Prosecution Insights
Last updated: April 19, 2026
Application No. 17/877,199

METHOD TO CLASSIFY COMPLIANCE PROTOCOLS FOR SAAS APPS BASED ON WEB PAGE CONTENT

Non-Final OA: §101, §103, §112
Filed: Jul 29, 2022
Examiner: NGUYEN, LOAN T
Art Unit: 2165
Tech Center: 2100 — Computer Architecture & Software
Assignee: Palo Alto Networks Inc.
OA Round: 4 (Non-Final)
Grant Probability: 65% (Favorable)
OA Rounds: 4-5
To Grant: 4y 1m
With Interview: 88%

Examiner Intelligence

Career Allow Rate: 65% (above average; 223 granted / 343 resolved; +10.0% vs TC avg)
Interview Lift: +23.5% (strong +24% interview lift; resolved cases with interview)
Typical timeline, Avg Prosecution: 4y 1m (30 currently pending)
Career history, Total Applications: 373 (across all art units)

Statute-Specific Performance

§101: 15.8% (-24.2% vs TC avg)
§103: 44.9% (+4.9% vs TC avg)
§102: 17.0% (-23.0% vs TC avg)
§112: 17.2% (-22.8% vs TC avg)
Based on career data from 343 resolved cases

Office Action

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This communication is responsive to the amendment filed on 10/13/2025.

Status of claims: Claims 4, 8, 11 and 16 are canceled. Claims 24-27 are newly added. Claims 1-2, 5-7, 9, 14-15, 17-20 and 22 are amended. Claims 1-3, 5-7, 9-10, 12-15 and 17-27 are pending for examination.

Response to Arguments

Applicant's arguments regarding the amended limitations of the claims have been considered in view of the new ground of rejection.

Claim Objection

Claim 26 is objected to because of the formality: claim 26 is a duplication of claim 25. Correction is suggested.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(B) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-3, 5-7, 9-10, 12-15, 17-20 and 22-27 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 1, 19 and 20 recite the newly added limitations:
- “a composite text representation”. The specification does not mention this limitation. It is unclear what Applicant meant by a composite text representation. Applicant is required for correction.
- “inputting webpage sample”. The specification does not mention this limitation.
It is unclear what Applicant meant by webpage sample. Applicant is required for correction.
- “input the webpage sample for the SaaS product into a trained machine-learning classifier configured to predict compliance of the SaaS product with the one or more protocols”. The claim provides no guidance as to what/how the step of prediction for compliance is identified/performed as such. Applicant is required for clarification/correction. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims (See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993)).
- “in response to determining that the SaaS product is non-compliant with the one or more protocols”. The claim provides no guidance as to based on what condition and how the non-compliance is determined. Applicant is required for clarification/correction. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims (See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993)).
- “…generate a protocol-specific risk score and cause enforcement of a security policy for the SaaS product”. The claim provides no guidance as to how the steps of “generate a protocol-specific risk score” and “cause enforcement of a security policy” are defined and/or identified as such. And how is the step “cause enforcement of a security policy” to be accomplished? Applicant is required for clarification/correction.
- All dependent claims are rejected under the same rationale as their base claim as above.

Claim 21 recites the limitations:
- “generate label data for training a machine learning model to detect software-as-a-service (SaaS) product compliance with one or more protocols, wherein the label data comprises labeled body text for product webpages for a plurality of SaaS products and labeled body text for relevant webpages for the plurality of SaaS products, wherein a relevant webpage for a particular SaaS products comprises a most highly ranked resultant webpage that matches a domain for the SaaS product or SaaS product vendor”. The claim provides no guidance as to what/how the step of generate label data is performed, and based on what condition and how a most highly ranked resultant webpage is determined and the process matches a domain. Applicant is required for clarification/correction. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims (See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993)).
- “train the machine learning model based at least in part on the label data”. The claim provides no guidance as to how the train …least in part on the label data is identified/performed as such. Applicant is required for clarification/correction. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims (See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993)).
- All dependent claims are rejected under the same rationale as their base claim as above.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-3, 5-7, 9-10, 12-15 and 17-27 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Claims 1, 19 and 20-21

Step 1: The claims 1, 19 and 20-21 are directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter.

