DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted are is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-37 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-35 of U.S. Patent No. 11,212,096.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the patented claims in that the claims of the patent contain all of the limitations of the instant application.  Claims 1-37 of the instant application therefore are not patentably distinct from the earlier filed patented claims, and as such, is unpatentable under obvious-type double patenting.
17/542,233
1. A hosted secrets management transport system for managing secrets at one or more offsite locations, the system comprising: a server including one or more processors and a memory device storing a set of instructions that when executed by the one or more processors, causes the one or more processors to: define boundaries for two or more sovereignties that are larger functional groupings of components, each sovereignty having an independent master record, wherein each sovereignty includes two or more regions; access, within a primary region, a master record hardware security module that is a primary storage of secrets for that sovereignty; access, within the one or more secondary regions, a backup record hardware security module that is where data backups of the secrets from the master record hardware security module are created; execute live replication from the master record hardware security module to the backup record hardware security module that supports multi-tenancy secret management of multiple distinct companies at a same time; access, in each of the two or more regions, a primary cache hardware security module; access, in each of the two or more regions, a hardware security module cache pool; and receive a request for values at a software container; wherein, when a value is requested that is not present, the system looks up an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache hardware security module of the region in which the request originated, wherein the value is then distributed to the hardware security module cache pool via live replication.  
2. The system of claim 1, wherein the sovereignties are defined based on geopolitical boundaries, wherein the geopolitical boundaries include countries, unions of countries, or groups of countries, wherein the sovereignties are defined based arbitrarily to organize regions and keep secrets bound to a single group, company, or enterprise, wherein the regions are defined by real-world boundaries that include regional directions or countries within one of the sovereignties, wherein the regions are based on entirely unique datacenters that are contained within one or more of a same cloud provider, different cloud providers, on-premises systems, and private clouds, and wherein a secondary region provides for high availability in an event the entire primary region is rendered unavailable.  
3. The system of claim 1, wherein the master record is where all write actions occur.  
4. The system of claim 1, wherein no read actions occur on the master record except during emergency situations.  
5. The system of claim 1, wherein the backup record hardware security module keeps loads on the master record hardware security module as low as possible, to reduce or eliminate a possibility of a database lock occurring.  
6. The system of claim 1, wherein the primary cache hardware security module serves as a primary replication source for all cached values in its corresponding region.  
7. The system of claim 1, wherein the system securely distributes the replicated values amongst the sovereignties to provide reduced request latency, and distributes the replicated values through the primary cache hardware security modules 40and hardware security module cache pools while the master record hardware security modules of the corresponding sovereignties always contain original values.  
8. The system of claim 1, wherein each of the two or more regions include a database cluster, of which one is designated as the primary, wherein data is stored in the primary database cluster, and from the primary database cluster, the data is replicated globally to distributed replica databases.  
9. The system of claim 8, wherein the data stored in the primary database cluster is metadata of the secrets managed in the system including one or more of: name, internal name, version numbers, originating sovereignty, and security policies guarding where the values are able to be distributed.  
10. The system of claim 8, wherein the data is stored as a stream of events that are rendered to build a metadata entity, rather than storing the metadata as a single entity.  
11. The system of claim 10, wherein the stream of events provides a persistent audit log of all events that result in mutating actions being taken.  
12. The system of claim 11, wherein events in the persistent audit log are analyzed for anomalies and security issues using machine learning.  
13. The system of claim 1, wherein a client is created by a user and bound to a KeyRing, while restricting the client's access to values of a specific environment, which ensures that production and development values are not crossed.  
14. The system of claim 13, wherein the client is bound to the specific environment.  
15. The system of claim 13, wherein different types of specific environments include Production, Staging, Testing, and Development.  
16. The system of claim 1, wherein every region includes a private subnet that contains all of the components in the region, wherein all other systems in one of the regions are located in private subnets within various availability zones, which eliminates any possibility of a direct contact via an external connection to the Internet.  
