Methods for managing user permissions
US-2022179986-A1 · Jun 9, 2022 · US
US12445281B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12445281-B2 |
| Application number | US-202519200398-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 6, 2025 |
| Priority date | Apr 14, 2023 |
| Publication date | Oct 14, 2025 |
| Grant date | Oct 14, 2025 |
Official abstract text for this publication.
A network system to allow global usage of data while allowing regional jurisdictions control over sensitive data. Different jurisdictions may declare different types of data as sensitive data that is not to be discoverable by another party. The system may receive data that includes encoded data at a first device from a second device (e.g., associated with a remote datacenter). The system may store the data at the first device. In response to receiving a request from a third entity, the system may request a cryptographic key for decoding one or more data fields of the encoded data. Based on decoding the associated field data, the system may transmit a response to the data request that includes the decoded data.
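The flow in the abstract, together with the erase-on-command step of claim 1, as an added Python example (not code from the patent). `KeyAuthority`, `RegionalStore` and their method names are hypothetical, and the HMAC-SHA256 construction is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(data, key, nonce):
    # HMAC-SHA256 counter-mode keystream: stdlib stand-in for a real AEAD such as AES-GCM
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, field, nonce, ct):
    # Binding the field name stops a token being replayed under another field
    return _prf(key, b"mac", hashlib.sha256(field.encode()).digest() + nonce + ct)

def seal(key, field, value):
    nonce = secrets.token_bytes(16)
    ct = _xor(value, key, nonce)
    return nonce + ct + _tag(key, field, nonce, ct)

def unseal(key, field, token):
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _tag(key, field, nonce, ct)):
        raise ValueError("token failed authentication")
    return _xor(ct, key, nonce)

class KeyAuthority:  # second device (hypothetical name): tokenizes fields, keeps the keys
    def __init__(self, sensitive):
        self.keys = {f: secrets.token_bytes(32) for f in sensitive}  # one key per field
    def tokenize(self, record):
        return {f: seal(self.keys[f], f, v.encode()) if f in self.keys else v
                for f, v in record.items()}
    def release_key(self, field):
        return self.keys[field]

class RegionalStore:  # first device (hypothetical name): holds tokens, no key at rest
    def __init__(self, authority):
        self.authority, self.rows = authority, {}
    def handle_request(self, rid, fields):
        out = {f: self.rows[rid][f] for f in fields}
        for f, v in out.items():
            if isinstance(v, bytes):  # token: fetch the key for this request only
                out[f] = unseal(self.authority.release_key(f), f, v).decode()
        return out
    def disable_sensitive(self):  # the disable command: erase every stored token
        for row in self.rows.values():
            for f in [f for f, v in row.items() if isinstance(v, bytes)]:
                del row[f]
```

Because `RegionalStore` never keeps a released key, a token that survives in a backup after `disable_sensitive()` stays unreadable without a new key release.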
Opening claim text (preview).
What is claimed is:
1. A system for providing data protection, the system comprising: one or more processors; and a non-transitory, computer-readable storage medium storing instructions, which, when executed by the one or more processors cause the one or more processors to: receive data at a first device located in a first datacenter in a first jurisdiction from a second device located in a second datacenter in a second jurisdiction, wherein the data comprises a plurality of data fields, and wherein the plurality of data fields comprises a first set of fields encrypted into a corresponding token representing corresponding field data and a second set of fields not encrypted into the corresponding token, and wherein the first set of fields comprises sensitive data to be controlled by the second device in the second jurisdiction; store the data in the first jurisdiction; receive, at the first device from a third device, a data request, wherein the data request comprises a request for one or more data fields from the first set of fields encrypted into the corresponding token; in response to receiving the data request from the third device, request by the first device, from the second device, a cryptographic key for decrypting the one or more data fields; upon receiving the cryptographic key from the second jurisdiction, decrypt by the first device, using the cryptographic key, field data within the one or more data fields to obtain one or more decrypted data fields; transmit, by the first device, to the third device, a response to the data request comprising the one or more decrypted data fields; based on a rule change within the second jurisdiction, receive, by the first device from the second jurisdiction, a command to disable access to the first set of fields encrypted into the corresponding token representing the corresponding field data; and in response to receiving the command, erase, by the first device, each corresponding token representing the corresponding field data stored in the first jurisdiction, restricting the first jurisdiction from storing the sensitive data.
2. The system of claim 1, wherein the instructions further cause the one or more processors to: based on a new rule change within the second jurisdiction, receive, by the first device from the second device, an instruction to encrypt a field of the second set of fields into the corresponding token, wherein the field that has not been designated sensitive previously and has now been designated as sensitive; encrypt, by the first device, value data within the field of the second set of fields into one or more new tokens, wherein the one or more new tokens are decrypted using a different cryptographic function and a different cryptographic key; and replace, by the first device, the value data within the field with the one or more new tokens.
3. The system of claim 2, wherein the instructions further cause the one or more processors to: receive, from the second jurisdiction, a new cryptographic key for encrypting the field of the second set of fields; and subsequent to replacing the value data, transmit, by the first device, a confirmation to the second device, wherein the different cryptographic function and the different cryptographic key are not stored at the first device.
4. The system of claim 3, wherein the instructions for determining the new cryptographic key for encrypting the field of the second set of fields further causes the one or more processors to: transmit, by the first device, an encryption request to the second device for the new cryptographic key for encrypting the field of the second set of fields; and in response to the encryption request, receive, by the first device, the new cryptographic key for encrypting the field of the second set of fields, wherein the new cryptographic key corresponds to a decryption key for decrypting the field of the second set of fields.
5. The system of claim 1, wherein the instructions further cause the one or more processors to: subsequent to transmitting the response to the data request, receive, by the first device, from the second device, a new command to re-encrypt the one or more decrypted data fields; receive, by the first device and from the second jurisdiction, a new cryptographic function and a new cryptographic key for re-encrypting the one or more decrypted data fields; re-encrypt, by the first device, value data within the one or more decrypted data fields into new tokens, wherein the new tokens are enabled to be decrypted using the new cryptographic function and the new cryptographic key; and replace the value data within the one or more decrypted data fields with the new tokens.
6. The system of claim 1, wherein the instructions for requesting by the first device, from the second device based on each data field of the one or more data fields, the cryptographic key further cause the one or more processors to determine for each data field of the one or more data fields a corresponding cryptographic key of a plurality of cryptographic keys.
7. A method for providing data protection, the method comprising: receiving data at a first device located in a first datacenter in a first jurisdiction from a second device located in a second datacenter in a second jurisdiction, wherein the data comprises a plurality of data fields, and wherein the plurality of data fields comprises a first set of fields encrypted into a corresponding token representing corresponding field data and a second set of fields not encrypted into the corresponding token, and wherein the first set of fields comprises sensitive data to be controlled by the second device in the second jurisdiction; storing the data in the first jurisdiction; receiving, at the first device from a third device, a data request, wherein the data request comprises a request for one or more data fields from the first set of fields encrypted into the corresponding token; in response to receiving the data request from the third device, requesting, by the first device from the second device, a cryptographic key for decrypting the one or more data fields; upon receiving the cryptographic key, decrypting by the first device, field data within the one or more data fields using the cryptographic key to obtain one or more decrypted data fields; transmitting, by the first device to the third device, a response to the data request comprising the one or more decrypted data fields; based on a rule change within the second jurisdiction, receiving, by the first device from the second jurisdiction, a command to disable access to the first set of fields encrypted into the corresponding token representing the corresponding field data; and in response to receiving the command, disabling, by the first device, each corresponding token representing the corresponding field data stored in the first jurisdiction, restricting the first jurisdiction from storing the sensitive data.
8. The method of claim 7, further comprising: based on a new rule change within the second jurisdiction, receiving, by the first device from the second device, an instruction to encrypt a field of the second set of fields into the corresponding token, wherein the field that has not been designated sensitive previously and has now been designated as sensitive; encrypting, by the first device, value data within the field of the second set of fields into one or more new tokens, wherein the one or more new tokens are decrypted using a different cryptographic function and a different cryptographic key; and replacing, by the first device, the value data within the field with the one or more new tokens.
9. The method of claim 8, further comprising: receiving, from the second jurisd
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title