Step 2A, Prong One: The claims recite the limitations: “determine/determining…; extract/extracting…; query/querying…; obtain/obtaining…; generate/generating…; input/inputting…; generate/generating…”, are processes that, under its broadest reasonable interpretation, covers a mental process as a form of evaluation or judgement, but for the recitation of generic computer components. That is nothing in the claim element precludes the steps from practically being performed in a human mind. For example, the limitation “determine/determining…; extract/extracting…; query/querying…; obtain/obtaining…; generate/generating…; input/inputting…; generate/generating…”, in the context of the claim encompasses one can manually or mentally with the aid of pen and paper. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the "Mental Processes" grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Step 2A, Prong Two: This judicial exception is not integrated into a practical application. The claim recites the additional elements:
- “select/selecting…; predict/predicting…”, amount to data gathering steps which is considered to be insignificant extra-solution activity. (See MPEP 2106.05(g)).
- “cause/causing…; provide/providing…; train…; deploy” represent(s) an extra solution activity because it is a mere nominal or tangential addition to the claim, a mere generic transmission and presenting of collected and analyzed data. (See MPEP 2106.05(g)).
- “processor(s), memory, non-transitory computer readable storage medium” are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic component. (see MPEP 2106.05(f)).
- “machine learning model” is a mere implementation using a computer. It is at best generally linking the abstract idea to a particular field of use or technological environment of machine learning (see MPEP 2106.05(h)).

Step 2B:
- “select/selecting…; predict/predicting…”. These are identified as insignificant extra-solution activity above when re-evaluated this element is well-understood, routine, and conventional as evidenced by the court cases in MPEP 2106.05(d)(II), "i. Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); … OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network);" and thus remains insignificant extra-solution activity that does not provide significantly more.
- “cause/causing…; provide/providing…; train…; deploy”. This is identified as insignificant extra-solution activity above when re-evaluated this element is well-understood, routine, and conventional as evidenced by the court cases in MPEP 2106.05(d)(II), "iv. Storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334; i. … transmitting data over a network, …Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); … OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v.
Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network)”.
- “Processor, Memory, displayer, non-transitory computer readable storage media”, amount to elements that have been recognized as well-understood, routine, and conventional activity in particular fields, as demonstrated by relevant court decisions: the following are examples of the court decisions demonstrating well-understood, routine and conventional activities, See e.g., MPEP 2106.05(d)(II) and MPEP 2106.05(f)(2): computer readable storage media comprising instructions to implement a method, e.g., see Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015).

The conclusions for the mere implementation using a computer, mere field of use, and using generic computer components (i.e. ML) as a tool are carried over and do not provide significantly more.

Looking at the claims as a whole does not amount to significantly more than the abstract idea itself and the claims appear to be ineligible.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-7, 9-10, 12-14, 19-21, and 24-26 are rejected under 35 U.S.C. 103 as being unpatentable over Marascu et al.
(US 11/763,320 B2), herein after “Marascu”, and in view of Loder (US 2011/0314152 A1), and further in view of Bolla et al., (US 2019/0171767).

