object-oriented application, that field level data encryption is enabled for object data owned by the tenant (paragraph 69-70, encryption platform receives data from database system, e.g. user selects record for viewing; encryption platform determines if any of the data for the selected record includes encryption flag; encryption platform decrypts data that includes encryption flag; paragraph 55-58, encryption/encoding is done at field-level);
examine, at the object-oriented application and in response to the determination, an object metadata structure of the application object, including field level metadata defining an encryption attribute for a field of the application object (paragraph 69-72, encryption platform may have assigned encoding flag to ciphertext identifying encoding scheme used for encoding plaintext field value into byte array; encryption platform identifies encoding scheme from encoding flag, i.e. “metadata defining an encryption attribute”); and 
execute, at the object-oriented application and based on the encryption attribute, an encryption-related operation on field level data of the field of the application object, wherein the encryption-related operation comprises encryption of the field level data, decryption of the field level data, or a combination thereof (paragraph 69-72, encryption platform decrypts and decodes encrypted and encoded data into plaintext based on encryption flag and encoding flag, and sends decoded plaintext characters for the field value to the user system).
Calahan does not explicitly teach determining, at the object-oriented application based on a tenant table and based on a tenant identifier of a tenant of the plurality of tenants, that field level data encryption is enabled.
However, Mohan teaches the concept of a multi-tenant architecture (paragraph 9, multi-tenant environment which provides certain policies on a per-tenant basis, e.g. tenant requiring high level of security and/or encryption applied to network traffic and data); and
determining, at an application based on a tenant table and based on a tenant identifier of a tenant of the plurality of tenants, that data encryption is enabled (paragraph 9, multi-tenant environment; paragraph 24, tenant awareness module receives initialization packets and uses IP address as identifier of tenant using list or mapping of tenant IP addresses; paragraph 26, management module implements policy specific to tenant; each tenant may request a policy or policies such as tenant isolation, quality of service level, security policy, data encryption, etc. and the requested policies are stored as a list (i.e. a type of table) in memory used by management module; tenant awareness module identifies tenant based on received tagged initialization packet and looks up polices (stored in list) for the tenant and provides policies to that tenant; subsequent incoming packets received from identified tenant (as identified by IP address in received packets now known to match the tenant) can be processed according to tenant specific policies); and
Calahan teaches wherein the application is an object-oriented application (paragraph 45, database storing objects for tenants, organizations, etc.; therefore, system is object-oriented system executing object-oriented applications), and encryption is field level data encryption (paragraph 12-13, flag indicates if attribute of business object is critical or not, allowing selective encryption of individual fields of business objects; critical flag stored in business application metadata repository on level of business object data types; paragraph 22-23, data to be encrypted is determined; data comprises business object attribute data; data marked with flag for encryption; paragraph 35, determinator determines data to be encrypted on client device).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the tenant identifier table teachings of Mohan with the object field encryption teachings of Calahan.  A person of ordinary skill, faced with the problem of organizing data and related tenant preferences, would certainly consider the use of a table, as tables are one of the most basic and well known methods for logically maintaining information.  Therefore, using a table to organize tenant identifiers and the desired encryption policies of each respective tenant would provide the benefit of being efficient and simple for a maintainer/administrator to understand and/or program, as well as allowing each tenant to separately request desired security policies on an individual basis with respect to a particular tenant identifier.

Regarding Claim 2:
Calahan in view of Mohan teaches the computer program product of claim 1.  In addition, Calahan teaches wherein the object-oriented application includes a mapping engine, a metadata examination engine, and an encryption engine, the mapping engine configured to initiate the transfer of the object data in response to the user request, the metadata examination engine configured to determine that field level data encryption is enabled for the object data owned by the tenant, and the encryption engine configured to execute the encryption-related operation on the field level data of the field of the application object in conjunction with the transfer of the object data (paragraph 34, application server handles requests for any user; paragraph 37, application server receives user request and generates SQL statement to access desired information; application server therefore comprises mapping engine; paragraph 43, encryption platform operating in database system; encryption platform may be plugin to framework; paragraph 69, encryption platform determines if data for selected record includes encryption flag; encryption platform therefore comprises metadata examination engine; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system; paragraph 53, encryption platform uses identified encoding scheme to decode byte array back into plaintext; database system then sends decrypted and decoded plaintext for field value to user system; encryption platform therefore comprises encryption engine).

