Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsOnetrust LLC › 18933523
Last updated: April 19, 2026
Application No. 18/933,523

Automated Risk Assessment Module with Real-Time Compliance Monitoring

Non-Final OA §DP
Filed
Oct 31, 2024
Examiner
CHANG, KENNETH W
Art Unit
2438
Tech Center
2400 — Computer Networks
Assignee
Onetrust LLC
OA Round
1 (Non-Final)
87%
Grant Probability
Favorable
1-2
OA Rounds
2y 7m
To Grant
87%
With Interview

Interview Optional

+0.7% interview lift. This examiner has a relatively high allow rate; a written response may suffice.
Based on 616 resolved cases, 2023–2026

Examiner Intelligence

CHANG, KENNETH W View full profile →
Grants 87% — above average
87%
Career Allow Rate
534 granted / 616 resolved
+28.7% vs TC avg
Minimal +1% lift
Without
With
+0.7%
Interview Lift
resolved cases with interview
Typical timeline
2y 7m
Avg Prosecution
17 currently pending
Career history
633
Total Applications
across all art units

Statute-Specific Performance

§101
14.1%
-25.9% vs TC avg
§103
37.6%
-2.4% vs TC avg
§102
17.7%
-22.3% vs TC avg
§112
18.1%
-21.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 616 resolved cases