Claim 1, Marascu discloses a system, comprising: one or more processors (col. 7 lines 10-14, one or more processors) configured to:
- extract body text from the product webpage (col. 3 lines 10-50 & col. 10 lines 50-65, automatically identify and extract a compliance profile for an entity (e.g., organization) along with the processes, policies, guidelines, rules, laws, and/or regulations that apply to each specific type of entity from the data sources, wherein the data sources may be of different types, such as wikis, web pages);
- query an Internet search engine to obtain a set of resultant webpages, wherein the Internet search engine is queried based at least in part on (i) a product name for the SaaS product (col. 10 lines 1-15 and col. 11 lines, automatic extraction of a compliance profile for an organization/entity includes components, modules, services, applications, and/or functions (production name), and col. 5 lines 15-56, a "software as a service" SaaS”, wherein the privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server. The recommendation may be generated based on the privacy score, security products or services), and (ii) one or more protocol names for one or more protocols (col. 5 lines 15-56, wherein the privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server. The recommendation may be generated based on the privacy score, security products (protocol name); and col. 6 lines 45 to 60, Europe's General Data Protection Regulation (GDPR));
- obtain a webpage sample for the SaaS product, comprising: extract body text from the one or more relevant webpages (col. 3 lines 10-50 & col.
10 lines 50-65, automatically identify and extract a compliance profile for an entity (e.g., organization) along with the processes, policies, guidelines, rules, laws, and/or regulations that apply to each specific type of entity from the data sources, wherein the data sources may be of different types, such as wikis, web pages);
- in response to determining that the SaaS product is non-compliant with the one or more protocols, generate a protocol-specific risk score and cause enforcement of a security policy for the SaaS product (col. 4 lines 30-35 and col. 5 lines 12-65, the score components may be generated based on text of a server's privacy policy, wherein indicated as a C- (e.g., on an A-F scale corresponding to school letter grades, with A indicating high privacy protections and F indicating low or no privacy protections). Numeric scores may be converted to letter scores based on predetermined thresholds or ranges (e.g., A=90-100, B=80-89, C=70-79, D=60-69, F=0-59). The user is informed of privacy risk resulting from accessing the URL and enabled to take action to reduce the privacy risk, which is similar to the Applicant’s specification, par. [0021], providing an indication to a user such as an administrator for a company/organization network); and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (col. 7 lines 10-14, one or more processors or processing units 16, a system memory 28).

However, Marascu substantially discloses the invention as claimed, except “in response to determining that a plurality of relevant webpages are selected, generate a composite text representation based at least in part on one or more of (a) body text from the product webpage, and (b) the body text from the one or more relevant webpages, wherein the composite text representation is used as the webpage sample for the SaaS product when a plurality of relevant webpages are selected”.

On the other hand, Loder discloses in response to determining that a plurality of relevant webpages are selected, generate a composite text representation based at least in part on one or more of (a) body text from the product webpage, and (b) the body text from the one or more relevant webpages, wherein the composite text representation is used as the webpage sample for the SaaS product when a plurality of relevant webpages are selected (Abstract, and pars [0006], [0013], and [0016], determining compliance of content in a website or web application. The compliance tool can compile and output a report indicating whether the references to the network locations extracted from the websites and web applications comply with the one or more rules. The report can be a detailed listing of the references identified in data content associated with the website or web application, along with a compliance status of each of the references).
- determine a URL of a product webpage for a software-as-a-service (SaaS) product (par. [0013], a list of approved URLs, embeds, domains, URL patterns, file extensions, file types, and/or combinations thereof);
- input the webpage sample for the SaaS product into a trained machine-learning classifier configured to predict compliance of the SaaS product with the one or more protocols (par. [0046], a user or viewer of the report can select non-complying references to be added to an approved list or whitelist; par. [0020], a user can respond to a specific post in the forum by providing a hyperlink to an external website such that other users can select the hyperlink and connect to the external website. Further, for instance, a user can maintain a website or web application hosted by the server 108, such as a weblog, in which the user can provide references to other websites that other users can select when accessing the website; par.
[0043], a user can add the reference www.foursquare.com that appears in column 310 to a whitelist of approve network locations by selecting a checkbox corresponding to the reference and selecting a submit 325 button).

Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention was made to modify the disclosures and features of Marascu to include the features as disclosed by Loder to allow websites and web applications to comprise references to only network locations that are known to be harmless or otherwise approved for access.

The combination of Marascu and Loder disclose the invention as claimed except “select, as one or more relevant webpages, one or more most highly ranked resultant webpages whose registrable domain matches a vendor domain associated with the SaaS product”.

Meanwhile, Bolla discloses select, as one or more relevant webpages, one or more most highly ranked resultant webpages whose registrable domain matches a vendor domain associated with the SaaS product (par. [0013] and [0032], a website's content can be assessed relative to different AUP categories. Wherein a machine classifier might score such as the 100-point scale used in this and other examples is arbitrary. Other scoring scales are possible, including categorization levels such as “very low”, “low”, “high”, etc.). Wherein analyzing the content of the web pages on an internet domain to figure out if that domain is compliant with an acceptable use policy (AUP), wherein the internet domain might be in use to sell illegal firearms, illegal drugs, sex services, or other content regulated or forbidden; and par. [0036], the machine learning classifier can be trained using a set of training data comprising web pages that have been ranked by humans relative to the plurality of particular categories.
The classifier can be trained on a page-by-page basis or can also be trained on websites as a whole, wherein the page is 100% certainty that the page is selling illegal weapons, but a 0% certainty that the page is selling illegal drugs. Another page (or website) might be rated as 20% certainty that the page is selling illegal weapons, but 80% certainty that the page is selling illegal drugs; and par. [0058], a merchant might report to a financial services entity that it sells goods and services in certain particular categories, wherein an automated scan of the merchant's website, however, might reveal there is a significant probability (e.g. over a threshold amount such as 25%, 50%, 70%, or some other number).

Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention was made to modify the disclosures and features of cited references to include the features as disclosed by Bolla to allow conservation of resources in ensuring acceptable use policy compliance.

Claim 2, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the classifier is a machine learning model (col. 12 lines 65 to col. 13 line 2, A machine learning classifier can be used for learning the best model, A machine learning (ML) classifier may be trained using one or more of the set features).

Claim 3, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Loder further discloses provide, to a client system, an indication that indicates whether the SaaS product is compliant with the one or more protocols (Abstract, and pars [0006], [0013], and [0016], determining compliance of content in a website or web application. The compliance tool can compile and output a report indicating whether the references to the network locations extracted from the websites and web applications comply with the one or more rules.
The report can be a detailed listing of the references identified in data content associated with the website or web application, along with a compliance status of each of the references).

Claim 5, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the trained machine-learning classifier predicts whether the SaaS product is compliant with at least a subset of the one or more protocols (col. 11 lines 60-65, a "software as a service" SaaS; and col. 5 lines 15-30, The privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server, past behavior of the web server, or any suitable combination thereof. The recommendation may be generated based on the privacy score, security products or services to which the user already has access (e.g., as indicated by account data of an account of the user), security products or services, col. 6 lines 45 to 60, Europe's General Data Protection Regulation (GDPR), allowing them to correct errors in collected Thus, even though a GDPR-compliant entity retains ownership of data. A predetermined data ownership score may be assigned to a web site based on a determination that the privacy policy indicates GDPR compliance).

Claim 6, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the protocol-specific risk score includes an aggregate score indicating a security of the set of the plurality of SaaS products (col. 4 lines 30-35, the score module 220 is configured to generate a privacy policy score for a server. For example, score components may be generated based on text of a server's privacy policy; and col. 5 lines 12-65, indicated as a C- (e.g., on an A-F scale corresponding to school letter grades, with A indicating high privacy protections and F indicating low or no privacy protections).
Numeric scores may be converted to letter scores based on predetermined thresholds or ranges (e.g., A=90-100, B=80-89, C=70-79, D=60-69, F=0-59). The user is informed of privacy risk resulting from accessing the URL and enabled to take action to reduce the privacy risk, which is similar to the Applicant’s specification, par. [0021], providing an indication to a user such as an administrator for a company/organization network)).

Claim 7, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the protocol-specific risk score comprises a plurality of scores respectively corresponding to the plurality of SaaS products (col. 4 lines 30-35, the score module 220 is configured to generate a privacy policy score for a server. For example, score components may be generated based on text of a server's privacy policy; and col. 4 lines 30-35, the score module 220 is configured to generate a privacy policy score for a server. For example, score components may be generated based on text of a server's privacy policy; and col. 5 lines 12-65, indicated as a C- (e.g., on an A-F scale corresponding to school letter grades, with A indicating high privacy protections and F indicating low or no privacy protections). Numeric scores may be converted to letter scores based on predetermined thresholds or ranges (e.g., A=90-100, B=80-89, C=70-79, D=60-69, F=0-59). The user is informed of privacy risk resulting from accessing the URL and enabled to take action to reduce the privacy risk).

Claim 9, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the product name for the SaaS product is extracted from the product webpage (col. 11 lines 60-65, a "software as a service" SaaS; and col.
5 lines 15-30, The privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server, past behavior of the web server, or any suitable combination thereof. The recommendation may be generated based on the privacy score, security products or services to which the user already has access (e.g., as indicated by account data of an account of the user), security products or services), and the product name and the body text are input to the trained machine-learning classifier in connection with determining whether the SaaS product is compliant with one or more protocols (col. 6 lines 45 to 60, Europe's General Data Protection Regulation (GDPR), allowing them to correct errors in collected Thus, even though a GDPR-compliant entity retains ownership of data. A predetermined data ownership score may be assigned to a web site based on a determination that the privacy policy indicates GDPR compliance).