17. The system of claim 1, wherein all communication between regions and communication between sovereignties are handled by encrypted connections.  
18. A hosted secrets management transport method for managing secrets at one or more offsite locations, the method comprising: defining boundaries for two or more sovereignties that are larger functional groupings of components, each sovereignty having an independent master record, wherein each sovereignty includes two or more regions; defining a primary region within the two or more regions; defining one or more secondary regions that are not the primary region; accessing, within the one or more secondary regions, a backup record encrypted data store that is where data backups of the secrets from the master record encrypted data store are created; executing live replication from the master record encrypted data store to the backup record encrypted data store that supports multi-tenancy secret management of multiple distinct companies at the same time; and receiving a request for values at a software container; wherein, when a value is requested that is not present, the system looks up an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache encrypted data store of the region in 42which the request originated, wherein the value is then distributed to the encrypted data store cache pool via live replication.  
19. The method of claim 18, wherein the sovereignties are defined based on geopolitical boundaries, wherein the geopolitical boundaries includes countries, unions of countries, or groups of countries, wherein the sovereignties are defined based arbitrarily to organize regions and keep secrets bound to a single group, company, or enterprise, wherein the regions are defined by real-world boundaries that include regional directions or countries within one of the sovereignties, wherein the regions are based on entirely unique datacenters that are contained within one or more of a same cloud provider, different cloud providers, on-premises systems, and private clouds, wherein a secondary region provides for high availability in an event the entire primary region is rendered unavailable.  
20. The method of claim 18, wherein the master record is where all write actions occur.  
21. The method of claim 18, wherein no read actions occur on the master record except during emergency situations.  
22. The method of claim 18, wherein the backup record encrypted data store keeps loads on the master record encrypted data store as low as possible, to reduce or eliminate a possibility of a database lock occurring.  
23. The method of claim 18, wherein the primary cache encrypted data store serves as a primary replication source for all cached values in its corresponding region.  
24. The method of claim 18, wherein the method securely distributes the replicated values amongst the sovereignties to provide reduced request latency, and distributes the replicated values through the primary cache encrypted data stores and encrypted data store cache pools while the master record encrypted data stores of the corresponding sovereignties always contain original values.  
25. The method of claim 18, wherein one region is designated with a primary database cluster, wherein data is stored in the primary database cluster, and from the primary database cluster, the data is replicated globally to distributed replica databases located in each region.  
26. The method of claim 25, wherein the data stored in the primary database cluster is metadata of the secrets managed in the system including one or more of: name, internal name, version numbers, originating sovereignty, and security policies guarding where the values are able to be distributed.  
27. The method of claim 25, wherein the data is stored as a stream of events that are rendered to build a metadata entity, rather than storing the metadata as a single entity.  
28. The method of claim 27, wherein the stream of events provides a persistent audit log of all events that result in mutating actions being taken.  
29. The method of claim 28, wherein events in the persistent audit log are analyzed for anomalies and security issues using machine learning.  
30. The method of claim 18, wherein a client is created by a user and bound to a KeyRing, while restricting the client's access to values of a specific environment, which ensures that production and development values are not crossed.  
31. The method of claim 30, wherein the client is bound to the specific environment.  
32. The method of claim 30, wherein different types of specific environments include Production, Staging, Testing, and Development.  
33. The method of claim 18, wherein every region includes a private subnet that contains all of the components in the region, wherein all other systems in one of the regions are located in private subnets within various availability zones, which eliminates any possibility of a direct contact via an external connection to the Internet.  
34. The method of claim 23, wherein all communication between regions and communication between sovereignties are handled by encrypted connections.  
35. The method of claim 23, wherein the master record encrypted data store, the backup record encrypted data store, the primary cache encrypted data store, and the cache pool encrypted data store are each selected from one or more of a hardware security module or other storage medium where data is encrypted at rest.  
