DCT

1:25-cv-01586

Altr Solutions Inc v. Immuta Inc

Log In
Key Events
Amended Complaint
complaint Intelligence

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-01586, D. Del., 03/30/2026
  • Venue Allegations: Venue is alleged to be proper in the District of Delaware because the Defendant, Immuta Inc., is a Delaware corporation and therefore resides in the district.
  • Core Dispute: Plaintiff alleges that Defendant's data security and governance platform infringes four U.S. patents related to secure data storage, access control, and policy enforcement.
  • Technical Context: The technology at issue is in the field of data governance platforms, which are designed to manage and secure access to sensitive data across complex enterprise environments, including cloud and on-premises databases.
  • Key Procedural History: The complaint alleges that Defendant had pre-suit knowledge of the asserted patents and underlying technology, based in part on a March 2025 acquisition inquiry from Defendant's CEO to Plaintiff's CEO, which purportedly demonstrated a detailed review of Plaintiff's solutions.

Case Timeline

Date Event
2014-09-08 Defendant Immuta Inc. incorporated
2015-06-02 Earliest priority date for '330, '820, and '878 Patents
2020-01-07 Earliest priority date for '466 Patent
2021-10-05 U.S. Patent No. 11,138,330 issues
2022-05-31 U.S. Patent No. 11,347,878 issues
2025-03-22 Alleged communication from Immuta CEO to ALTR CEO regarding potential acquisition
2025-04-22 U.S. Patent No. 12,282,466 issues
2025-11-18 U.S. Patent No. 12,476,820 issues
2026-03-30 Complaint filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 11,138,330 - FRAGMENTING DATA FOR THE PURPOSES OF PERSISTENT STORAGE ACROSS MULTIPLE IMMUTABLE DATA STRUCTURES

  • Patent Identification: U.S. Patent No. 11,138,330, titled "FRAGMENTING DATA FOR THE PURPOSES OF PERSISTENT STORAGE ACROSS MULTIPLE IMMUTABLE DATA STRUCTURES," issued on October 5, 2021.

The Invention Explained

  • Problem Addressed: The patent's background describes the problem of data security in traditional datastores, which are vulnerable to modification or exfiltration by attackers, including credentialed insiders like rogue employees ʼ330 Patent, col. 1:57-64
  • The Patented Solution: The invention proposes a system where a security driver intercepts data requests directed to a database ʼ330 Patent, col. 9:35-51 It classifies data into "higher-security" and "lower-security" categories ʼ330 Patent, col. 10:208 The higher-security data is segmented and stored across multiple, separate, immutable data structures (e.g., blockchains), while the original database stores only the lower-security data along with pointers to the fragmented data segments ʼ330 Patent, abstract ʼ330 Patent, col. 2:5-38 This architecture, illustrated in Figure 1, is designed to prevent reconstruction of sensitive data from a single point of compromise.
  • Technical Importance: This method aims to enhance data security by decentralizing the storage of sensitive information, thereby eliminating a single point of failure and making unauthorized data reconstruction computationally difficult.

Key Claims at a Glance

  • The complaint asserts at least independent Claim 1 Compl. ¶36
  • The essential elements of Claim 1, a tangible non-transitory machine-readable medium, include instructions for:
    • Obtaining a security driver configured to interface with a database driver.
    • Registering the security driver to receive database requests.
    • Receiving the database requests.
    • Obtaining a policy for controlling data access.
    • Modifying a read request by identifying a subset of data based on the policy, changing values in that subset, and generating a modified subset.
    • Returning a response to the application that includes the modified subset of data in place of the original subset.

U.S. Patent No. 12,282,466 - COMMUNICATING FINE-GRAINED APPLICATION DATABASE ACCESS TO A THIRD PARTY AGENT

  • Patent Identification: U.S. Patent No. 12,282,466, titled "COMMUNICATING FINE-GRAINED APPLICATION DATABASE ACCESS TO A THIRD PARTY AGENT," issued on April 22, 2025.

The Invention Explained

  • Problem Addressed: The patent addresses the challenge of enforcing fine-grained, user-specific access policies in database systems where multiple application users may access the database through a single, shared database account, making granular control and auditing difficult ʼ466 Patent, col. 56:25-31
  • The Patented Solution: The invention describes a driver that intercepts database requests from an application ʼ466 Patent, col. 62:45-48 The driver detects a value in the request indicative of the specific application user ʼ466 Patent, claim 1 Based on this user-indicative value and a set of permissions, the driver determines whether the user is requesting access to restricted information and modifies the data response accordingly, such as by masking or redacting certain data before returning it to the application ʼ466 Patent, abstract ʼ466 Patent, claim 1
  • Technical Importance: This approach allows for the implementation of application-level user permissions and security policies without requiring modification of the underlying database or the application itself.