Office Action

§DP
DETAILED ACTION This first non-final action is in response to applicants’ filing on 10/31/2024. Claims 1-20 are currently pending and have been considered as follows. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Drawings The drawings filed on 10/31/2024 are accepted. Information Disclosure Statement The information disclosure statement (IDS) submitted on 11/07/2024 has been placed in the application file, and the information referred therein has been considered as to the merits. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Parent Patent No. 12,166,788 B2 Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over Claims 1-20 of parent U.S. Patent No. 12,166,788 B2 (common inventive entity and assignee) in view of the prior art Moses (US 8538893 B1). Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application Claims 1-20 are an obvious variation of Claims 1-20 of the parent patent in view of the prior art reference Moses. All the elements of Claims 1-20 of the instant application are found within the scope of Claims 1-20 of parent U.S. Patent No. 12,166,788 B2 except for the feature of “required evidence”, although the parent patent instead recites “missing evidence”. However, the analogous prior art Moses does disclose that the missing evidence is required evidence (e.g. Moses “If it is determined by evaluating the data elements in the bundle, that evidence is missing, the evidence archive processor 12 assembles complete evidence for the bundle as shown in block 204” [column 5 lines 57-60]; “where the evidence archive processor already has stored therein a copy of the missing required evidence so that the party requesting archival need not communicate with other processors or devices to obtain the missing information” [column 6 lines 2-5]). It would have been an obvious modification to the invention of Claims 1-20 of parent U.S. Patent No. 12,166,788 B2 to include “required evidence” (as taught by Moses) for the purpose of evidence archival and retrieval that facilitates a reduction in storage requirements while also providing a restoration of authenticity of stored information (Moses [column 2 lines 59-61]). Therefore, the invention as specified in application Claims 1-20 is not patentably distinct from Claims 1-20 of parent U.S. Patent No. 12,166,788 B2 in view of the prior art Moses. The following Claims Comparison Table illustrates the obviousness relationship of the claims at issue. Instant Application: 18/933,523 U.S. Patent No. 12,166,788 B2 (common inventive entity and assignee) Claim 1: A method comprising: performing, with processing hardware of a computing system, operations comprising: establishing a session between a server computing system and a client computing system; accessing, in connection with the session, mapping data that links a set of risks associated with operations using the client computing system to a set of control operations according to a set of objectives identified via an objective identification interface; associating, based on the mapping data, the set of risks and the set of control operations with the client computing system; determining that a software configuration has been implemented to monitor a state of data applicable to the set of control operations; performing a risk assessment operation that comprises determining that the state of the data tracked via the software configuration indicates evidence collection for the set of control operations; and providing, via the session and based on the risk assessment operation, an evidence task interface comprising: an indication of required evidence for an evidence task corresponding to a control operation of the set of control operations; and an interface element configured for viewing or modifying the evidence task corresponding to the control operation. Claim 1: A method comprising: performing, with processing hardware of a computing system, operations comprising: establishing a session between a server computing system and a client computing system; accessing, in connection with the session, mapping data that links a set of risks associated with operations using the client computing system to a set of control operations according to a set of objectives identified via an objective identification interface; associating, based on the mapping data, the set of risks and the set of control operations with the client computing system; determining that a software configuration has been implemented to monitor a state of data applicable to the set of control operations; performing a risk assessment operation that comprises determining that the state of the data tracked via the software configuration indicates no updates within a specified time period; and providing, via the session and based on the risk assessment operation, an evidence task interface comprising: an indication of missing evidence for an evidence task corresponding to a control operation of the set of control operations; and an interface element configured for viewing or modifying the evidence task corresponding to the control operation. Claim 2: The method of claim 1, wherein: the server computing system includes a multi-tenant computing platform having a tenant authorized for use by the client computing system, and establishing the session includes the client computing system communicating with the server computing system via the tenant. Claim 2: The method of claim 1, wherein: the server computing system includes a multi-tenant computing platform having a tenant authorized for use by the client computing system, and establishing the session includes the client computing system communicating with the server computing system via the tenant. Claim 3: The method of claim 2, wherein associating the set of risks and the set of control operations with the client computing system includes: providing a confirmation menu to the client computing system that includes interface elements configured for instructing that mitigation of the set of risks should occur; receiving instructions to mitigate the set of risks via the confirmation menu; and updating, in the tenant of the client computing system, a project data object to include the set of risks, the set of control operations, and evidence task objects corresponding to evidence tasks for storing data applicable to the set of control operations. Claim 3: The method of claim 2, wherein associating the set of risks and the set of control operations with the client computing system includes: providing a confirmation menu to the client computing system that includes interface elements configured for instructing that mitigation of the set of risks should occur, receiving instructions to mitigate the set of risks via the confirmation menu, and updating, in the tenant of the client computing system, a project data object to include the set of risks, the set of control operations, and evidence task objects corresponding to evidence tasks for storing data applicable to the set of control operations. Claim 4: The method of claim 1, wherein providing the evidence task interface comprises providing the indication of the required evidence for the evidence task with an indication of required attachments for a specified time period. Claim 4: The method of claim 1, wherein providing the evidence task interface comprises providing the indication of the missing evidence for the evidence task with an indication of missing attachments for an amount of time associated with the specified time period. Claim 5: The method of claim 1, further comprising: detecting a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation; and presenting, for display via the evidence task interface, evidence collected for the control operation utilizing an evidence data object. Claim 5: The method of claim 1, further comprising: detecting a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation; and presenting, for display via the evidence task interface, evidence collected for the control operation utilizing an evidence data object. Claim 6: The method of claim 1, further comprising: detecting a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation; and presenting, for display via the evidence task interface, an option to add evidence for the control operation utilizing an evidence data object. Claim 6: The method of claim 1, further comprising: detecting a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation; and presenting, for display via the evidence task interface, an option to add evidence for the control operation in connection with the specified time period utilizing an evidence data object. Claim 7: The method of claim 6, further comprising determining, in response to evidence being added for the control operation, that the state of the data indicates the required evidence for the control operation. Claim 7: The method of claim 6, further comprising determining, in response to evidence being added for the control operation in connection with the specified time period, that the state of the data indicates an update within the specified time period for the control operation. Claim 8: The method of claim 1, wherein: performing the risk assessment operation comprises determining that the control operation requires periodic evidence collection in connection with one or more time periods; and providing the evidence task interface comprises generating a message including the indication of the required evidence in response to determining that the state of the data applicable to the set of control operations indicates missing evidence for the evidence task for a specified time period of the one or more time periods. Claim 8: The method of claim 1, wherein: performing the risk assessment operation comprises determining that previously collected evidence for the control operation is outdated according to requirements of the control operation in connection with the specified time period; and providing the evidence task interface comprises generating a message including the indication of the missing evidence based on the previously collected evidence for the control operation being outdated. Claim 9: The method of claim 1, wherein determining that the software configuration has been implemented comprises determining that an integration with third-party software has been configured to retrieve the data applicable to the set of control operations. Claim 9: The method of claim 1, wherein determining that the software configuration has been implemented comprises determining that an integration with third-party software has been configured to retrieve the data applicable to the set of control operations. Claim 10: The method of claim 9, wherein determining that the integration has been configured includes: identifying, in a tenant authorized for use by the client computing system, a computer-executable program or script specifying a data source within the client computing system and a destination accessible via the tenant, and determining that the computer-executable program or script is associated with at least one evidence task object for storing data applicable to the set of control operations. Claim 10: The method of claim 9, wherein determining that the integration has been configured includes: identifying, in a tenant authorized for use by the client computing system, a computer-executable program or script specifying a data source within the client computing system and a destination accessible via the tenant, and determining that the computer-executable program or script is associated with at least one evidence task object for storing data applicable to the set of control operations. Claim 11: A computing system comprising: processing hardware; and a non-transitory computer-readable medium communicatively coupled to the processing hardware, wherein the processing hardware is configured for executing instructions stored in the non-transitory computer-readable medium and thereby performing operations comprising: providing a multi-tenant computing platform having a tenant authorized for use by a client computing system; identifying, based on input to the client computing system, a set of risks associated with operations using the client computing system; determining that a software configuration has been implemented to monitor a state of data applicable to a set of control operations associated with the set of risks; performing a risk