36. A hosted secrets management transport system for managing secrets at one or more offsite locations, the system comprising: two or more sovereignties that are larger functional groupings of components, each sovereignty with an independent master record, wherein each sovereignty includes two or more regions that further include at least a primary region and a secondary region; a master record encrypted data store, included in the primary region, that is a primary storage of secrets for that sovereignty; 45a backup record encrypted data store, included in one or more secondary regions that is not the primary region, that receives live replication from the master record encrypted data store that supports multi-tenancy secret management of multiple distinct companies at a same time, wherein the backup record encrypted data store is where data backups are created from the master record encrypted data store; a primary cache encrypted data store, contained in each of the two or more regions, that receives live replication from the backup record encrypted data store; an encrypted data store cache pool contained in each of the two or more regions; and a cluster of software containers and a software container management system included in each of the two or more regions; wherein, when a value is requested that is not present, the system identifies an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache encrypted data store of the region in which the request originated, wherein the value is then distributed to the encrypted data store cache pool via live replication.  
37. The system of claim 36, wherein the master record encrypted data store, the backup record encrypted data store, the primary cache encrypted data store, and the cache pool encrypted data store are each selected from one or more of a hardware security module or other storage medium where data is encrypted at rest.
U.S. Patent 11,212,096
1. A hosted secrets management transport system for managing secrets at one or more offsite locations, the system comprising:
a server including one or more processors and a memory device storing a set of instructions that when executed by the one or more processors, causes the one or more processors to:
define boundaries for two or more sovereignties that are larger functional groupings of components, each sovereignty having an independent master record, wherein each sovereignty includes two or more regions;
define a primary region within the two or more regions;
access, within the primary region, a master record hardware security module that is a primary storage of secrets for that sovereignty, wherein the master record hardware security module is a truth record for all actions on secrets within its corresponding sovereignty, the actions on the secrets including one or more of creation actions, update actions, and deletion actions;
define one or more secondary regions that are not the primary region;
access, within the one or more secondary regions, a backup record hardware security module that is where data backups of the secrets from the master record hardware security module are created;
execute live replication from the master record hardware security module to the backup record hardware security module that supports multi-tenancy secret management of multiple distinct companies at a same time;
access, in each of the two or more regions, a primary cache hardware security module that receives live replication from the backup record hardware security module;
access, in each of the two or more regions, a hardware security module cache pool, wherein the hardware security module cache pool is scalable to replicate from the primary cache hardware security module depending on traffic needs within a region;
access, in each of the two or more regions in a sovereignty, a cluster of software containers and a software container management system that ensures the software containers are available and operating properly; and
receive a request for values at a software container, wherein the request for values from the software containers in a cluster of a region are load balanced amongst the primary cache hardware security module and the hardware security module cache pool for all read actions;
wherein, when a value is requested that is not present, the system looks up an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache hardware security module of the region in which the request originated, wherein the value is then distributed to the hardware security module cache pool via live replication.
2. The system of claim 1, wherein the sovereignties are defined based on geopolitical boundaries, wherein the geopolitical boundaries include countries, unions of countries, or groups of countries, wherein the sovereignties are defined based arbitrarily to organize regions and keep secrets bound to a single group, company, or enterprise, wherein the regions are defined by real-world boundaries that include regional directions or countries within one of the sovereignties, wherein the regions are based on entirely unique datacenters that are contained within one or more of a same cloud provider, different cloud providers, on-premises systems, and private clouds, and wherein a secondary region provides for high availability in an event the entire primary region is rendered unavailable.
3. The system of claim 1, wherein the master record is where all write actions occur.
4. The system of claim 1, wherein no read actions occur on the master record except during emergency situations.
5. The system of claim 1, wherein the backup record hardware security module keeps loads on the master record hardware security module as low as possible, to reduce or eliminate a possibility of a database lock occurring.
6. The system of claim 1, wherein the primary cache hardware security module serves as a primary replication source for all cached values in its corresponding region.
7. The system of claim 1, wherein the system securely distributes the replicated values amongst the sovereignties to provide reduced request latency, and distributes the replicated values through the primary cache hardware security modules and hardware security module cache pools while the master record hardware security modules of the corresponding sovereignties always contain original values.