Claim 10, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the one or more protocols include one or more of (i) General Data Protection Regulation (GDPR), (ii) Health Insurance Portability and Accountability Act (HIPAA), (iii) International Traffic in Arms Regulations (ITAR), (iv) ISO 9001, and (v) Financial Industry Regulatory Authority (FINRA) (col. 6 lines 44-60, under Europe's General Data Protection Regulation (GDPR)).

Claim 12, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the one or more processors are further configured to:
- obtain results from the search engine, the results comprising a plurality of resultant is webpages (col. 10 lines 1-15 and col. 11 lines, automatic extraction of a compliance profile for an organization/entity includes components, modules, services, applications, and/or functions (production name), and col.
5 lines 15-56, a "software as a service" SaaS”, wherein the privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server. The recommendation may be generated based on the privacy score, security products or services); and
- filter the plurality of resultant webpages to obtain the relevant webpage (col. 4 lines 30-35 and col. 5 lines 12-65).

Claim 13, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses the relevant webpage is obtained by selecting a first search result for the plurality of relevant webpages (col. 11 lines 30 to col. 12 lines 14).

Claim 14, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses filtering the plurality of relevant webpages to obtain the one or more relevant webpages comprises: obtaining a plurality of pages; generating a page map; and combining relevant pages to obtain the relevant webpage (col. 11 lines 30 to col. 12 lines 55, col. 9 lines 30-58, and col. 10 lines 40-67).

Claim 24, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Marascu further discloses determine, based at least in part on a prediction obtained from the trained machine-learning classifier, an aggregated score pertaining to an enterprise risk of a set of SaaS products (col. 4 lines 30-35, the score module 220 is configured to generate a privacy policy score for a server. For example, score components may be generated based on text of a server's privacy policy; and col. 5 lines 12-65, indicated as a C- (e.g., on an A-F scale corresponding to school letter grades, with A indicating high privacy protections and F indicating low or no privacy protections). Numeric scores may be converted to letter scores based on predetermined thresholds or ranges (e.g., A=90-100, B=80-89, C=70-79, D=60-69, F=0-59).
The user is informed of privacy risk resulting from accessing the URL and enabled to take action to reduce the privacy risk).

Claim 25, Marascu, Loder, and Bolla substantially discloses the invention as claimed. In addition, Bolla further discloses wherein inputting the webpage sample for the SaaS product into the trained machine-learning classifier comprises inputting a tokenized representation of the body text from the one or more relevant webpages (par. [0013] and [0032], a website's content can be assessed relative to different AUP categories. Wherein a machine classifier might score such as the 100-point scale used in this and other examples is arbitrary. Other scoring scales are possible, including categorization levels such as “very low”, “low”, “high”, etc.). Wherein analyzing the content of the web pages on an internet domain to figure out if that domain is compliant with an acceptable use policy (AUP), wherein the internet domain might be in use to sell illegal firearms, illegal drugs, sex services, or other content regulated or forbidden; and par. [0036] & [0058], the machine learning classifier can be trained using a set of training data comprising web pages that have been ranked by humans relative to the plurality of particular categories. The classifier can be trained on a page-by-page basis or can also be trained on websites as a whole, wherein the page is 100% certainty that the page is selling illegal weapons, but a 0% certainty that the page is selling illegal drugs. Another page (or website) might be rated as 20% certainty that the page is selling illegal weapons, but 80% certainty that the page is selling illegal drugs).

Claim 26, Marascu, Loder, and Bolla substantially discloses the invention as claimed.
In addition, Bolla further discloses wherein inputting the webpage sample for the SaaS product into the trained machine-learning classifier comprises inputting a tokenized representation of the body text from the one or more relevant webpages (par. [0013], [0032], [0036] & [0058]).

Claim 19 is a method claim to execute the system of claim 1 above. Therefore, it’s rejected under the same rationale as claim 1.