assessment operation that comprises determining that the state of the data tracked via the software configuration indicates evidence collection for the set of control operations; and providing, via the tenant, an evidence task interface comprising: an indication of required evidence for an evidence task corresponding to a control operation of the set of control operations; and an interface element configured for viewing or modifying the evidence task corresponding to the control operation. Claim 11: A computing system comprising: processing hardware; and a non-transitory computer-readable medium communicatively coupled to the processing hardware, wherein the processing hardware is configured for executing instructions stored in the non-transitory computer-readable medium and thereby performing operations comprising: providing a multi-tenant computing platform having a tenant authorized for use by a client computing system; identifying, based on input to the client computing system, a set of risks associated with operations using the client computing system; determining that a software configuration has been implemented to monitor a state of data applicable to a set of control operations associated with the set of risks; performing a risk assessment operation that comprises determining that the state of the data tracked via the software configuration indicates no updates within a specified time period; and providing, via the tenant, an evidence task interface comprising: an indication of missing evidence for an evidence task corresponding to a control operation of the set of control operations; and an interface element configured for viewing or modifying the evidence task corresponding to the control operation. Claim 12: The computing system of claim 11, wherein the operations further comprise: providing a confirmation menu to the client computing system that includes interface elements configured for instructing that mitigation of the set of risks should occur; receiving instructions to mitigate the set of risks via the confirmation menu; and updating, in the tenant of the client computing system, a project data object to include the set of risks, the set of control operations, and evidence task objects for storing data applicable to the set of control operations. Claim 12: The computing system of claim 11, wherein the operations further comprise: providing a confirmation menu to the client computing system that includes interface elements configured for instructing that mitigation of the set of risks should occur, receiving instructions to mitigate the set of risks via the confirmation menu, and updating, in the tenant of the client computing system, a project data object to include the set of risks, the set of control operations, and evidence task objects for storing data applicable to the set of control operations. Claim 13: The computing system of claim 11, wherein providing the evidence task interface comprises providing the indication of the required evidence for the evidence task with an indication of required attachments for a specified time period. Claim 13: The computing system of claim 11, wherein providing the evidence task interface comprises providing the indication of the missing evidence for the evidence task with an indication of missing attachments for an amount of time associated with the specified time period. Claim 14: The computing system of claim 11, wherein the operations further comprise responsive to a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation, presenting, for display via the evidence task interface, evidence collected for the control operation via an evidence data object. Claim 14: The computing system of claim 11, wherein the operations further comprise responsive to a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation, presenting, for display via the evidence task interface, evidence collected for the control operation via an evidence data object. Claim 15: The computing system of claim 11, wherein the operations further comprise: responsive to a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation, presenting, for display via the evidence task interface, an option to add evidence for the control operation utilizing an evidence data object; and determining, in response to evidence being added for the control operation, that the state of the data indicates that the required evidence was collected for the control operation. Claim 15: The computing system of claim 11, wherein the operations further comprise: responsive to a selection of the interface element configured for viewing or modifying the evidence task corresponding to the control operation, presenting, for display via the evidence task interface, an option to add evidence for the control operation in connection with the specified time period utilizing an evidence data object; and determining, in response to evidence being added for the control operation in connection with the specified time period, that the state of the data indicates an update within the specified time period for the control operation. Claim 16: The computing system of claim 11, wherein: performing the risk assessment operation comprises determining that the control operation requires periodic evidence collection in connection with one or more time periods; and providing the evidence task interface comprises generating a message including the indication of the required evidence in response to determining that the state of the data applicable to the set of control operations indicates missing evidence for the evidence task for a specified time period of the one or more time periods. Claim 16: The computing system of claim 11, wherein: performing the risk assessment operation comprises determining that previously collected evidence for the control operation is outdated according to requirements of the control operation in connection with the specified time period; and providing the evidence task interface comprises generating a message including the indication of the missing evidence based on the previously collected evidence for the control operation being outdated. Claim 17: The computing system of claim 11, wherein determining that the software configuration has been implemented comprises: determining that an integration with third-party software has been configured to retrieve the data applicable to the set of control operations; identifying, in a tenant authorized for use by the client computing system, a computer-executable program or script specifying a data source within the client computing system and a destination accessible via the tenant, and determining that the computer-executable program or script is associated with at least one evidence task object for storing data applicable to the set of control operations. Claim 17: The computing system of claim 11, wherein determining that the software configuration has been implemented comprises: determining that an integration with third-party software has been configured to retrieve the data applicable to the set of control operations; identifying, in a tenant authorized for use by the client computing system, a computer-executable program or script specifying a data source within the client computing system and a destination accessible via the tenant, and determining that the computer-executable program or script is associated with at least one evidence task object for storing data applicable to the set of control operations. Claim 18: A non-transitory computer-readable medium storing instruction that, when executed by processing hardware, configure the processing hardware to perform operations comprising: performing, with processing hardware of a computing system, operations comprising: establishing a session between a server computing system and a client computing system; accessing, in connection with the session, mapping data that links a set of risks associated with operations using the client computing system to a set of control operations according to a set of objectives identified via an objective identification interface; associating, based on the mapping data, the set of risks and the set of control operations with the client computing system; determining that a software configuration has been implemented to monitor a state of data applicable to the set of control operations; performing a risk assessment operation that comprises determining that the state of the data tracked via the software configuration indicates evidence collection for the set of control operations; and providing, via the session and based on the risk assessment operation, an evidence task interface comprising: an indication of required evidence for an evidence task corresponding to a control operation of the set of control operations; and an interface element configured for viewing or modifying the evidence task corresponding to the control operation. Claim 18: A non-transitory computer-readable medium storing instruction that, when executed by processing hardware, configure the processing hardware to perform operations comprising: performing, with processing hardware of a computing system, operations comprising: establishing a session between a server computing system and a client computing system; accessing, in connection with the session, mapping data that links a set of risks associated with operations using the client computing system to a set of control operations according to a set of objectives identified via an objective identification interface; associating, based on the mapping data, the set of risks and the set of control operations with the client computing system; determining that a software configuration has been implemented to monitor a state of data applicable to the set of control operations; performing a risk assessment operation that comprises determining that the state of the data tracked via the software configuration indicates no updates within a specified time period; and providing, via the session and based on the risk assessment operation, an evidence task interface comprising: an indication of missing evidence for an evidence task corresponding to a control operation of the set of control operations; and an interface element configured for viewing or modifying the evidence task corresponding to the control operation. Claim 19: The non-transitory computer-readable medium of claim 18, wherein providing the evidence task interface comprises: determining, by accessing an evidence task object for the control operation in connection with the risk assessment operation, that evidence has not been collected for the control operation; and generating, for display within the evidence task interface, a message comprising an indication of missing evidence for the evidence task with the interface element. Claim 19: The non-transitory computer-readable medium of claim 18, wherein providing the evidence task interface comprises: determining, by accessing an evidence task object for the control operation in connection with the risk assessment operation, that evidence has not been collected for the control operation during the specified time period; and generating, for display within the evidence task interface, a message comprising the indication of the missing evidence for the evidence task with an amount of time associated with the specified time period and the interface element. Claim 20: The non-transitory computer-readable medium of claim 18, wherein the operations further comprise: receiving an upload of one or more documents corresponding to the control operation; and associating the one or more documents with the control operation via an evidence data object. Claim 20: The non-transitory computer-readable medium of claim 18, wherein the operations further comprise: receiving an upload of one or more documents corresponding to the control operation for the specified time period; and associating the one or more documents with the control operation via an evidence data object. Conclusion The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure. Budampati et al. (US 20070087763 A1 Johnson (US 20100179843 A1) GILL et al. (US 20120216243 A1) Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9:30am-5:30pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KENNETH W CHANG/Primary Examiner, Art Unit 2438 PNG media_image1.png 35 280 media_image1.png Greyscale 02.02.2026
Read full office action