Regarding Claim 4:
Calahan in view of Mohan teaches the computer program product of claim 1.  In addition, Calahan teaches wherein the transfer of object data is from the object-oriented application to the database (paragraph 48, encryption platform monitors requests from user system to save field values; paragraph 50, encryption platform encrypts byte array and stores the encrypted byte array in database), and further wherein the encryption of the field level data is for population of the object data and stored within the database (paragraph 42, encryption platform encodes data for objects, records, fields, and any combination thereof; paragraph 48, user system may send a request to database system to save the name Bill Smith; encryption platform may check an encryption configuration file to determine if name field was previously selected for encryption; encryption platform may encode and encrypt name when field for contacts object is identified in encryption configuration file).

Regarding Claim 7:
Calahan in view of Mohan teaches the computer program product of claim 1.  In addition, Calahan teaches wherein the object metadata structure is modified during runtime of the object-oriented application to include the field level metadata (paragraph 51, encryption platform assigns encoding flag and encryption flag to encrypted byte array), and in response to the modification, the field of the application object, corresponding to the field level metadata, is added to the application object and populated with the field level data during runtime (paragraph 42, encryption platform encodes data for objects, records, fields, and any combination thereof; paragraph 48, user system may send a request to database system to save the name Bill Smith; paragraph 50, encryption platform encrypts byte array and stores in database).

Regarding Claim 10:
	Calahan teaches a method of executing instructions stored on a non-transitory computer-readable storage medium using at least one processor (paragraph 21, system including storage medium such as memory device and processor; paragraph 28, medium storing instructions for execution by server), the method comprising: 
(paragraph 17, a database system 16 (also referred to herein as a "cloud-based system"; paragraph 20, system implements web-based system including application servers for storing data/objects to and retrieving from database; paragraph 34, application server handles requests for any user; paragraph 43, encryption platform operating in database system; encryption platform may be plugin  to framework; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system; paragraph 45, database storing objects for tenants, organizations, etc.; therefore, system is object-oriented system executing object-oriented applications; database storing objects can be considered storage layer), wherein the object-oriented application and the database are implemented within a multi-tenant architecture for providing instances of the object- oriented application to a plurality of tenants, and wherein data of the plurality of tenants is stored together within the database (paragraph 18, multi-tenant database system; database including multiple database objects; paragraph 34, Fig. 1G, each application server 100 is configured to handle requests for any user associated with any organization that is a tenant of the system 16; because it can be desirable to be able to add and remove application servers 100 from the server pool at any time and for various reasons, in some implementations there is no server affinity for a user or organization to a specific application server 100; in some such implementations, an interface system implementing a load balancing function is communicably coupled between the application servers 100 and the user systems 12 to distribute requests to the application servers 100); 
determining, at the object-oriented application, that field level data encryption is enabled for object data owned by the tenant (paragraph 69-70, encryption platform receives data from database system, e.g. user selects record for viewing; encryption platform determines if any of the data for the selected record includes encryption flag; encryption platform decrypts data that includes encryption flag; paragraph 55-58, encryption/encoding is done at field-level); 
examining, at the object-oriented application and in response to the determining, an object metadata structure of the application object, including field level metadata defining an encryption attribute for a field of the application object (paragraph 69-72, encryption platform may have assigned encoding flag to ciphertext identifying encoding scheme used for encoding plaintext field value into byte array; encryption platform identifies encoding scheme from encoding flag, i.e. “metadata defining an encryption attribute”); and 
executing, at the object-oriented application and based on the encryption attribute, an encryption-related operation on field level data of the field of the application object, in conjunction with the transfer of the object data, wherein the encryption-related operation comprises encryption of the field level data, decryption of the field level data, or a combination thereof (paragraph 69-72, encryption platform decrypts and decodes encrypted and encoded data into plaintext based on encryption flag and encoding flag, and sends decoded plaintext characters for the field value to the user system).
Calahan does not explicitly teach determining, at the object-oriented application based on a tenant table and based on a tenant identifier of a tenant of the plurality of tenants, that field level data encryption is enabled.
However, Mohan teaches the concept of a multi-tenant architecture (paragraph 9, multi-tenant environment which provides certain policies on a per-tenant basis, e.g. tenant requiring high level of security and/or encryption applied to network traffic and data); and
determining, at an application based on a tenant table and based on a tenant identifier of a tenant of the plurality of tenants, that data encryption is enabled (paragraph 9, multi-tenant environment; paragraph 24, tenant awareness module receives initialization packets and uses IP address as identifier of tenant using list or mapping of tenant IP addresses; paragraph 26, management module implements policy specific to tenant; each tenant may request a policy or policies such as tenant isolation, quality of service level, security policy, data encryption, etc. and the requested policies are stored as a list (i.e. a type of table) in memory used by management module; tenant awareness module identifies tenant based on received tagged initialization packet and looks up polices (stored in list) for the tenant and provides policies to that tenant; subsequent incoming packets received from identified tenant (as identified by IP address in received packets now known to match the tenant) can be processed according to tenant specific policies); and
Calahan teaches wherein the application is an object-oriented application (paragraph 45, database storing objects for tenants, organizations, etc.; therefore, system is object-oriented system executing object-oriented applications), and encryption is field level data encryption (paragraph 12-13, flag indicates if attribute of business object is critical or not, allowing selective encryption of individual fields of business objects; critical flag stored in business application metadata repository on level of business object data types; paragraph 22-23, data to be encrypted is determined; data comprises business object attribute data; data marked with flag for encryption; paragraph 35, determinator determines data to be encrypted on client device).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the tenant identifier table teachings of Mohan with the object field encryption teachings of Calahan.  A person of ordinary skill, faced with the problem of organizing data and related tenant preferences, would certainly consider the use of a table, as tables are one of the most basic and well known methods for logically maintaining information.  Therefore, using a table to organize tenant identifiers and the desired encryption policies of each respective tenant would provide the benefit of being efficient and simple for a maintainer/administrator to understand and/or program, 

