DCT
1:25-cv-01586
Altr Solutions Inc v. Immuta Inc
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: ALTR SOLUTIONS INC. (Delaware)
- Defendant: Immuta Inc. (Delaware)
- Plaintiff’s Counsel: Morris, Nichols, Arsht & Tunnell LLP
- Case Identification: 1:25-cv-01586, D. Del., 12/31/2025
- Venue Allegations: Venue is based on Defendant being a Delaware corporation and therefore residing in the District of Delaware.
- Core Dispute: Plaintiff alleges that Defendant’s data access and control platform infringes three patents related to data security, governance, and user-based access control.
- Technical Context: The technology domain is data security governance, which involves platforms that control and monitor access to sensitive data within enterprise database environments to ensure security and regulatory compliance.
- Key Procedural History: The complaint alleges that Defendant’s CEO contacted Plaintiff’s CEO via LinkedIn to express interest in acquiring Plaintiff and its technology, stating his "team really likes" Plaintiff's solutions. The complaint also notes that both companies are recognized as direct competitors in the Data Security Platform market by third-party industry analysts such as Gartner.
Case Timeline
| Date | Event |
|---|---|
| 2014-09-08 | Defendant Immuta Inc. incorporated |
| 2015-06-02 | Earliest Priority Date for ’330 and ’820 Patents |
| 2020-01-07 | Earliest Priority Date for ’466 Patent |
| 2021-10-05 | ’330 Patent Issued |
| 2025-04-22 | ’466 Patent Issued |
| 2025-11-18 | ’820 Patent Issued |
| 2025-12-31 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,138,330
- Patent Identification: U.S. Patent No. 11,138,330, titled “FRAGMENTING DATA FOR THE PURPOSES OF PERSISTENT STORAGE ACROSS MULTIPLE IMMUTABLE DATA STRUCTURES,” issued October 5, 2021 (the “’330 Patent”).
The Invention Explained
- Problem Addressed: The patent’s background section describes the vulnerability of conventional datastores to attackers who can modify data or exfiltrate records, and then mask their activity by altering access logs (’330 Patent, col. 1:57-66).
- The Patented Solution: The invention discloses a system that uses a “security driver” to intercept database requests and transparently segregate data based on its sensitivity (’330 Patent, col. 9:34-37, col. 10:2-15). Lower-security data is stored in a conventional, “lower-trust” database, while higher-security data is fragmented and stored in a separate, more secure distributed storage system (e.g., a blockchain-based immutable ledger) (’330 Patent, Fig. 1). The conventional database stores pointers in place of the sensitive data, and upon a read request, the security driver reassembles the complete record for the application (’330 Patent, col. 10:16-20).
- Technical Importance: This hybrid storage architecture aims to provide the security and immutability of distributed ledgers for sensitive data without incurring the performance penalties associated with using such systems for all data transactions (’330 Patent, col. 10:5-15).
Key Claims at a Glance
- The complaint asserts infringement of at least independent Claim 1 (Compl. ¶35).
- The essential elements of Claim 1 are:
- A tangible, non-transitory, machine-readable medium storing instructions for operations comprising:
- Obtaining and registering a "security driver" to interface with a "database driver" and receive database requests from an application.
- Receiving database requests from the application and passing at least some to the database driver.
- Obtaining a policy to control data access.
- Modifying a subset of data responsive to a read request by applying the policy to identify the subset and change its values to generate a "modified subset of data".
- Returning a response to the application that includes the "modified subset of data" in place of the original subset.
- The complaint implicitly reserves the right to assert other claims, including dependent claims.
U.S. Patent No. 12,282,466
- Patent Identification: U.S. Patent No. 12,282,466, titled “COMMUNICATING FINE-GRAINED APPLICATION DATABASE ACCESS TO A THIRD PARTY AGENT,” issued April 22, 2025 (the “’466 Patent”).
The Invention Explained
- Problem Addressed: Database management systems are often unaware of the specific application-level user accessing data, because many applications connect using a single, generic service account. This makes it difficult to implement fine-grained, user-specific access controls and auditing (’466 Patent, col. 55:31-41).