Prosecution Timeline

Oct 31, 2024
Application Filed
Feb 02, 2026
Non-Final Rejection — §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

18/100,619
Patent 12574408
POST-INCIDENT ALERTS FOR PII DATA LOSS
2y 5m to grant Granted Mar 10, 2026
18/194,741
Patent 12568118
SHORTEST PATH BRIDGING (SPB) SECURITY GROUP POLICY
2y 5m to grant Granted Mar 03, 2026
17/937,101
Patent 12554508
PROCESSING COMPLEX PACKED TENSORS USING INTEGRATED CIRCUIT OF REAL AND COMPLEX PACKED TENSORS IN COMPLEX DOMAIN
2y 5m to grant Granted Feb 17, 2026
18/129,814
Patent 12537666
EFFICIENT IMPLEMENTATION OF ZUC AUTHENTICATION
2y 5m to grant Granted Jan 27, 2026
18/669,820
Patent 12536312
FILE VIEWING SYSTEM, FILE VIEWING METHOD, AND STORAGE MEDIUM
2y 5m to grant Granted Jan 27, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
87%
Grant Probability
87%
With Interview (+0.7%)
2y 7m
Median Time to Grant
Low
PTA Risk
Based on 616 resolved cases by this examiner. Grant probability derived from career allow rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month