Regarding Claim 13:
Calahan in view of Mohan teaches the method of claim 10.  In addition, Calahan teaches wherein the transfer of object data is from the database to the object-oriented application (paragraph 34, application server handles requests for any user; paragraph 43, encryption platform operating in database system; encryption platform may be plugin to framework; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system), 
and wherein the decryption of the field level data is for population of a field within a live instance of the application object within the object-oriented application (paragraph 53, encryption platform uses identified encoding scheme to decode byte array back into plaintext; database system then sends decrypted and decoded plaintext for field value to user system).

Regarding Claim 14:
Calahan in view of Mohan teaches the method of claim 10.  In addition, Calahan teaches wherein the object metadata structure is modified during runtime of the object-oriented application to include the field level metadata(paragraph 51, encryption platform assigns encoding flag and encryption flag to encrypted byte array), and in response to the modification, the field of the application object, corresponding to the field level metadata, is added to the application object and populated with the field level data during runtime (paragraph 42, encryption platform encodes data for objects, records, fields, and any combination thereof; paragraph 48, user system may send a request to database system to save the name Bill Smith; paragraph 50, encryption platform encrypts byte array and stores in database).

Regarding Claim 15:
	Calahan teaches a system comprising: 
at least one processor and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the system to at least (paragraph 21, system including storage medium such as memory device and processor; paragraph 28, medium storing instructions for execution by server): 
initiate, at an object-oriented application, a transfer of object data for an application object between the object oriented application and a database at a storage layer (paragraph 17, a database system 16 (also referred to herein as a "cloud-based system"; paragraph 20, system implements web-based system including application servers for storing data/objects to and retrieving from database; paragraph 34, application server handles requests for any user; paragraph 43, encryption platform operating in database system; encryption platform may be plugin  to framework; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system; paragraph 45, database storing objects for tenants, organizations, etc.; therefore, system is object-oriented system executing object-oriented applications; database storing objects can be considered storage layer), wherein the object-oriented application and the database are implemented within a multi-tenant architecture for providing instances of the object-oriented application to a plurality of tenants, and wherein data of the plurality of tenants is stored together within the database (paragraph 18, multi-tenant database system; database including multiple database objects; paragraph 34, Fig. 1G, each application server 100 is configured to handle requests for any user associated with any organization that is a tenant of the system 16; because it can be desirable to be able to add and remove application servers 100 from the server pool at any time and for various reasons, in some implementations there is no server affinity for a user or organization to a specific application server 100; in some such implementations, an interface system implementing a load balancing function is communicably coupled between the application servers 100 and the user systems 12 to distribute requests to the application servers 100);  
determine, at the object-oriented application, that field level data encryption is enabled for object data owned by the tenant (paragraph 69-70, encryption platform receives data from database system, e.g. user selects record for viewing; encryption platform determines if any of the data for the selected record includes encryption flag; encryption platform decrypts data that includes encryption flag; paragraph 55-58, encryption/encoding is done at field-level);
examine, at the object-oriented application and in response to the determination, an object metadata structure of the application object, including field level metadata defining an encryption attribute for a field of the application object (paragraph 69-72, encryption platform may have assigned encoding flag to ciphertext identifying encoding scheme used for encoding plaintext field value into byte array; encryption platform identifies encoding scheme from encoding flag, i.e. “metadata defining an encryption attribute”); and 
execute, at the object-oriented application and based on the encryption attribute, an encryption-related operation on field level data of the field of the application object in conjunction with the transfer of the object data, wherein the encryption-related operation comprises encryption of the field level data, decryption of the field level data, or a combination thereof (paragraph 69-72, encryption platform decrypts and decodes encrypted and encoded data into plaintext based on encryption flag and encoding flag, and sends decoded plaintext characters for the field value to the user system).

