# The burden of proof has shifted Regulators no longer ask if you have a policy. They ask if you can prove the policy was in place, operating, and followed at the time it needed to be. That is a different and much harder question. immut is the compliance evidence layer that answers it: contemporaneous, tamper-evident, independently verifiable, court-ready records for ISO 27001, HMRC R&D, GxP, HSE and GDPR. ## What question does every regulator now ask? "Can you prove this document existed, in this form, at this date, to a party that does not trust you?" Every compliance framework now encodes this question. HMRC's AIF requires evidence of when R&D uncertainties were overcome. GDPR Article 5(2) requires you to demonstrate compliance. ISO 27001:2022 Annex A 8.15 requires logs that prove controls were operating. HIPAA's OCR has stated: "cannot produce = never existed." ## What happens when organisations cannot prove controls were operating? In every case, the document was the weak link. - Meta Platforms, Irish DPC (GDPR): €17M. Could not demonstrate security controls were operating at the time of 12 data breaches. - Boeing, US DOJ (AS9100): $487M. Inspection records for Dreamliner components could not be proven to exist at the point of manufacture. - Advanced Computer Software, UK ICO: £3.07M. Could not demonstrate its vulnerability scanning tool had actually been used before a breach. - National Grid Gas, UK HSE: £4M. 769 buildings where safety inspections could not be evidenced at the required intervals. ## Which frameworks require proof that controls were operating? Five frameworks. One question. One answer. - ISO 27001:2022 (Annex A 8.15, Clause 7.5): prove logs and controls were operating at the time of the event, not just declared at audit. - GDPR / NIS2 (Article 5(2), Article 21): demonstrate controls were in place and operating at the time of the incident or data processing. - HMRC R&D (AIF, Finance Act 2000): contemporaneous evidence that the work happened when the claim says it did. - HIPAA / FDA (45 CFR 164.312, 21 CFR Part 11): risk analyses and records existing at the time they were required. OCR: "cannot produce = never existed." - SEC Rule 17a-4 (independent third-party attestation): immutable records with a designated third-party attestation. Provider's word alone is not trusted. ## Why do Vanta, Drata and WORM storage not solve this? Compliance platforms solve collection. They do not solve authenticity. Every major platform's MSA contains language equivalent to: "Customer, not Vanta, shall have sole responsibility for the accuracy, quality, integrity... of all Customer Data." When the auditor asks when a document was created, the platform's answer is: "the customer typed that date in." Vanta, Drata and WORM storage push the "when" problem back to you. - Vanta: "Effective Date" field is set by the customer and editable after upload. The auditor cannot verify it. - Drata: "Creation date" is typed manually at upload and remains editable. Drata's answer when challenged: "the customer entered it." - Secureframe: "Activity Completion Date" per record. ToS: "Customer is solely responsible for the accuracy, integrity..." of all evidence dates. - AWS S3 / Azure WORM: prevents your users from deleting. Does not prevent provider engineers or lawful government orders. Rule 17a-4 already knows this, requiring independent third-party attestation. ## What properties does immut give a compliance record? immut is the proof layer for every compliance standard that requires you to demonstrate controls were operating. Each anchored record is: - Contemporaneous: the timestamp is created at the moment the evidence exists, not reconstructed later. - Tamper-evident: any change to the file after anchoring is detectable. - Independently verifiable: any party, including a regulator who does not trust the organisation, can verify the record on the public XRP Ledger. - Court-ready: certificates are accepted as legal evidence in 88 countries / 171 jurisdictions. ## Does immut replace compliance management tools like Vanta or Drata? No. immut is the proof layer underneath your existing compliance tools. Vanta and Drata collect and organise your evidence. immut proves when that evidence existed, a question they contractually disclaim responsibility for in their Terms of Service. They work together. ## What regulators accept immut compliance evidence? immut-anchored records satisfy evidence requirements demanded by the UK ICO (ISO 27001/GDPR), HMRC (R&D tax claims), the HSE (health and safety inspections), the FDA (21 CFR Part 11 / GxP data integrity), and courts across 88 countries / 171 jurisdictions. Any regulator that asks "can you prove this existed when you say it did?" is asking a question immut answers. ## Why can't we rely on file metadata for compliance evidence? File metadata (Word "created" dates, PDF properties, OS timestamps) can be altered in under 30 seconds with no special tools. A document whose timestamp can be silently changed cannot satisfy independence requirements. An XRP Ledger record is public, immutable and verifiable by any party, including a regulator who does not trust the organisation. ## Links - Live page: https://www.immut.io/compliance - Developer and agent docs: https://www.immut.io/docs - For AI agents: https://www.immut.io/ai-agents