DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Mark E. Henderson on May 20, 2021. 

The application has been amended as follows: 
1. (Currently Amended) A method comprising: 
	receiving, at a first microservice, non-anonymized first tenant data for a first tenant of a multitenant database system; 	
	storing, by the first microservice, the non-anonymized first tenant data in at least a portion of a first database defined for the first tenant, at least a portion of the first tenant data being stored as instances of a first entity comprising a plurality of attributes, at least one attribute of the plurality of attributes for the first entity being designated for anonymization but not being anonymized in the non-anonymized first tenant data;
, by a second microservice from the first microservice, an analysis request from a client, the analysis request being associated with a first tenant identifier identifying the first tenant;
	receiving, from the second microservice by the first microservice, non-anonymized second tenant data for a second tenant of the multitenant database system, the second tenant being different than the first tenant;
	in response to the analysis request, the second microservice:
	storing the non-anonymized second tenant data in at least a portion of a second database defined for the second tenant, wherein the second database is the first database or is a database different than the first database, and wherein the non-anonymized first tenant data and the non-anonymized second data are logically separated such that the first tenant cannot access the non-anonymized second tenant data and the second tenant cannot access the non-anonymized first tenant data;
	anonymizing at least a portion of the non-anonymized first tenant data to provide anonymized first tenant data wherein the anonymizing comprises protecting identifying information in the non-anonymized first tenant data by replacing values of the at least one attribute with an alias, the protecting comprising: generating a random alias for identifying information in the first tenant data; storing the random alias associated with the first tenant data in the first database; replacing the identifying information with the random alias in the anonymized first tenant data; and preventing sending of non-anonymized first tenant data to a third database;
the third database, the third database defined to store data for the first tenant and the second tenant, where the third database can be the first database or the second database, provided that the anonymized first tenant data is logically separated from any non-anonymized tenant data for the at least one attribute;
	anonymizing at least a portion of the non-anonymized second tenant data to provide anonymized second tenant data, wherein the anonymizing comprises protecting identifying information in the second tenant data by replacing values of the at least one attribute with an alias; 
	storing the anonymized second tenant data in the third database, wherein the anonymized first tenant data and the anonymized second tenant data are collectively made available for analysis requests associated with the first tenant or associated with the second tenant; 	
	aggregating the anonymized first tenant data and the anonymized second tenant data stored in the third database to provide aggregated, anonymized tenant data;
	in response to the analysis request, analyzing the aggregated, anonymized tenant data to generate a first result; and
	sending a second result to the client in response to the analysis request, wherein the second result is, the second result indicating a recommendation based on the aggregated, anonymized tenant data.



3. (Currently Amended) The method of claim 1, wherein anonymizing at least a portion of the non-anonymized first tenant data further comprises maintaining a correlation between the anonymized first tenant data and the first tenant, such that the anonymized first tenant data can still be identified as being first tenant data

4-6. Cancelled

7. (Currently Amended) One or more non-transitory computer-readable storage media storing computer-executable instructions for causing a computing system to perform operations comprising:
	receiving, at a first microservice, non-anonymized first tenant data for a first tenant of a multitenant database system; 
	storing, at a first microservice, the non-anonymized first tenant data in at least a portion of a first database defined for the first tenant, at least a portion of the non-anonymized first tenant data being stored as instances of a first entity comprising a plurality of attributes, at least one attribute of the plurality of attributes for the first entity being designated for anonymization but not being anonymized in the non-anonymized first tenant data; 
	receiving, by a second microservice from the first microservice, an analysis request from a client, the analysis request being associated with a first tenant identifier identifying the first tenant;
, from the second microservice by the first microservice, non-anonymized second tenant data for a second tenant of the multitenant database system, the second tenant being different than the first tenant; 
	in response to the analysis request, the second microservice:
			storing the non-anonymized second tenant data in at least a portion of a 			second database defined for the second tenant, wherein the second database is the 			first database or is a database different than the first database, and wherein the 			non-anonymized first 	tenant data and the nonanonymized second data are 				logically separated such that the first tenant cannot access the nonanonymized 			second tenant data and the second tenant cannot access the non-anonymized first 			tenant data;
	anonymizing the non-anonymized first tenant data, wherein the anonymizing comprises replacing values of the at least one attribute with a generated alias; 
		storing the anonymized first tenant data in at least a portion of a third 	database defined to store data for the first tenant and the second tenant, where the 	third database can be the first database or the second database, provided that the 	anonymized first tenant data is logically separated from any non-anonymized 	tenant data for the at least one attribute;
		anonymizing the non-anonymized second tenant data to provide 	anonymized second tenant data, wherein the anonymizing comprises protecting 	identifying information in the nonanonymized second tenant data by replacing 	values of the at least one attribute with an alias, the protecting comprising: generating a random alias for identifying information in the first tenant data; 	storing the random alias associated with the first tenant data in the first database; 	replacing the identifying information with the random alias in the anonymized 	first tenant data; and preventing sending of non-anonymized first tenant data to 	the third database;
			storing the anonymized second tenant data in the third database, wherein 			the anonymized first tenant data and the anonymized second tenant data are 			collectively made available for analysis requests associated with the first tenant or 		associated with the second tenant; 
			aggregating the anonymized first tenant data and the anonymized second 			tenant data stored in the third database to provide aggregated, anonymized tenant 			data;
			in response to the analysis request, analyzing the aggregated, anonymized 			tenant to generate a first result; and
			sending a second result to the client in response to the analysis request, 			wherein the second result , the second result indicating a recommendation based on the aggregated, 			anonymized tenant data.