However, Mohan teaches the concept of a multi-tenant architecture (paragraph 9, multi-tenant environment which provides certain policies on a per-tenant basis, e.g. tenant requiring high level of security and/or encryption applied to network traffic and data); and
determining, at an application based on a tenant table and based on a tenant identifier of a tenant of the plurality of tenants, that data encryption is enabled (paragraph 9, multi-tenant environment; paragraph 24, tenant awareness module receives initialization packets and uses IP address as identifier of tenant using list or mapping of tenant IP addresses; paragraph 26, management module implements policy specific to tenant; each tenant may request a policy or policies such as tenant isolation, quality of service level, security policy, data encryption, etc. and the requested policies are stored as a list (i.e. a type of table) in memory used by management module; tenant awareness module identifies tenant based on received tagged initialization packet and looks up polices (stored in list) for the tenant and provides policies to that tenant; subsequent incoming packets received from identified tenant (as identified by IP address in received packets now known to match the tenant) can be processed according to tenant specific policies); and
Calahan teaches wherein the application is an object-oriented application (paragraph 45, database storing objects for tenants, organizations, etc.; therefore, system is object-oriented system executing object-oriented applications), and encryption is field level data encryption (paragraph 12-13, flag indicates if attribute of business object is critical or not, allowing selective encryption of individual fields of business objects; critical flag stored in business application metadata repository on level of business object data types; paragraph 22-23, data to be encrypted is determined; data comprises business object attribute data; data marked with flag for encryption; paragraph 35, determinator determines data to be encrypted on client device).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the tenant identifier table teachings of Mohan with the object field encryption teachings of Calahan.  A person of ordinary skill, faced with the problem of organizing data and related tenant preferences, would certainly consider the use of a table, as tables are one of the most basic and well known methods for logically maintaining information.  Therefore, using a table to organize tenant identifiers and the desired encryption policies of each respective tenant would provide the benefit of being efficient and simple for a maintainer/administrator to understand and/or program, as well as allowing each tenant to separately request desired security policies on an individual basis with respect to a particular tenant identifier.

Regarding Claim 18:
Calahan in view of Mohan teaches the system of claim 15.  In addition, Calahan teaches wherein the transfer of object data is from the database to the object-oriented application (paragraph 34, application server handles requests for any user; paragraph 43, encryption platform operating in database system; encryption platform may be plugin  to framework; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system), and wherein the decryption of the field level data is for population of a field within a live instance of the application object within the object-oriented application (paragraph 53, encryption platform uses identified encoding scheme to decode byte array back into plaintext; database system then sends decrypted and decoded plaintext for field value to user system).

Claim 20:
Calahan in view of Mohan teaches the system of claim 15.  In addition, Calahan teaches wherein the object metadata structure is modified during runtime of the object-oriented application to include the field level metadata (paragraph 51, encryption platform assigns encoding flag and encryption flag to encrypted byte array), and in response to the modification, the field of the application object, corresponding to the field level metadata, is added to the application object and populated with the field level data during runtime (paragraph 42, encryption platform encodes data for objects, records, fields, and any combination thereof; paragraph 48, user system may send a request to database system to save the name Bill Smith; paragraph 50, encryption platform encrypts byte array and stores in database).