8. The system of claim 1, wherein each of the two or more regions include a database cluster, of which one is designated as the primary, wherein data is stored in the primary database cluster, and from the primary database cluster, the data is replicated globally to distributed replica databases.
9. The system of claim 8, wherein the data stored in the primary database cluster is metadata of the secrets managed in the system including one or more of: name, internal name, version numbers, originating sovereignty, and security policies guarding where the values are able to be distributed.
10. The system of claim 8, wherein the data is stored as a stream of events that are rendered to build a metadata entity, rather than storing the metadata as a single entity.
11. The system of claim 10, wherein the stream of events provides a persistent audit log of all events that result in mutating actions being taken.
12. The system of claim 11, wherein events in the persistent audit log are analyzed for anomalies and security issues using machine learning.
13. The system of claim 1, wherein a client is created by a user and bound to a KeyRing, while restricting the client's access to values of a specific environment, which ensures that production and development values are not crossed.
14. The system of claim 13, wherein the client is bound to the specific environment.
15. The system of claim 13, wherein different types of specific environments include Production, Staging, Testing, and Development.
16. The system of claim 1, wherein every region includes a private subnet that contains all of the components in the region, wherein all other systems in one of the regions are located in private subnets within various availability zones, which eliminates any possibility of a direct contact via an external connection to the Internet.
17. The system of claim 1, wherein all communication between regions and communication between sovereignties are handled by encrypted connections.
18. A hosted secrets management transport method for managing secrets at one or more offsite locations, the method comprising:
defining boundaries for two or more sovereignties that are larger functional groupings of components, each sovereignty having an independent master record, wherein each sovereignty includes two or more regions;
defining a primary region within the two or more regions;
accessing, within the primary region, a master record hardware security module that is a primary storage of secrets for that sovereignty, wherein the master record hardware security module is a truth record for all actions on secrets within its corresponding sovereignty, the actions on the secrets including one or more of creation actions, update actions, and deletion actions;
defining one or more secondary regions that are not the primary region;
accessing, within the one or more secondary regions, a backup record hardware security module that is where data backups of the secrets from the master record hardware security module are created;
executing live replication from the master record hardware security module to the backup record hardware security module that supports multi-tenancy secret management of multiple distinct companies at the same time;
accessing, in each of the two or more regions, a primary cache hardware security module that receives live replication from the backup record hardware security module;
accessing, in each of the two or more regions, a hardware security module cache pool, wherein the hardware security module cache pool is scalable to replicate from the primary cache hardware security module depending on traffic needs within a region;
accessing, in each of the two or more regions in a sovereignty, a cluster of software containers and a software container management system that ensures the software containers are available and operating properly; and
receiving a request for values at a software container, wherein the request for values from the software containers in a cluster of a region are load balanced amongst the primary cache hardware security module and the hardware security module cache pool for all read actions;
wherein, when a value is requested that is not present, the system looks up an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache hardware security module of the region in which the request originated, wherein the value is then distributed to the hardware security module cache pool via live replication.
19. The method of claim 18, wherein the sovereignties are defined based on geopolitical boundaries, wherein the geopolitical boundaries includes countries, unions of countries, or groups of countries, wherein the sovereignties are defined based arbitrarily to organize regions and keep secrets bound to a single group, company, or enterprise, wherein the regions are defined by real-world boundaries that include regional directions or countries within one of the sovereignties, wherein the regions are based on entirely unique datacenters that are contained within one or more of a same cloud provider, different cloud providers, on-premises systems, and private clouds, wherein a secondary region provides for high availability in an event the entire primary region is rendered unavailable.
20. The method of claim 18, wherein the master record is where all write actions occur.
21. The method of claim 18, wherein no read actions occur on the master record except during emergency situations.
22. The method of claim 18, wherein the backup record hardware security module keeps loads on the master record hardware security module as low as possible, to reduce or eliminate a possibility of a database lock occurring.
