Systems and methods for securely handling private data in a cloud environment

US11443049B2 · US · B2

Patent metadata

Publication number: US-11443049-B2
Application number: US-201916722840-A
Country: US
Kind code: B2
Filing date: Dec 20, 2019
Priority date: Aug 12, 2019
Publication date: Sep 13, 2022
Grant date: Sep 13, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and methods described herein securely compute private data on a cloud platform. A network device in the cloud platform obtains a product or service description from a first user. The description includes a combination of public data and encrypted private data based on a first encryption key. The network device receives a query from an end device of a second user and retrieves, based on the query, the product or service description. The network device forwards the description to a trusted execution environment (TEE) instance for decryption of the encrypted private data, processing of the private data, and re-encryption of the private data with a second encryption key. The network device receives the re-encrypted private data from the TEE instance and assembles the re-encrypted private data and the public data into a query response for presentation on the end device. The network device sends, to the end device, the query response including the re-encrypted private data and the public data.

First claim

Claim text (preview; the page's copy breaks off inside claim 19).

What is claimed is:

1. A method, comprising: obtaining, by an application executed on a network element, a product or service description from a first user, wherein the product or service description includes a combination of public data and encrypted private data based on a first encryption key; receiving, by the application, a query from an end device of a second user; retrieving, by the application, the product or service description from a memory; forwarding, by the application, the product or service description to a trusted execution environment (TEE) instance; decrypting, by the TEE instance, the encrypted private data of the product or service description; processing, by the TEE instance, the private data of the product or service description; re-encrypting, by the TEE instance and after the processing, the private data with a second encryption key; sending, by the TEE instance and to the application, the re-encrypted private data; assembling, by the application, the re-encrypted private data and the public data into a query response for presentation on the end device; and sending, by the application and to the end device, the query response including the re-encrypted private data and the public data.

2. The method of claim 1, further comprising: storing, in the TEE instance, account information and the first encryption key associated with the first user; and storing, in the TEE instance, account information and the second encryption key associated with the second user, wherein decrypting the encrypted private data of the product or service description includes using the first encryption key, and wherein re-encrypting the private data includes using the second encryption key.

3. The method of claim 1, further comprising: storing the first encryption key in the TEE instance, and storing a second encryption key in the TEE instance.

4. The method of claim 1, further comprising: storing, by the application and in a memory outside of the TEE instance, the product or service description with other product or service descriptions from other users.

5. The method of claim 1, further comprising: logging, by the TEE instance, sending of the re-encrypted private data; and sending, by the TEE instance and to the seller, an encrypted record of the logging.

6. The method of claim 1, wherein the encrypted private data includes characteristics for the product or service, and wherein the re-encrypted private data includes modified characteristics.

7. The method of claim 1, wherein processing the private data includes modifying a value associated with the product or service description based on instructions in the product or service description.

8. The method of claim 1, wherein obtaining the product or service description further comprises: obtaining, from the seller, an indication of parties that are authorized to view the product or service description.

9. The method of claim 1, wherein the TEE instance uses a separate memory and operating system from the application.

10. The method of claim 1, wherein sending the query response further comprises: sending the query response to a client application on the end device that can decrypt the re-encrypted private data.

11. A network device, comprising: a first memory to store instructions for an application server; a second memory to store instructions for a trusted execution environment (TEE) instance; a first processor configured to execute instructions stored in the first memory to: obtain a product or service description from a first user, wherein the product or service description includes a combination of public data and encrypted private data based on a first encryption key, receive a query from an end device of a second user, retrieve, based on the query, the product or service description, and forward the product or service description to the TEE instance; and a second processor configured to execute instructions stored in a second memory to: decrypt the encrypted private data of the product or service description, process the private data of the product or service description, re-encrypt, after the processing, the private data with a second encryption key, and send, to the application, the re-encrypted private data, wherein the first processor is further configured to execute instructions stored in the first memory to: assemble the re-encrypted private data and the public data into a query response for presentation on the end device, and send, to the end device, the query response including the re-encrypted private data and the public data.

12. The network device of claim 11, wherein, when decrypting the encrypted private data of the product or service description, the second processor is further configured to execute the instructions stored in the second memory to: retrieve the first encryption key stored in the TEE instance.

13. The network device of claim 11, wherein, when re-encrypting private data, the second processor is further configured to execute the instructions stored in the second memory to: retrieve, from the second memory, the second encryption key, associated with the second user, in the TEE instance.

14. The network device of claim 11, wherein the first processor is further configured to execute the instructions stored in the first memory to: store, in another memory outside the TEE instance, the product or service description with other product or service descriptions from other users.

15. The network device of claim 11, wherein the second processor is further configured to execute the instructions stored in the second memory to: log the sending of the re-encrypted private data; and send, to the first user, an encrypted record of the logging.

16. The network device of claim 11, wherein the encrypted private data includes characteristics of the product or service, and wherein the re-encrypted private data includes modified characteristics.

17. The network device of claim 11, wherein, when processing the private data, the second processor is further configured to execute the instructions stored in the second memory to: modify a value associated with the product or service description based on instructions in the product or service description.

18. One or more non-transitory computer-readable medium storing instructions executable by a computational device to: obtain, by an application, a product or service description from a first user, wherein the product or service description includes a combination of public data and encrypted private data based on a first encryption key; receive, by the application, a query from an end device of a second user; retrieve, by the application and based on the query, the product or service description; forward the product or service description to a TEE instance for decryption of the encrypted private data, processing of the private data, and re-encryption of the private data with a second encryption key; receive, by the application, the re-encrypted private data from the TEE instance; assemble, by the application, the re-encrypted private data and the public data into a query response for presentation on the end device; and send, by the application and to the end device, the query response including the re-encrypted private data and the public data.

19. The non-transitory computer-readable medium of claim 18, wherein the instructions are further executable by a computational device to: solicit, from the first user, an indication of authorized
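The flow described in the abstract and in claims 1 to 7 (the application outside the TEE holds only public data plus ciphertext, the TEE decrypts under the seller's key, modifies a value per the seller's own instructions, re-encrypts under the buyer's key and logs the release) as an added, simplified Python simulation; this is not the patent's or Verizon's code. The HMAC-based toy cipher, the JSON field names (`price`, `discount_pct`) and the account ids are constructed stand-ins, and a real deployment would use a standard AEAD and hardware-isolated key storage.

```python
import hmac, hashlib, json, os

def _keystream(key, nonce, n):  # counter-mode HMAC-SHA256 keystream (toy construction)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    # Toy authenticated encryption (keystream XOR + HMAC tag); a real deployment uses an AEAD.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class TEE:
    """Holds per-account keys; the application outside it never sees them (claims 2, 9)."""
    def __init__(self, keys):
        self.keys, self.log = dict(keys), []
    def reencrypt(self, blob, seller, buyer):
        private = json.loads(decrypt(self.keys[seller], blob))
        if "discount_pct" in private:  # claim 7: modify a value per the seller's instructions
            private["price"] = round(private["price"] * (100 - private.pop("discount_pct")) / 100, 2)
        self.log.append((seller, buyer))  # claim 5: log each release of private data
        return encrypt(self.keys[buyer], json.dumps(private).encode())

class Application:
    """Untrusted store outside the TEE: sees public data and opaque ciphertext only (claim 4)."""
    def __init__(self, tee):
        self.tee, self.store = tee, []
    def obtain(self, seller, public, private_blob):
        self.store.append({"seller": seller, "public": public, "private": private_blob})
    def query(self, buyer, keyword):
        hits = [d for d in self.store if keyword.lower() in d["public"]["title"].lower()]
        return [{"public": d["public"],
                 "private": self.tee.reencrypt(d["private"], d["seller"], buyer)} for d in hits]

def demo():
    k_seller, k_buyer = os.urandom(32), os.urandom(32)  # constructed keys, one per account
    app = Application(TEE({"seller-1": k_seller, "buyer-7": k_buyer}))
    private = {"price": 250.0, "discount_pct": 10}  # constructed private fields
    app.obtain("seller-1", {"title": "Used laptop", "category": "electronics"},
               encrypt(k_seller, json.dumps(private).encode()))
    resp = app.query("buyer-7", "laptop")[0]
    return json.loads(decrypt(k_buyer, resp["private"])), resp["public"], app.tee.log
```

Only the buyer's client (claim 10) can open `resp["private"]`; the application that assembled the response holds neither key, and an attempt to decrypt with the wrong key fails the tag check rather than yielding garbage.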

Assignees

Verizon Patent & Licensing Inc

Inventors

Classifications

  • Protecting personal data, e.g. for financial or medical purposes · CPC title

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • G06F21/602 (Primary): Providing cryptographic facilities or services · CPC title

  • to features or functions of an application · CPC title

  • involving additional devices, e.g. trusted platform module [TPM], smartcard or USB · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11443049B2 cover?

Systems and methods described herein securely compute private data on a cloud platform. A network device in the cloud platform obtains a product or service description from a first user. The description includes a combination of public data and encrypted private data based on a first encryption key. The network device receives a query from an end device of a second user and retrieves, based on …

Who is the assignee on this patent?

Verizon Patent & Licensing Inc

What technology area does this patent fall under?

Primary CPC classification: G06F21/6245. Mapped technology areas include Physics.

When was this patent published?

Publication date: Sep 13, 2022 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).