Regarding Claim 21:
	Calahan in view of Mohan teaches the computer program product of claim 1.  In addition, Calahan teaches wherein the transfer of object data is from the database to the object-oriented application (paragraph 34, application server handles requests for any user; paragraph 43, encryption platform operating in database system; encryption platform may be plugin  to framework; paragraph 52, database system receives request from user system to read data from database; paragraph 69, encryption platform receives data from database system), and further wherein the decryption of the field level data is for population of a field within a live instance of the application object within the object-oriented application (paragraph 53, encryption platform uses identified encoding scheme to decode byte array back into plaintext; database system then sends decrypted and decoded plaintext for field value to user system).

Claim(s) 3, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Calahan in view of Mohan, and further in view of Narayanaswamy et al (PGPUB 2016/0277368).

Regarding Claim 3:
Calahan in view of Mohan teaches the computer program product of claim 2. 
Neither Calahan nor Mohan explicitly teaches wherein application instances of the object-oriented application are shared among multiple tenants having data stored within the database, and the decrypting is executed in conjunction with tenant-specific bootstrap operations for a particular tenant mapped to a particular application instance.
However, Narayanaswamy teaches the concept wherein application instances of an object-oriented application are shared among multiple tenants having data stored within a database (paragraph 94, object oriented database, multi-tenant database), and decrypting is executed in conjunction with tenant-specific bootstrap operations for a particular tenant mapped to a particular application instance (paragraph 270-272, tenant identifier used as part of triplet linked to generation of keys, which can be seen as an initialization or “bootstrapping” operation; keys tailored to different application instances of individual organizations; paragraph 282-283, decryption based on triplet-key identifier).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the tenant-specific application key teachings of Narayanaswamy with the object field encryption teachings of Calahan in view of Mohan, in order to improve individual user/tenant security by creating individual key instances which are tied to application instances, thereby limiting the damage to other users of other application instances in the event a single application instance key is inadvertently stolen or leaked.

Claim 19:
Calahan in view of Mohan teaches the system of claim 18.  
Neither Calahan nor Mohan explicitly teaches wherein application instances of the object-oriented application are shared among multiple tenants having data stored within the database, and the decrypting is executed in conjunction with tenant-specific bootstrap operations for a particular tenant mapped to a particular application instance.
However, Narayanaswamy teaches the concept wherein application instances of an object-oriented application are shared among multiple tenants having data stored within a database (paragraph 94, object oriented database, multi-tenant database), and decrypting is executed in conjunction with tenant-specific bootstrap operations for a particular tenant mapped to a particular application instance (paragraph 270-272, tenant identifier used as part of triplet linked to generation of keys, which can be seen as an initialization or “bootstrapping” operation; keys tailored to different application instances of individual organizations; paragraph 282-283, decryption based on triplet-key identifier).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the tenant-specific application key teachings of Narayanaswamy with the object field encryption teachings of Calahan in view of Mohan, in order to improve individual user/tenant security by creating individual key instances which are tied to application instances, thereby limiting the damage to other users of other application instances in the event a single application instance key is inadvertently stolen or leaked.

Claim(s) 8-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Calahan in view of Mohan, and further in view of Raundahl Gregersen et al (PGPUB 2011/0283256), hereinafter Raundahl.

Claim 8:
Calahan in view of Mohan teaches the computer program product of claim 1.
Neither Calahan nor Mohan explicitly teaches wherein the field level metadata includes a complex field type identifying a second application object having second field level metadata defining a second encryption attribute for a second field thereof.
However, Raundahl teaches the concept wherein field level metadata includes a complex field type identifying a second application object (abstract, shared object identity between objects of a former version and a new version of a class; paragraph 82, reference to target object kept in every instance of an updateable class by code-generated instance field); and
Calahan teaches the second application object having second field level metadata defining a second encryption attribute for a second field thereof (paragraph 69-72, encryption platform may have assigned encoding flag to ciphertext identifying encoding scheme used for encoding plaintext field value into byte array; encryption platform identifies encoding scheme from encoding flag, i.e. “metadata defining an encryption attribute”; this would apply to any and all fields of any of a plurality of objects, i.e. “second object” and “second field”).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the shared object identity teachings of Raundahl with the object field encryption teachings of Calahan in view of Mohan, in order to create a system which allows transparent non-blocking dynamic updating of software objects without requiring system restarts or losing runtime state of software as a consequence of updating objects (Raundahl, paragraph 18).

Regarding Claim 9:

examine an object metadata structure of the application object including performing the encryption-related operation on second field level data of the second field in response to determining that the complex field type is identified as encryptable (paragraph 42, encryption platform encodes data for objects, records, fields, and any combination thereof; paragraph 48, user system may send a request to database system to save the name Bill Smith; encryption platform may check an encryption configuration file to determine if name field was previously selected for encryption; encryption platform may encode and encrypt name when field for contacts object is identified in encryption configuration file).