23. The method of claim 18, wherein the primary cache hardware security module serves as a primary replication source for all cached values in its corresponding region.
24. The method of claim 18, wherein the method securely distributes the replicated values amongst the sovereignties to provide reduced request latency, and distributes the replicated values through the primary cache hardware security modules and hardware security module cache pools while the master record hardware security modules of the corresponding sovereignties always contain original values.
25. The method of claim 18, wherein one region is designated with a primary database cluster, wherein data is stored in the primary database cluster, and from the primary database cluster, the data is replicated globally to distributed replica databases located in each region.
26. The method of claim 25, wherein the data stored in the primary database cluster is metadata of the secrets managed in the system including one or more of: name, internal name, version numbers, originating sovereignty, and security policies guarding where the values are able to be distributed.
27. The method of claim 25, wherein the data is stored as a stream of events that are rendered to build a metadata entity, rather than storing the metadata as a single entity.
28. The method of claim 27, wherein the stream of events provides a persistent audit log of all events that result in mutating actions being taken.
29. The method of claim 28, wherein events in the persistent audit log are analyzed for anomalies and security issues using machine learning.
30. The method of claim 18, wherein a client is created by a user and bound to a KeyRing, while restricting the client's access to values of a specific environment, which ensures that production and development values are not crossed.
31. The method of claim 30, wherein the client is bound to the specific environment.
32. The method of claim 30, wherein different types of specific environments include Production, Staging, Testing, and Development.
33. The method of claim 18, wherein every region includes a private subnet that contains all of the components in the region, wherein all other systems in one of the regions are located in private subnets within various availability zones, which eliminates any possibility of a direct contact via an external connection to the Internet.
34. The method of claim 23, wherein all communication between regions and communication between sovereignties are handled by encrypted connections.
35. A hosted secrets management transport system for managing secrets at one or more offsite locations, the system comprising:
two or more sovereignties that are larger functional groupings of components, each sovereignty with an independent master record, wherein each sovereignty includes two or more regions that further include at least a primary region and a secondary region;
a master record hardware security module, included in the primary region, that is a primary storage of secrets for that sovereignty, wherein the master record hardware security module is a truth record for all actions on secrets within its corresponding sovereignty, the actions on secrets including one or more of creation actions, update actions, and deletion actions;
a backup record hardware security module, included in one or more secondary regions that is not the primary region, that receives live replication from the master record hardware security module that supports multi-tenancy secret management of multiple distinct companies at a same time, wherein the backup record hardware security module is where data backups are created from the master record hardware security module;
a primary cache hardware security module, contained in each of the two or more regions, that receives live replication from the backup record hardware security module;
a hardware security module cache pool contained in each of the two or more regions, wherein each hardware security module cache pool is scalable to replicate from its corresponding primary cache hardware security module depending on traffic needs within a region; and
a cluster of software containers and a software container management system included in each of the two or more regions, wherein the software container management system ensures the software containers are available and operating properly, wherein requests from software containers in a cluster of a region are load balanced amongst the primary cache hardware security module and the hardware security module cache pool for all read actions;
wherein, when a value is requested that is not present, the system identifies an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache hardware security module of the region in which the request originated, wherein the value is then distributed to the hardware security module cache pool via live replication.


Allowable Subject Matter
Claims 1-37 are allowed, however they are currently rejected under obvious-type patenting requiring the filing of a terminal disclaimer.
The following is a statement of reasons for the indication of allowable subject matter:
The closest prior art teachings of Cabrera et al, US 2016/0156671 discloses of automatically analyzing data security jurisdiction zones to determine allowed secret data with respect to the data security jurisdiction zone of the resource, and the determined allowed secret data, see paragraph 0016.
Another closely related teachings by Shiell et al, US 2021/0182310 is relied upon for disclosing of updating a new key-value from an older key-value version, which includes caching, see paragraph 0080.
