immut is the Evidence Trust Layer. It sits underneath your existing compliance tools and anchors every file to the XRP Ledger blockchain with a precise timestamp. This creates tamper-evident, independently verifiable proof that a document existed at a specific moment — court-admissible in 88 countries.

Is blockchain evidence accepted in court?

Yes. Blockchain-anchored evidence has been accepted as legal evidence in US Federal Court (US v. Sterlingov, 2024), the EUIPO across all 27 EU member states (AZ Factory v. Valeria Moda, 2025), China's Supreme People's Court (1,400+ IP cases since 2018), and under EU Regulation 2025/2531. immut certificates are accepted in 88 countries and 171 jurisdictions.

Does my file leave my device?

No. immut generates a SHA-256 hash of your file on your own device. Only the hash is recorded on the blockchain. Your original file never leaves your infrastructure. Public proof. Private work.

Does immut replace Vanta or Drata?

No. immut is the proof layer that sits underneath your existing compliance tools. Vanta and Drata collect your evidence. immut proves when that evidence existed. They complement each other — immut adds the independent timestamp your compliance platform cannot provide.

Which compliance standards does immut support?

immut produces records that satisfy evidence requirements in ISO 27001, ISO 9001, ISO 14001, ISO 45001, SOC 2, GDPR, HMRC R&D, HSE health and safety, KYC/AML, EU AI Act, HIPAA, and more. Any standard that requires dated, tamper-evident records is supported.

What happens if immut shuts down?

Every certificate already issued remains independently verifiable on the public XRP Ledger. The proof does not depend on immut existing. A regulator, a judge, or opposing counsel can verify your certificate on the public blockchain at any time, with or without immut.

Compliance evidence

The question isn't whether you have records. It's whether you can prove when they existed.

Eight compliance verticals. One question in every one of them. Regulators, auditors, and courts all apply a contemporaneity test that your file metadata cannot pass.

01

Contemporaneous

Evidence must have been created at the time the activity occurred, not retrospectively assembled from memory, invoices, or AI summaries.

02

Tamper-evident

Any modification to the record after creation must be detectable. File metadata, SharePoint version history, and cloud timestamps cannot satisfy this.

03

Independently verifiable

A regulator or court must be able to verify the record's integrity without taking your word for it, or the word of any party with an interest in the outcome.

Eight verticals

Where the contemporaneity test applies.

Select a vertical to see the statutory basis, the regulatory cases, and what immut provides for each.

ISO 27001 · 9001 · 45001

ISO management systems

ISO auditors now challenge evidence that cannot be dated independently. Annex A 8.15 requires tamper-evident logs. If your records cannot prove when they were created, the control fails.

£3.07M

Advanced Computer Software · ICO · 2025

HMRC AIF · CFA 2017 · IRC §41

R&D tax claims

HMRC requires contemporaneous evidence of qualifying activity — not retrospective narratives. Invoices satisfy Test 1. They do not satisfy Test 2. The first criminal prosecution of an R&D adviser landed in 2025.

Criminal prosecution

Bennett Verby Ltd · CFA 2017 · 2025

FDA 21 CFR Part 11 · ALCOA+ · EU GMP Annex 11

GxP data integrity

ALCOA+ requires records to be contemporaneous. FDA inspectors treat records that cannot prove their creation date as failing the standard — triggering warning letters, consent decrees, or import alerts.

$500M

Ranbaxy Laboratories · FDA/DOJ · 2013

HSE · ISO 45001 · CDM 2015

Health & safety

The HSE fines organisations not for lacking policies, but for lacking evidence that procedures were followed. No harm needs to have occurred. The evidential gap alone attracts a penalty.

£4M

National Grid Gas · HSE · 2016

GDPR Article 5(2) · Article 24 · NIS2

GDPR accountability

GDPR Article 5(2) requires controllers to demonstrate compliance — not assert it. Meta was fined €17M not because controls were absent, but because their operation could not be demonstrated.

€17M

Meta Platforms · Irish DPC · 2022

EU AI Act · Copyright law · Data provenance

AI training data provenance

The EU AI Act requires high-risk AI systems to maintain logs of training data provenance. Proving what data was used, and when, requires independently verifiable records that cannot be reconstructed retrospectively.

Up to €30M

EU AI Act · Chapter III · 2024

DTSA · Trade Secrets Directive · Know-how

Trade secrets & know-how

Proving a trade secret existed before an alleged misappropriation requires contemporaneous evidence. Courts apply the Ridgeway standard: you must show the information was a secret at the time it was taken.

Injunction + damages

DTSA · 18 U.S.C. §1836 · Federal

Prior use · Copyright · Derivation

IP creation & prior use

Proving prior creation in IP disputes, copyright registration, and derivation proceedings requires evidence that cannot be challenged as backdated. The question is not authorship — it is when.

IP rights lost

AZ Factory v. Valeria Moda · Paris · 2025

The common thread

Your compliance platform collects the evidence. It cannot prove when it was created.

Vanta, Drata, SharePoint, and every WORM storage provider contractually return the question of evidence integrity to you in their Terms of Service. They are the collection layer. immut is the proof layer.

A regulator asking “when did this control exist?” receives a blockchain-anchored answer that cannot be disputed. That is what your compliance platform cannot provide.

See the cases where the evidence gap cost everything

43 enforcement actions and court decisions, annotated by what evidence was missing and what it cost.

Evidence failure library →

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.