Key Claims at a Glance

  • The complaint asserts at least independent Claims 1 and 18 Compl. ¶47
  • The essential elements of Claim 1, a tangible non-transitory machine-readable medium, include instructions for a driver to perform operations comprising:
    • Obtaining a database request from a client application.
    • Detecting a value indicative of the user.
    • Obtaining a policy with permissions for users or devices.
    • Determining if the user is requesting access to restricted information.
    • Obtaining the records implicated by the request.
    • Identifying the restricted portion of the information.
    • Modifying the restricted portion while leaving the unrestricted portion intact.
    • Providing the modified response to the application.
  • The essential elements of Claim 18, a method of application-level user permissioning, include:
    • Obtaining a database request from an application.
    • Detecting a value indicative of the user.
    • Obtaining policy information conveying permissions.
    • Determining if the user is requesting access to a restricted portion of information.
    • Conveying requests to the database to obtain the records.
    • Identifying the restricted portion of the obtained information.
    • Modifying the restricted portion.
    • Providing a modified response that includes the unrestricted information.

U.S. Patent No. 12,476,820 - USING A TREE STRUCTURE TO SEGMENT AND DISTRIBUTE RECORDS ACROSS ONE OR MORE DECENTRALIZED, ACYCLIC GRAPHS OF CRYPTOGRAPHIC HASH POINTERS

  • Patent Identification: U.S. Patent No. 12,476,820, titled "USING A TREE STRUCTURE TO SEGMENT AND DISTRIBUTE RECORDS ACROSS ONE OR MORE DECENTRALIZED, ACYCLIC GRAPHS OF CRYPTOGRAPHIC HASH POINTERS," issued November 18, 2025.
  • Technology Synopsis: The patent describes a system for securing data by segmenting records and distributing them across decentralized, cryptographically-linked data structures. The invention also details a method for monitoring database activity by receiving read requests associated with a user, accessing logs of prior requests, and determining whether to obfuscate data based on an access policy. Further, it claims monitoring the number and duration of read requests against predefined thresholds to identify anomalous behavior.
  • Asserted Claims: At least independent claims 1, 17, 19, and 35 Compl. ¶58
  • Accused Features: The complaint alleges that the Immuta Platform's functions for monitoring user queries, applying access policies to obfuscate data, and evaluating user activity against configured thresholds for metrics like query count and duration infringe the patent Compl. ¶¶47-60

U.S. Patent No. 11,347,878 - REPLACING DISTINCT DATA IN A RELATIONAL DATABASE WITH A DISTINCT REFERENCE TO THAT DATA AND DISTINCT DE-REFERENCING OF DATABASE DATA

  • Patent Identification: U.S. Patent No. 11,347,878, titled "REPLACING DISTINCT DATA IN A RELATIONAL DATABASE WITH A DISTINCT REFERENCE TO THAT DATA AND DISTINCT DE-REFERENCING OF DATABASE DATA," issued May 31, 2022.
  • Technology Synopsis: The technology involves replacing plain-text values in a "lower-trust" database with a distinct reference, or pointer. The original plain-text data is stored in a separate, "higher-trust" database. When an application queries the data, the system transparently de-references the pointer to retrieve the plain-text value from the higher-trust store, thereby securing the sensitive data while maintaining functionality for the application.
  • Asserted Claims: At least claims 52-53 and 69-70, which depend from independent claims 44 and 61 Compl. ¶69
  • Accused Features: The complaint alleges that the Immuta Platform's policy enforcement engine, which selects fields for which plain-text values should be replaced with non-revealing placeholder values (e.g., masked or hashed data) based on user-specific policies, infringes the patent Compl. ¶¶64-83

III. The Accused Instrumentality

Product Identification

  • The accused instrumentality is the "Immuta Platform," also referred to as the "Immuta System" Compl. ¶16

Functionality and Market Context

  • The Immuta Platform is a data security and governance platform that provides centralized control over access to sensitive data Compl. ¶17 A core component is the "Immuta System Query Engine," which acts as a proxy between client applications and backend databases Compl. ¶18 This engine intercepts and modifies database responses according to pre-defined data governance policies, enabling functionalities such as data masking, row-level filtering, and auditing Compl. ¶¶18, 10-18 The complaint provides a product architecture diagram from Immuta's website illustrating these components, including a "Policy/Entitlements Engine" and "Data Access Governance" module Compl. p. 11 The platform is offered in both a cloud-based SaaS and a customer-managed software deployment model Compl. ¶18 The complaint alleges that Immuta is a direct competitor to ALTR and has achieved significant market traction, evidenced by substantial venture capital funding Compl. ¶¶19, 27