8. Cancelled

9. The one or more non-transitory computer-readable storage media of claim 7, wherein anonymizing at least a portion of the non-anonymized first tenant data comprises maintaining a 

10-13.   Cancelled

14. (Currently Amended) A computing system comprising:
	one or more memories; 
	one or more processing units coupled to the one or more memories; and 
	one or more computer readable storage media storing instructions that, when loaded into the one or more memories, cause the one or more processing units to perform operations comprising:
	receiving , at a first microservice, non-anonymized first tenant data for a first tenant of a multitenant database system, the non-anonymized first tenant data comprising one or more profiles representing respective distinct entities; 
	storing, by the first microservice,  the non-anonymized first tenant data in at least a portion of a first database defined for the first tenant, at least a portion of the non-anonymized first tenant data being stored as instances of a first entity comprising a plurality of attributes, at least one attribute of the plurality of attributes for the first entity being designated for anonymization but not being anonymized in the non-anonymized first tenant data; 
	receiving, by a second microservice from the first microservice, an analysis request from a client, the analysis request being associated with a first tenant identifier identifying the first tenant;
, from the second microservice by the first microservice,  non-anonymized second tenant data for a second tenant of the multitenant database system, the second tenant being different than the first tenant; 
	in response to the analysis request, the second microservice:
		storing the non-anonymized second tenant data in at least a portion of a 	second database defined for the second tenant, wherein the second database is the 	first database or is a database different than the first database, and wherein the 	non-anonymized first 	tenant data and the non-anonymized second tenant data are 	logically separated such that 	the first tenant cannot access the non-anonymized 	second tenant data and the second tenant cannot access the nonanonymized 	first tenant data; 
		anonymizing at least a portion of the non-anonymized first tenant data to 	provide anonymized first tenant data, wherein the anonymizing comprises 	protecting identifying information of the entities in the one or more profiles by 	replacing values of the at least one attribute with an alias, the protecting 	comprising: generating a random alias for identifying information in the first 	tenant data; storing the random alias associated with the first tenant data in the 	first database; replacing the identifying information with the random alias in the 	anonymized first tenant data; and preventing sending of non-anonymized first 	tenant data to a third database;
			sending a sharing indicator for the first tenant to the third database;
			storing the anonymized first tenant data by profile in at least a portion of 			the third database, the third database defined to store data for the first tenant and 	
			anonymizing the non-anonymized second tenant data to provide 				anonymized second tenant data, wherein the anonymizing comprises protecting 			identifying information in the non-anonymized second tenant data by replacing 			values of the at least one attribute with an alias; 		
			storing the anonymized second tenant data in the third database, wherein 			the anonymized first tenant data and the anonymized second tenant data are 			collectively made available for analysis requests associated with the first tenant or 		associated with the second tenant;
			aggregating the anonymized first tenant data and the anonymized second 			tenant data stored in the third database to provide aggregated, anonymized tenant 			data;
			responsive to the analysis request, and the sharing indicator, analyzing at 			least the anonymized first tenant data to generate a first result, wherein, if the 			sharing indicator indicates no data sharing, the first result is generated based on 			one or more profiles of anonymized tenant data for the first tenant only and, if the 			sharing indicator indicates data sharing, the first result is generated based on 			aggregated profile data comprising one or more profiles of anonymized first 			tenant data and tenant data for other tenants of the plurality of tenants having 			sharing indicators that indicate data sharing; and
, 		the second result indicating a recommendation based on the aggregated, 				anonymized tenant data.

15. Cancelled

16. The system of claim 14, wherein anonymizing at least a portion of the non-anonymized first tenant data further comprises maintaining a correlation between the anonymized first tenant data and the first tenant, such that the anonymized first tenant data can still be identified as coming from the first tenant.

17. Cancelled

18. (Currently Amended) The system of claim 14, wherein the result is generated based on a subset of anonymized tenant data available in the third database, the subset being associated with tenants with a sharing indicator indicating data sharing.

19-20. Cancelled

21 (Previously Presented). The method of claim 1, wherein the second result comprises non-anonymized first tenant data.



23 (Previously Presented). The method of claim 1, wherein the anonymizing at least a portion of the non-anonymized first tenant data and the aggregating the anonymized first tenant data and the anonymized second tenant data are carried out by different, separate microservices.

24 (Previously Presented). The one or more non-transitory computer-readable storage media of claim 7, wherein the second result comprises non-anonymized first tenant data.

25 (Previously Presented). The one or more non-transitory computer-readable storage media of claim 7, wherein the first result comprises an identifier for associating the first result with nonanonymized first tenant data. 

26 (Previously Presented). The one or more non-transitory computer-readable storage media of claim 7, wherein the anonymizing at least a portion of the non-anonymized first tenant data and the aggregating the anonymized first tenant data and the anonymized second tenant data are carried out by different, separate microservices.

27 (Previously Presented). The system of claim 14, wherein the second result comprises nonanonymized first tenant data.



29 (Previously Presented). The system of claim 14, wherein the anonymizing at least a portion of the non-anonymized first tenant data and the aggregating the anonymized first tenant data and the anonymized second tenant data are carried out by different, separate microservices.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MELISSA A HEADLY whose telephone number is (571)272-1972.  The examiner can normally be reached on Monday- Friday 9-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to 

/LEWIS A BULLOCK  JR/Supervisory Patent Examiner, Art Unit 2199                                                                                                                                                                                                        
MELISSA A. HEADLY
Examiner
Art Unit 2199