Claim 20 is a computer program product claim to execute the system of claim 1 above. Therefore, it’s rejected under the same rationale as claim 1.

Claim 21, Marascu discloses a system, comprising: one or more processors (col. 7 lines 10-14, one or more processors) configured to:
- generate label data for training a machine learning model to detect software-as-a-service (SaaS) product compliance with one or more protocols (col. 3 lines 10-50 & col. 10 lines 50-65, automatically identify and extract a compliance profile for an entity (e.g., organization) along with the processes, policies, guidelines, rules, laws, and/or regulations that apply to each specific type of entity from the data sources, wherein the data sources may be of different types, such as wikis, web pages),
- train the machine learning model based at least in part on the label data (col. 12 lines 65 to col. 13 line 2, A machine learning classifier can be used for learning the best model, the set of features may include keywords, concepts, categories, locations, time, domain of activity, a type of organization; and col. 5 lines 1-3, regulatory compliance information, policy information, legal information; and col. 4 lines 31-65, a compliance profile and/or a named entity of type organization may be extracted using one or more natural language processing (NLP) named-entity recognition (NER) operations. A set of features describing the domains of activity, type, and location from the extended text surrounding the entity text may be extracted.
A machine learning (ML) classifier may be trained using one or more of the set features); and
- deploy the machine learning model (col. 4 lines 31-65, a compliance profile and/or a named entity of type organization may be extracted using one or more natural language processing (NLP) named-entity recognition (NER) operations. A set of features describing the domains of activity, type, and location from the extended text surrounding the entity text may be extracted. A machine learning (ML) classifier may be trained using one or more of the set features); and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (col. 7 lines 10-14, one or more processors or processing units 16, a system memory 28).

However, Marascu substantially discloses the invention as claimed, except “wherein the label data comprises labeled body text for product webpages for a plurality of SaaS products and labeled body text for relevant webpages for the plurality of SaaS products”.

On the other hand, Loder discloses the label data comprises labeled body text for product webpages for a plurality of SaaS products and labeled body text for relevant webpages for the plurality of SaaS products (col. 10 lines 1-15 and col. 11 lines, automatic extraction of a compliance profile for an organization/entity includes components, modules, services, applications, and/or functions (production name), and col. 5 lines 15-56, a "software as a service" SaaS”, wherein the privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server. The recommendation may be generated based on the privacy score, security products or services, and col. 5 lines 15-56, wherein the privacy policy score may be generated based on data about the web page, text of a privacy policy associated with the web server.
The recommendation may be generated based on the privacy score, security products (protocol name); and col. 6 lines 45 to 60, Europe's General Data Protection Regulation (GDPR)).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the disclosures and features of Marascu to include the features as disclosed by Loder to allow websites and web applications to comprise references to only network locations that are known to be harmless or otherwise approved for access.

The combination of Marascu and Loder discloses the invention as claimed, except “determining the relevant webpage comprises selecting a most highly ranked resultant webpage that matches a domain for the SaaS product or SaaS product vendor”.

Meanwhile, Bolla discloses determining the relevant webpage comprises selecting a most highly ranked resultant webpage that matches a domain for the SaaS product or SaaS product vendor (par. [0013] and [0032], a website's content can be assessed relative to different AUP categories. Wherein a machine classifier might score such as the 100-point scale used in this and other examples is arbitrary. Other scoring scales are possible, including categorization levels such as “very low”, “low”, “high”, etc.). Wherein analyzing the content of the web pages on an internet domain to figure out if that domain is compliant with an acceptable use policy (AUP), wherein the internet domain might be in use to sell illegal firearms, illegal drugs, sex services, or other content regulated or forbidden; and par. [0036], the machine learning classifier can be trained using a set of training data comprising web pages that have been ranked by humans relative to the plurality of particular categories.
The classifier can be trained on a page-by-page basis or can also be trained on websites as a whole, wherein the page is 100% certainty that the page is selling illegal weapons, but a 0% certainty that the page is selling illegal drugs. Another page (or website) might be rated as 20% certainty that the page is selling illegal weapons, but 80% certainty that the page is selling illegal drugs; and par. [0058], a merchant might report to a financial services entity that it sells goods and services in certain particular categories, wherein an automated scan of the merchant's website, however, might reveal there is a significant probability (e.g. over a threshold amount such as 25%, 50%, 70%, or some other number).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the disclosures and features of cited references to include the features as disclosed by Bolla to allow conservation of resources in ensuring acceptable use policy compliance.