Response to Arguments

Applicant's arguments filed 9/18/2020 have been fully considered but they are not persuasive.

Regarding the rejection of claims under 35 USC 103:
Applicant’s arguments: The Examiner takes a fairly broad and unfair reading of what Calahan and Mohan actually teach and ignores, as explained below, features expressly recited in the claims. Although the broadest reasonable interpretation of the claims is considered a standard patent office practice, broadly reading disclosures fail to provide the documentary evidence required for a rejection. 
Calahan generally addresses the problem of reducing the size of encryption schemes when encoding text. Calahan, para. 4. To that end, Calahan picks which of a plurality of encryption algorithms most efficiently stores that text. Calahan, para. 41. Calahan's FIG. 2 (which is reproduced below) 
In stark contrast to Calahan, claim 1 operates at the application layer rather than the storage (or database layer). Specifically, the claim 1 "initiate," "determine, "examine," and "execute" are "at the object-oriented application," rather than the storage layer as in Calahan. By encrypting and performing other operations at the storage layer of the database rather than the application layer, Calahan takes a very different and opposite approach to what is consistent with claim 1. 
In view of the foregoing, Calahan fails to disclose or suggest at least the claim 1 "initiate, at an object-oriented application, a transfer of object data for an application object between the object-oriented application and a database at a storage layer, wherein the object-oriented application and the database are implemented within a multi-tenant architecture for providing instances of the object-oriented application to a plurality of tenants, and wherein data of the plurality of tenants is stored together within the database." 
It also follows Calahan fails to disclose or suggest at least the claim 1 "determine, at the object- oriented application based on a tenant table and based on a tenant identifier of a tenant of the plurality of tenants, that field level data encryption is enabled for object data owned by the tenant; examine, at the object-oriented application and in response to the determination, an object metadata structure of the application object, including field level metadata defining an encryption attribute for a field of the application object; and execute, at the object-oriented application and based on the encryption attribute, an encryption-related operation on field level data of the field of the application object in 

Examiner’s response: Applicant asserts that claim 1 operates at the application layer rather than the storage (or database layer).  In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., the object-oriented application functioning at the application layer) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicant’s claim 1 makes only a single reference to the abstraction of “layers” (i.e. “database at a storage layer”).  It is therefore unnecessary for the references to show the object-oriented application functioning in the “application layer”.  The object-oriented application could function within the storage layer with the database and still conform to the limitations of claim 1.  As Calahan teaches the other elements of claim 1 (i.e. "initiate," "determine, "examine," and "execute" are "at the object-oriented application"), Calahan therefore teaches said object-oriented application for at least this reason.
In addition, Calahan discloses a system for picking and applying encryption algorithms to text based on efficiency.  As the reason for encryption of the object data is not a requirement of claim 1, Calahan therefore applies to claim 1.  Further, while Applicant asserts that Calahan does not teach the requisite application operating at the “application layer”, and instead operating at the “storage layer”, Examiner points to Fig. 1B-2 of Calahan, and paragraphs 17, 30-33.  Paragraphs 17, 30-33 make it clear that system 16 refers to the database system.  Fig. 1B shows the database system 16 comprising an interface/application frontend (e.g. elements application server 100, API 32, UI 30, application platform 18) and database storage backend (e.g. elements tenant DB 22, System DB 24).  Fig. 2 further shows the and a separate database storage 190 comprising the object data storage.  The separate database storage of system 16 could therefore be considered the data storage layer, and the separate encryption/application platforms could be considered part of a separable application layer.  Therefore, as the terms “application layer” and “storage layer” have broad meanings within the art, and the claims fail to further limit them, Calahan can be seen as teaching the object-oriented application operating at an application layer, and the database operating at a storage layer.
For all of the above reasons, Applicant’s arguments that Examiner has ignored features expressly recited in the claims are not persuasive, as the claims do not recite elements which are argued by the Applicant, and the references can also be seen to teach the argued features in any case.

Applicant further argues that Mohan does not cure the deficiencies of Calahan.  However, as noted above, Calahan is not deficient.

	Applicant’s arguments with regard to independent claims 10 and 15 are similar to those regarding claim 1 and are therefore responded to in a similar way.
	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814.  The examiner can normally be reached on 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                                        


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491