- The Patented Solution: The invention describes a driver that intercepts database requests and detects a "user agent string" or other identifier appended to the request that is "indicative of a user of the application" (’466 Patent, Abstract; col. 2:9-14). The driver obtains a policy governing access for different users and, based on the identifier and policy, determines whether access is permitted. It then enforces the policy by modifying the database request (e.g., by adding filters) or the data returned by the database (e.g., by masking values) (’466 Patent, Fig. 14; col. 2:36-42).
- Technical Importance: The technology enables policy-based access control and auditing at the individual end-user level, even when applications use a shared database account, addressing a common security vulnerability in enterprise systems (’466 Patent, col. 55:58-67).
Key Claims at a Glance
- The complaint asserts infringement of at least independent Claim 1 (Compl. ¶46).
- The essential elements of Claim 1 are:
- A tangible, non-transitory, machine-readable medium storing instructions for operations comprising:
- Registering a "security driver" to receive database requests from an application.
- Detecting a "user agent string" appended to the request that includes a user identifier.
- Obtaining a policy that governs data access for different users.
- Determining, based on the policy and identifier, whether the user is permitted or denied access.
- Determining, based on the policy and the request, whether the request pertains to a restricted portion of data.
- In response to a denial determination, "modifying... the database request" to deny access to the restricted portion while permitting access to other portions.
- The complaint implicitly reserves the right to assert other claims.
U.S. Patent No. 12,476,820
- Patent Identification: U.S. Patent No. 12,476,820, titled “USING A TREE STRUCTURE TO SEGMENT AND DISTRIBUTE RECORDS ACROSS ONE OR MORE DECENTRALIZED, ACYCLIC GRAPHS OF CRYPTOGRAPHIC HASH POINTERS,” issued November 18, 2025 (the “’820 Patent”).
- Technology Synopsis: The patent addresses performance limitations in blockchain-like structures by segmenting data records and arranging them in a tree structure (e.g., binary or k-ary tree) stored across decentralized immutable graphs (’820 Patent, Abstract; col. 57:5-19). This structure is intended to allow for concurrent retrieval of different record segments, thereby improving read performance compared to linear, sequential retrieval (’820 Patent, col. 57:12-19).
- Asserted Claims: The complaint asserts infringement of at least independent Claim 1 (Compl. ¶57).
- Accused Features: The complaint alleges that Defendant's platform infringes by monitoring user read requests (queries) and their associated time durations, and determining when the number of requests exceeding a duration threshold satisfies a count threshold, which is alleged to map to the claimed monitoring functionality (Compl. ¶¶ 57 (1.5), 57 (1.6)).
III. The Accused Instrumentality
Product Identification
- The accused product is the Immuta Platform, also referred to as the Immuta System (Compl. ¶15).
Functionality and Market Context
- The Immuta Platform is described as a data access and control platform that functions as a "centralized hub" for data governance, marketed as a solution to "optimize how you access and control data" (Compl. ¶16). Technically, it is alleged to operate as a query engine or proxy that sits between client applications and back-end databases, where it can modify database responses according to governance policies (Compl. ¶17). The platform is offered in both a cloud-based SaaS and a customer-managed software deployment model, as shown in a screenshot of Immuta's documentation (Compl. ¶35, p. 10). The complaint positions Immuta as a direct and significant competitor to ALTR, citing third-party market analysis from sources like SourceForge and Gartner that place the two companies in the same market segment (Compl. ¶¶ 26, 27). A screenshot from SourceForge shows a side-by-side comparison of ALTR, Immuta, and Microsoft Purview (Compl. ¶26, p. 7).