Claims 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Marascu, in view of Loder and Bolla, and further in view of VanLoo et al. (US 11/563,778 B1), hereinafter “VanLoo”.

Claim 15, Marascu, Loder, and Bolla substantially disclose the invention as claimed above, except “determine a risk score based at least in part on the use of classifier to determine whether the SaaS product is compliant with one or more protocols based at least in part on the body text”.

Meanwhile, VanLoo discloses the protocol-specific risk score is determined based at least in part on a prediction of whether the SaaS product is compliant with the one or more protocols obtained by the trained machine-learning classifier, and the security policy is enforced in response to determining that the risk score exceeds a predefined risk threshold. (col.
5 lines 12-65, indicated as a C- (e.g., on an A-F scale corresponding to school letter grades, with A indicating high privacy protections and F indicating low or no privacy protections). Numeric scores may be converted to letter scores based on predetermined thresholds or ranges (e.g., A=90-100, B=80-89, C=70-79, D=60-69, F=0-59). The user is informed of privacy risk resulting from accessing the URL and enabled to take action to reduce the privacy risk. A privacy policy score below a first predetermined reference may cause at least a portion of the privacy policy information; a privacy score above the first predetermined reference and below a second predetermined reference may cause at least a portion of the privacy policy information 330 to be presented in yellow; and a privacy score above the second predetermined reference may cause at least a portion of the privacy policy information 330 to be presented in green).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the disclosures and features of cited references to include the features as disclosed by VanLoo so that users are enabled to better monitor how their data is used online and to better control the distribution of that data.

Claim 17, Marascu, Loder, Bolla, and VanLoo substantially disclose the invention as claimed. In addition, Marascu discloses enforcing the security policy comprises restricting access to the SaaS product by one or more client terminals (col. 5 lines 12-65 to col. 6 line 15).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Marascu, in view of Loder and Bolla, and further in view of Bulut et al. (US 2021/0075814 A1), hereinafter “Bulut”.

Claim 18, Marascu, Loder, and Bolla substantially disclose the invention as claimed, except “the classifier comprises a Convolutional Neural Network (CNN) model, and the CNN is used to perform text classification with respect to the body text”.
On the other hand, Bulut discloses the trained machine-learning classifier comprises a Convolutional Neural Network (CNN) model, and the CNN is used to perform text classification with respect to the body text (pars. [0024], [0057]-[0058], a) set a vulnerability scoring system (e.g., CVSS) as a methodology; b) collect vulnerabilities and corresponding assigned scores from different data sources; c) use such previous history of vulnerabilities to build a machine learning (ML) model. The metric assignment component 108 can employ a machine learning (ML) model based on Artificial Intelligence (AI) and Natural Language Processing (NLP), a convolutional neural network (CNN) model…).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the disclosures and features of cited references to include the features as disclosed by Bulut for the purpose of supporting risk assessment metrics of different compliance process vulnerability scoring systems.

Claims 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over Marascu, in view of Loder and Bolla, and further in view of Yaniv Shemesh (US 10270792), hereinafter “Shemesh”.

Claim 22, Marascu, Loder, and Bolla substantially disclose the invention as claimed above, except “a blank page is used as the one or more webpages if a top ranked webpage of the set of resultant webpages does not correspond to a domain for the SaaS product”.

