Compliance

The burden of proof has shifted.

Regulators no longer ask if you have a policy. They ask if you can prove the policy was in place, operating, and followed — at the time it needed to be. That is a different and much harder question.

The question every regulator now asks

"Can you prove this document existed, in this form, at this date — to a party that does not trust you?"

Every compliance framework now encodes this question. HMRC's AIF requires evidence of when R&D uncertainties were overcome. GDPR Article 5(2) requires you to demonstrate compliance. ISO 27001:2022 Annex A 8.15 requires logs that prove controls were operating. HIPAA's OCR has stated: "cannot produce = never existed."

Precedent

In every case, the document was the weak link.

Meta Platforms · Irish DPC · GDPR · €17M
Could not demonstrate security controls were operating at the time of 12 data breaches.

Boeing · US DOJ · AS9100 · $487M
Inspection records for Dreamliner components could not be proven to exist at the point of manufacture.

Advanced Computer Software · UK ICO · £3.07M
Could not demonstrate its vulnerability scanning tool had actually been used before a breach.

National Grid Gas · UK HSE · £4M
769 buildings where safety inspections could not be evidenced at the required intervals.

Frameworks

Five frameworks. One question. One answer.

ISO 27001:2022
Annex A 8.15 · Clause 7.5

Prove logs and controls were operating at the time of the event, not just declared at audit.

GDPR / NIS2
Article 5(2) · Article 21

Demonstrate controls were in place and operating at the time of the incident or data processing.

HMRC R&D
AIF · Finance Act 2000

Contemporaneous evidence that the work happened when the claim says it did.

HIPAA / FDA
45 CFR 164.312 · 21 CFR Part 11

Risk analyses and records existing at the time they were required — OCR: 'cannot produce = never existed.'

SEC Rule 17a-4
Independent third-party attestation

Immutable records with a designated third-party attestation — provider's word alone is not trusted.

The gap

Vanta, Drata and WORM storage push the "when" problem back to you.

Compliance platforms solve collection. They do not solve authenticity. Every major platform's MSA contains language equivalent to: "Customer, not Vanta, shall have sole responsibility for the accuracy, quality, integrity... of all Customer Data." When the auditor asks when a document was created, the platform's answer is: "the customer typed that date in."

Vanta

"Effective Date" field — set by the customer, editable after upload. The auditor cannot verify it.

Drata

"Creation date" — typed manually at upload, remains editable. Drata's answer when challenged: 'the customer entered it.'

Secureframe

"Activity Completion Date" per record. ToS: 'Customer is solely responsible for the accuracy, integrity...' of all evidence dates.

AWS S3 / Azure WORM

Object lock prevents your own users from deleting or altering records. It does not bind the provider's engineers, and it does not survive a lawful government order to the provider. Rule 17a-4 already anticipates this, which is why it requires independent third-party attestation rather than the storage provider's word.

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.