IV. Analysis of Infringement Allegations
11,138,330 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| obtaining a security driver configured to interface with a database driver... | The Immuta System includes the Immuta Query Engine, which is a proxy that sits between client applications and backend data sources. | ¶35 (1.1) | col. 9:34-37 |
| registering the security driver to receive database requests... | User authentication with Immuta SQL credentials establishes a connection session, registering the Immuta Query Engine to receive subsequent database requests from the user. | ¶35 (1.2) | col. 39:19-22 |
| receiving the database requests in the schema of the API from the application, at least some of the database requests being passed to the database driver... | The Immuta System receives requests via a PostgreSQL-compatible API and forwards rewritten requests to the underlying database via a database driver. | ¶35 (1.3) | col. 9:45-53 |
| obtaining a policy by which access to at least some data within the database is controlled; | The Immuta System contacts the Immuta policy service at runtime to determine the applicable policy decision, including which rows to filter or columns to mask. | ¶35 (1.4) | col. 40:1-3 |
| modifying, in association with a received read request... a subset of data... responsive to applying the policy, wherein applying the policy comprises identifying the subset of data based on the policy and changing values in the subset of data to generate a modified subset of data; | The Immuta Query Engine intercepts and rewrites the query based on policy decisions, implementing column masking or row filtering. This identifies a subset of data (e.g., a column) and changes its values (e.g., masks them) to create a modified result. | ¶35 (1.5) | col. 61:61-62:1 |
| returning, to the application, responsive to the read request, a response including the modified subset of data in place of the subset of data within the records. | The Immuta System returns the policy-modified query results to the application, with original values in masked columns replaced by hashed values, constants, or nulls. | ¶35 (1.6) | col. 62:2-5 |
- Identified Points of Contention:
- Scope Questions: An issue may arise regarding whether the accused "Immuta Query Engine," described as a proxy that "sits between" applications and databases (Compl. ¶17), meets the claim limitation of a "security driver" that "wraps" or "interfaces with a database driver" (’330 Patent, Fig. 1; col. 9:34-44). The patent figures depict an architecture where the security driver is a component within the client computing device, which may raise questions of architectural equivalence with a proxy-based system.
- Technical Questions: Claim 1 requires "modifying... a subset of data... by... identifying the subset of data based on the policy and changing values in the subset of data." The complaint alleges Immuta achieves this by rewriting the SQL query or by transforming results as they are streamed back (Compl. ¶35 (1.5)). The analysis may question whether rewriting a query before it executes constitutes "changing values in the subset of data" as required by the claim, or if that language is limited to modification of the data after it is retrieved.
12,282,466 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| registering a security driver to receive database requests generated by an application... | The Immuta System's Query Engine functions as a security driver by interposing itself between client applications and backend databases to receive SQL requests. | ¶46 (1.1) | col. 39:19-22 |
| detecting, by the security driver, a user agent string appended to the database request, the user agent string including at least one identifier indicative of a user... | The Immuta Query Engine receives database requests containing identifying values, such as user attributes, which it inspects to enforce policies. | ¶46 (1.2) | col. 2:9-14 |
| obtaining, by the security driver, a policy by which access to a portion of data within a database arrangement... is governed for different users or client devices... | The Immuta Query Engine obtains policies from the Immuta policy service that govern data access for different users or client devices based on the requesting user's identity or context. | ¶46 (1.3) | col. 2:14-22 |
| determining, by the security driver, based on the obtained policy and the identifier... whether the user... is permitted or denied access... | The system evaluates the user identifier against the obtained policy to determine if the user is permitted or denied access to a portion of data. | ¶46 (1.4) | col. 2:23-29 |
| determining, by the security driver, based on the obtained policy and the database request, whether the database request indicates access pertaining to the portion of data... | The system parses the incoming database request to determine if it targets data governed by a policy and if the user is entitled to access it. | ¶46 (1.5) | col. 2:30-35 |
| in response to determining that the user... is denied access... modifying, by the security driver, the database request to deny access to the portion of data while permitting access to the other portions of data... | The system modifies the database request before execution by removing protected columns, appending filtering conditions, or transforming the query to exclude access to the restricted portion while allowing access to permissible portions. | ¶46 (1.6) | col. 2:36-42 |
- Identified Points of Contention:
- Scope Questions: A central point of contention may be the construction of "user agent string." While the term has a specific technical meaning in other contexts (e.g., HTTP), the patent specification refers more broadly to "application-level user information delimited in the request" (’466 Patent, Abstract). The case may turn on whether the "identifying values" and "user attributes" alleged to be used by Immuta (Compl. ¶46 (1.2)) fall within the scope of this claim term.