IV. Analysis of Infringement Allegations

11,138,330 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
obtaining a security driver configured to interface with a database driver and applications compatible with the database driver The Immuta System includes the Immuta Query Engine, which functions as a proxy between client applications and backend data sources. ¶36 (1.1) col. 9:35-37
registering the security driver to receive database requests in the schema of the API from an application compatible with the database driver A user authenticates to the Immuta Query Engine, which establishes a connection session. This authentication step registers the Query Engine to receive subsequent database requests from the user's application. ¶36 (1.2) col. 10:202
receiving the database requests in the schema of the API from the application, at least some of the database requests being passed to the database driver in the schema of the API The Immuta System receives database requests (e.g., SQL queries) via its PostgreSQL-compatible API. The Query Engine processes these requests and forwards rewritten queries to the underlying database via a database driver. ¶36 (1.3) col. 9:45-51
obtaining a policy by which access to at least some data within the database is controlled Upon receiving a query, the Immuta System contacts its policy service to determine the applicable policy decision, such as which rows to filter or columns to mask, based on user identity and attributes. ¶36 (1.4) col. 10:206
modifying, in association with a received read request... a subset of data associated with the records responsive to applying the policy... The Immuta Query Engine rewrites the SQL query or transforms the results based on the obtained policy. This includes identifying a subset of data (e.g., a column) and changing its values (e.g., masking) to generate a modified result. ¶36 (1.5) col. 10:216-218
returning, to the application, responsive to the read request, a response including the modified subset of data in place of the subset of data within the records The Immuta System returns the modified query results to the requesting application through the same SQL interface. The returned data includes the modified (e.g., masked) values in place of the original sensitive data. ¶36 (1.6) col. 10:218-220
  • Identified Points of Contention:
    • Scope Questions: A primary point of contention may be whether the accused "Immuta Query Engine," which is described as a proxy, meets the claim limitation of a "security driver configured to interface with a database driver." The patent's specification and figures appear to depict the security driver as a client-side component that wraps a local database driver ʼ330 Patent, FIG. 1, raising the question of whether a proxy-based architecture falls within the claim's scope.
    • Technical Questions: The analysis may focus on whether the Immuta System's act of rewriting a query and transforming result sets functionally meets the claim limitation of "changing values in the subset of data to generate a modified subset of data." The complaint presents a "SQL Access Pattern" diagram where the original query is rewritten, which may support Plaintiff's theory Compl. p. 14

12,282,466 Patent Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
obtaining, by a driver of a client executing an application, a database request generated by the application executing on the client The Immuta Query Engine acts as the driver for client applications, providing an in-line SQL interface through which the client's database tool submits a query. ¶47 (1.1) col. 62:45-48
detecting, by the driver, at least one value indicative of a user of the application or the client executing the application that generated the database request The Query Engine detects a user-indicative value by requiring user-specific SQL credentials for authentication. Immuta's documentation shows the creation of an "Immuta user SQL account" for this purpose Compl. p. 23 ¶47 (1.2) col. 2:5-7
obtaining, by the driver, policy information conveying permissions to access information... for some users or some client devices The Query Engine obtains policy information from the Immuta policy service at runtime, which governs what data the specific requesting user is allowed to see based on their identity and attributes. ¶47 (1.3) col. 62:10-15
determining, by the driver, based on the permissions and the detected value, whether the user... is requesting access to a portion of restricted information The Query Engine applies the obtained policy to the user's identity and the objects implicated by the query to determine if the request involves restricted data, such as by comparing user metadata with data values at query time for row-level policies. ¶47 (1.4) col. 62:16-23
obtaining, by the driver, information of records... by conveying one or more requests for the information to the database arrangement The Query Engine acts as the in-line SQL endpoint and uses its configured connection to the backing database to fetch the responsive data implicated by the client's query. ¶47 (1.5) col. 10:5-13
identifying, by the driver, based on the permissions, the portion of restricted information from the one or more records... The Query Engine identifies the restricted portion of the data by applying active policies, such as masking policies that "hide values in data," to the retrieved record set. ¶47 (1.6) col. 62:30-41
modifying, by the driver, the portion of restricted information... without modifying at least some other portion of the obtained information The Query Engine selectively transforms only the restricted values by applying masking or redaction, leaving unrestricted portions of the data intact. ¶47 (1.7) col. 62:30-41
providing, by the driver, to the application... a database response including the at least some other portion of the obtained information The Query Engine returns the modified database response, which includes the unrestricted data alongside the modified (e.g., masked) restricted data, to the client application over the same SQL connection. ¶47 (1.8) col. 62:42-48
  • Identified Points of Contention:
    • Scope Questions: As with the ʼ330 Patent, a central question will be whether Immuta's "Query Engine" constitutes a "driver" as that term is used in the patent. The patent specification's reliance on figures showing a client-side component suggests a potential dispute over whether a proxy architecture is equivalent ʼ466 Patent, FIG. 1
    • Technical Questions: The mechanism for "detecting... a value indicative of a user" will be a key factual issue. The complaint alleges this is done via SQL credentials and user attributes, which are then used to enforce policies Compl. pp. 23-24 The evidence required to demonstrate that this process performs the specific function claimed will be central to the infringement analysis.