Meanwhile, Shemesh discloses a blank page is used as the one or more webpages if a top ranked webpage of the set of resultant webpages does not correspond to a domain for the SaaS product (col. 11, lines 11-59).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the disclosures and features of cited references to include the features as disclosed by Shemesh for the purpose of providing acknowledgement of security/protection process.
Claim 23, Marascu, Loder, Bolla, and Shemesh substantially disclose the invention as claimed. In addition, Shemesh discloses the system of claim 22, wherein the blank page is used in connection with inferring that the SaaS product is non-compliant with respect to one or more protocols (col. 11, lines 11-59 and col. 4 lines 30-35 and col. 5 lines 12-65, the score components may be generated based on text of a server's privacy policy, wherein indicated as a C- (e.g., on an A-F scale corresponding to school letter grades, with A indicating high privacy protections and F indicating low or no privacy protections). Numeric scores may be converted to letter scores based on predetermined thresholds or ranges (e.g., A=90-100, B=80-89, C=70-79, D=60-69, F=0-59). The user is informed of privacy risk resulting from accessing the URL and enabled to take action to reduce the privacy risk, which is similar to the Applicant’s specification, par. [0021], providing an indication to a user such as an administrator for a company/organization network) (Marascu).

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Marascu, Loder, in view of Bolla, and further in view of Reddy et al. (US 2019/0303541 A1), hereinafter “Reddy”.

Claim 27, Marascu, Loder, and Bolla substantially disclose the invention as claimed, except “inputting the webpage sample for the SaaS product into the trained machine-learning classifier comprises inputting to the trained machine-learning model a byte pair embedding of the product name for the SaaS product and a byte pair embedding with respect to information obtained from the one or more relevant web pages”.
Meanwhile, Reddy discloses inputting the webpage sample for the SaaS product into the trained machine-learning classifier comprises inputting to the trained machine-learning model a byte pair embedding of the product name for the SaaS product and a byte pair embedding with respect to information obtained from the one or more relevant web pages (par. [0071], private and public cryptographic key pairs may be generated with various asymmetric encryption algorithms; [0097], a target of byte code into which smart contracts are interpreted) in content of nodes of the directed acyclic graph of cryptographic hash pointers. …as the chain increases in length or tree increases in size [0099], the on-chain portion stored as node content may be a machine-readable portion, such as a portion of key-value pairs in dictionaries encoded as a hierarchical data serialization format; par. [0149], input the trust assertions to a trained machine learning model trained in the manner described above on a training set having labeled examples of software assets suitable for promotion at a given stage and not suitable for promotion).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the disclosures and features of cited references to include the features as disclosed by Reddy for the purpose of providing reliable identification and verification of quality-related software and verification of ownership and sourcing of software assets.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LOAN T NGUYEN whose telephone number is (571)-270-3103. The examiner can normally be reached on Monday from 10:00 am - 6:00 pm, Thursday-Friday from 10:00 am - 2:00 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571) 270-1760.
The fax phone number for the organization where this application or proceeding is assigned is 571-270-4103. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

3/15/2026
/LOAN T NGUYEN/
Examiner, Art Unit 2165

Prosecution Timeline

Jul 29, 2022: Application Filed
Mar 09, 2024: Non-Final Rejection — §101, §103, §112
Jun 26, 2024: Response Filed
Dec 23, 2024: Final Rejection — §101, §103, §112
Mar 16, 2025: Interview Requested
Mar 27, 2025: Examiner Interview Summary
Mar 27, 2025: Applicant Interview (Telephonic)
Mar 27, 2025: Request for Continued Examination
Mar 31, 2025: Response after Non-Final Action
Jun 28, 2025: Non-Final Rejection — §101, §103, §112
Oct 13, 2025: Response Filed
Mar 18, 2026: Non-Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602364: Scalable Object Storage (2y 5m to grant, Granted Apr 14, 2026)
Patent 12536370: ARBITRARY SIZE CONTENT ITEM GENERATION (2y 5m to grant, Granted Jan 27, 2026)
Patent 12517792: PROVIDING STATUS OF DATA STORAGE OPERATIONS WITHIN AN INFORMATION MANAGEMENT SYSTEM (2y 5m to grant, Granted Jan 06, 2026)
Patent 12517952: SEMI-STRUCTURED DATA DECOMPOSITION (2y 5m to grant, Granted Jan 06, 2026)
Patent 12511256: MULTI-SERVICE BUSINESS PLATFORM SYSTEM HAVING CUSTOM OBJECT SYSTEMS AND METHODS (2y 5m to grant, Granted Dec 30, 2025)
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 4-5
Grant Probability: 65%
With Interview (+23.5%): 88%
Median Time to Grant: 4y 1m
PTA Risk: High
Based on 343 resolved cases by this examiner. Grant probability derived from career allow rate.