Kuang et al, 2021/0200771 is relied upon for disclosing of same region key value caching operations to replicate the same region key value cache operation to a second authorized region, see paragraph 0008.


It was not found to be taught in the prior art at least for:

1. A hosted secrets management transport system for managing secrets at one or more offsite locations, the system comprising:
a server including one or more processors and a memory device storing a set of instructions that when executed by the one or more processors, causes the one or more processors to:
define boundaries for two or more sovereignties that are larger functional groupings of components, each sovereignty having an independent master record, wherein each sovereignty includes two or more regions;
access, within a primary region, a master record hardware security module that is a primary storage of secrets for that sovereignty;
access, within the one or more secondary regions, a backup record hardware security module that is where data backups of the secrets from the master record hardware security module are created;
execute live replication from the master record hardware security module to the backup record hardware security module that supports multi-tenancy secret management of multiple distinct companies at a same time;
access, in each of the two or more regions, a primary cache hardware security module;
access, in each of the two or more regions, a hardware security module cache pool; and
receive a request for values at a software container;
wherein, when a value is requested that is not present, the system looks up an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache hardware security module of the region in which the request originated, wherein the value is then distributed to the hardware security module cache pool via live replication.

18. A hosted secrets management transport method for managing secrets at one or more offsite locations, the method comprising:
defining boundaries for two or more sovereignties that are larger functional groupings of components, each sovereignty having an independent master record, wherein each sovereignty includes two or more regions;
defining a primary region within the two or more regions;
defining one or more secondary regions that are not the primary region;
accessing, within the one or more secondary regions, a backup record encrypted data store that is where data backups of the secrets from the master record encrypted data store are created;
executing live replication from the master record encrypted data store to the backup record encrypted data store that supports multi-tenancy secret management of multiple distinct companies at the same time; and
receiving a request for values at a software container;
wherein, when a value is requested that is not present, the system looks up an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache encrypted data store of the region in 42which the request originated, wherein the value is then distributed to the encrypted data store cache pool via live replication.

36. A hosted secrets management transport system for managing secrets at one or more offsite locations, the system comprising:
two or more sovereignties that are larger functional groupings of components, each sovereignty with an independent master record, wherein each sovereignty includes two or more regions that further include at least a primary region and a secondary region;
a master record encrypted data store, included in the primary region, that is a primary storage of secrets for that sovereignty;
45a backup record encrypted data store, included in one or more secondary regions that is not the primary region, that receives live replication from the master record encrypted data store that supports multi-tenancy secret management of multiple distinct companies at a same time, wherein the backup record encrypted data store is where data backups are created from the master record encrypted data store;
a primary cache encrypted data store, contained in each of the two or more regions, that receives live replication from the backup record encrypted data store;
an encrypted data store cache pool contained in each of the two or more regions; and
a cluster of software containers and a software container management system included in each of the two or more regions;
wherein, when a value is requested that is not present, the system identifies an originating sovereignty of the value and, if different than the request originating sovereignty and permissible, makes a request to the originating sovereignty for the value, which is then cached in the primary cache encrypted data store of the region in which the request originated, wherein the value is then distributed to the encrypted data store cache pool via live replication.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Balasubramianian et al, US 2022/0311757 is relied upon for disclosing of a first vault in a first region of a cloud, replicating data in a second vault in a second region within the cloud, see paragraph 0006.  Customer keys are replicated from a primary region to a secondary region, see paragraph 0025.
Ponnuswamy et al, US 2022/0060317 is relied upon for disclosing of a data encryption key encrypted with a master key that is stored at a backup location, see paragraph 0082.
D’Halluin et al, US 2019/0057028 is relied upon for disclosing of storing key entries in a first location, storing second key entries at a second location, replicating the first key entries and second key entries, see paragraph 0009.
Reid et al, US 2018/0232526 is relied upon for disclosing replicating encrypted files for a vault token in multiple locations, wherein a primary copy may reside in a cloud and a secondary copy resides on a workstation, see paragraph 0493.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431