V. Key Claim Terms for Construction

From U.S. Patent No. 11,138,330

  • The Term: "security driver"
  • Context and Importance: This term appears in the preamble and first element of independent Claim 1. The infringement analysis will likely turn on whether Immuta's proxy-based "Query Engine" can be considered a "security driver." Practitioners may focus on this term because the patent's primary embodiment (FIG. 1) depicts a client-side component, whereas the accused product operates as an intermediary proxy, raising a question of architectural difference.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claims do not explicitly restrict the location of the "security driver". The specification describes its function as "interfac[ing] between the application 28 and the database driver 32" ʼ330 Patent, col. 9:35-37, a role that a proxy could arguably fulfill.
    • Evidence for a Narrower Interpretation: The detailed description of Figure 1, the sole architectural diagram, places the "security driver 30" within the "client computing device 12" and describes it as a component that "wraps an application program interface of the database driver 32" ʼ330 Patent, col. 9:42-44 This language may support a narrower construction limited to a client-side software wrapper.

From U.S. Patent No. 12,282,466

  • The Term: "driver"
  • Context and Importance: This term is central to independent claims 1 and 18, which claim operations performed "by a driver." The case may depend on whether the accused Immuta Query Engine, a network proxy, qualifies as the claimed "driver". The patent family's consistent depiction of a client-side component suggests this will be a contested issue.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claim language itself does not specify the location or architecture of the "driver", referring to it functionally as a component that "reads incoming database requests" and "obtains policy" ʼ466 Patent, abstract This functional description could arguably encompass a proxy.
    • Evidence for a Narrower Interpretation: The patent incorporates by reference and includes the same architectural figure (FIG. 1) as the '330 patent, which illustrates the "security driver" as a component residing on the "client computing device" ʼ466 Patent, FIG. 1 '466 Patent, col. 13:28-30 This consistent depiction across the patent family may be used to argue for a narrower, client-side construction.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges both induced and contributory infringement. Inducement is based on allegations that Immuta provides customers with instructions, documentation, and customer support that encourage use of the Immuta Platform in an infringing manner Compl. ¶37 Compl. ¶48 Contributory infringement is alleged on the basis that the Immuta Platform's components are not staple articles of commerce and are especially adapted for use in an infringing manner Compl. ¶38 Compl. ¶49
  • Willful Infringement: The complaint alleges willful infringement based on purported pre-suit knowledge. The primary basis is a March 22, 2025 LinkedIn message from Immuta's CEO to ALTR's CEO proposing an acquisition and noting a "clear alignment" between the companies' technologies Compl. ¶21 The complaint asserts this communication demonstrates that Immuta had studied ALTR's technology. Willfulness is also alleged based on ALTR's public patent marking webpage, which Immuta's team allegedly had the opportunity to review Compl. ¶24

VII. Analyst's Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the term "driver", which the patent specifications and figures consistently depict as a software component residing on a "client computing device" and wrapping a local database driver, be construed to cover a network-based proxy "Query Engine" that sits between client applications and back-end data sources?
  • A key evidentiary question will be one of functional operation: does the accused platform's process of rewriting SQL queries and transforming result sets based on user identity constitute the specific sequence of "modifying... a subset of data" and "returning... a modified subset of data in place of the subset of data" as claimed in the '330 patent, or is there a fundamental technical difference in how the data is manipulated and returned?
  • A central question for willfulness and potential damages enhancement will be one of knowledge and intent: does the pre-suit LinkedIn communication from Immuta's CEO, which mentions a "clear alignment" in technology, provide sufficient evidence of knowledge of the specific patented inventions, or will it be characterized as a high-level business inquiry without specific technical admissions?