- Technical Questions: Claim 1.6 recites "modifying... the database request." However, sub-part 1.6(c) includes "modification of data returned by the database arrangement" as a way to satisfy this limitation. This raises the question of whether modifying the result of a query can, as a matter of claim construction, satisfy a limitation directed at modifying the request itself. The complaint's evidence, such as the "Immuta SQL Access Pattern" diagram, shows the "original query is rewritten based on the policy decision" (step 4) and separately that "Results are streamed back" (step 6), suggesting these are distinct technical steps that may be analyzed differently under the claim language (Compl. ¶46, p. 23).
V. Key Claim Terms for Construction
'330 Patent
- The Term: "security driver"
- Context and Importance: This term defines the core architectural component of the invention. The complaint alleges that Immuta’s "Query Engine," which acts as a proxy, is a "security driver" (Compl. ¶35 (1.1)). Practitioners may focus on this term because its construction will determine whether the patent's scope is limited to the specific in-client architecture shown in the patent figures or if it can also cover proxy-based systems.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes the term functionally as a component that "interfaces between the application 28 and the database driver 32" and is "transparent to the application 28" (’330 Patent, col. 9:34-44). This functional language may support a construction not limited by physical location.
- Evidence for a Narrower Interpretation: Figure 1 of the patent explicitly depicts the "security driver 30" as a component located within the "client computing device 12" and "wrapping" the "db driver 32" (’330 Patent, Fig. 1). This specific embodiment could be used to argue for a narrower construction tied to an in-process or on-device implementation.
'466 Patent
- The Term: "user agent string"
- Context and Importance: This term is the mechanism for conveying the identity of the application-level user. The complaint alleges Immuta's use of "user attributes" and "identifying values" meets this limitation (Compl. ¶46 (1.2)). The construction of this term is critical to determining whether Immuta's method for user identification infringes.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent’s abstract describes the driver reading "application-level user information delimited in the request," suggesting "user agent string" is an example of this broader concept. The summary of the invention likewise refers more broadly to detecting "at least one identifier indicative of a user of the application" (’466 Patent, col. 2:11-12).
- Evidence for a Narrower Interpretation: A party could argue the term should be given its ordinary technical meaning from other fields (e.g., a specific string format in HTTP headers). However, the specification does not appear to impose such a limitation, instead describing it as being "appended to the database request" (’466 Patent, col. 2:10-11), which suggests it is part of the query payload itself.
VI. Other Allegations
- Indirect Infringement: The complaint alleges both induced and contributory infringement for all three patents. Inducement is based on allegations that Immuta provides its customers with instructions, documentation, demonstrations, and customer support that encourage use of the Immuta Platform in an infringing manner (Compl. ¶¶ 36, 47, 58). Contributory infringement is based on the allegation that the Immuta Platform is a material part of the invention, is not a staple article of commerce, and is especially made for infringing use (Compl. ¶¶ 37, 48, 59).
- Willful Infringement: The complaint alleges pre-suit knowledge as a basis for willfulness. The primary factual basis is direct communication from Immuta’s CEO to ALTR’s CEO via LinkedIn to "attempt to acquire ALTR itself and its intellectual property" (Compl. ¶20). The complaint includes an exhibit with a message where Immuta’s CEO allegedly states, "My team really likes the way you have built thresholds" (Compl. ¶20). Further bases for knowledge include the parties’ status as direct competitors in a small market and ALTR's public patent marking website (Compl. ¶¶ 26, 27).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural equivalence: can the claimed "security driver," which is primarily depicted in the '330 patent specification as a component co-located with a client application, be construed to cover the accused "Immuta Query Engine," which is described as a proxy-based system that sits between clients and databases?
- A second central question will be one of definitional scope: for the '466 patent, can the term "user agent string," which has specific meanings in other technical contexts, be construed broadly enough to read on the "user attributes" and other "identifying values" that the complaint alleges are used in the accused system to enforce user-based policies?
- A key legal and technical question for the '466 patent will be one of claim interpretation: does modifying the data returned from a database satisfy a claim limitation that explicitly requires "modifying... the database request"? The court's construction of this unusual claim structure will be critical to the infringement analysis.