immut is the Evidence Trust Layer. It sits underneath your existing compliance tools and anchors every file to the XRP Ledger blockchain with a precise timestamp. This creates tamper-evident, independently verifiable proof that a document existed at a specific moment — court-admissible in 88 countries.

Is blockchain evidence accepted in court?

Yes. Blockchain-anchored evidence has been accepted as legal evidence in US Federal Court (US v. Sterlingov, 2024), the EUIPO across all 27 EU member states (AZ Factory v. Valeria Moda, 2025), China's Supreme People's Court (1,400+ IP cases since 2018), and under EU Regulation 2025/2531. immut certificates are accepted in 88 countries and 171 jurisdictions.

Does my file leave my device?

No. immut generates a SHA-256 hash of your file on your own device. Only the hash is recorded on the blockchain. Your original file never leaves your infrastructure. Public proof. Private work.

Does immut replace Vanta or Drata?

No. immut is the proof layer that sits underneath your existing compliance tools. Vanta and Drata collect your evidence. immut proves when that evidence existed. They complement each other — immut adds the independent timestamp your compliance platform cannot provide.

Which compliance standards does immut support?

immut produces records that satisfy evidence requirements in ISO 27001, ISO 9001, ISO 14001, ISO 45001, SOC 2, GDPR, HMRC R&D, HSE health and safety, KYC/AML, EU AI Act, HIPAA, and more. Any standard that requires dated, tamper-evident records is supported.

What happens if immut shuts down?

Every certificate already issued remains independently verifiable on the public XRP Ledger. The proof does not depend on immut existing. A regulator, a judge, or opposing counsel can verify your certificate on the public blockchain at any time, with or without immut.

What does 21 CFR Part 11 require for audit trails?

21 CFR Part 11.10(b) requires computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. The word 'independently' is critical: the audit trail must be maintained by a mechanism that the operator cannot disable or alter. 11.10(e) adds that audit trails must use secure, computer-generated timestamps to independently record date and time.

What makes an audit trail 'independent' under 21 CFR Part 11?

FDA's guidance (2003 and 2018) makes clear that an independent audit trail cannot be modified by users with access to the records it records. An audit trail maintained in the same database as the records it audits, accessible to the same administrators who create records, is not independent. The trail must be secured against the same access control vulnerabilities it is designed to detect. Blockchain-anchored timestamps satisfy this requirement because the XRP Ledger is controlled by no single party.

What Part 11 violations has FDA cited most frequently?

The most frequently cited Part 11 violations are: (1) audit trails disabled or not retained — 11.10(b); (2) electronic records deletable or modifiable without audit trail entries — 11.10(c); (3) system access controls insufficient to prevent unauthorised modification — 11.10(d); (4) audit trail data accessible to users for modification — 11.10(e). In data integrity Warning Letters, FDA consistently finds that computerised systems lacked controls to prevent or detect unauthorised deletion or modification of electronic records.

Does immut replace a validated 21 CFR Part 11-compliant system?

No. immut adds the independent proof layer that most Part 11-compliant systems cannot self-certify: independently verifiable creation timestamps. A validated LIMS or EBR satisfies the access control and audit trail management requirements of Part 11. immut adds blockchain-anchored proof that specific records existed at specific times, independently of the regulated organisation's systems. The two are complementary: the validated system manages records, immut proves when they existed.

FDA electronic records

What does 21 CFR Part 11 require for electronic records and audit trails?

21 CFR Part 11 requires that FDA-regulated electronic records be trustworthy, reliable, and protected from alteration — with independent, computer-generated, time-stamped audit trails that record every creation, modification, and deletion. The word independently in §11.10(b) is the requirement most systems fail: an audit trail maintained by the same organisation in the same database as the records it monitors is self-attesting, not independent.

immut creates the independent proof layer: a SHA-256 hash of each record anchored to the public XRP Ledger, controlled by no single party. An FDA inspector verifies the timestamp directly on the public blockchain — no trust in immut or the regulated organisation required.

Key 21 CFR Part 11 requirements and where existing systems fall short

11.10(a)

System validation

“Validated systems appropriate for their intended use, including the ability to discern invalid or altered records.”

Common gap: Validation confirms system function at the time of validation. It does not prove records created after validation are unaltered.

11.10(b)

Independent audit trail

“Computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records.”

Common gap: Most LIMS and EBR systems maintain audit trails in the same database as records — accessible to the same administrators. The trail is self-referential, not independent.

11.10(c)

Record protection

“Adequate protection of records to enable their accurate and ready retrieval throughout the records retention period.”

Common gap: Centralised systems can be modified by privileged users, backup restoration can overwrite records, and system migrations can introduce gaps in record integrity.

11.10(d)

System access controls

“Limiting system access to authorised individuals.”

Common gap: Access controls prevent most users from modifying records — but not privileged administrators, IT staff, or users who obtain elevated credentials.

11.10(e)

Audit trail security

“Use of secure, computer-generated time stamps to independently record the date and time of operator entries. Audit trail documentation should be retained for the same period as the related records.”

Common gap: If the system clock can be altered, or if audit trail records are stored in a modifiable database, timestamps are not secure. An unbroken, cryptographic timestamp is required for genuine independence.

Why do most LIMS and EBR audit trails not satisfy Part 11's independence requirement?

The independence requirement in §11.10(b) means the audit trail mechanism must be controlled by a different party from the one creating records. A LIMS audit trail stored in the same Oracle database as the records, accessible to the same DBA who manages the system, is self-referential. FDA investigators in data integrity inspections consistently find that a determined administrator with database access can modify both records and their audit trail. The FDA's 2018 data integrity guidance acknowledges this: computerised systems must have audit trails that are stored in a way that prevents users from modifying them. Most on-premises ERP and LIMS systems do not meet this standard without additional controls.

What evidence does an FDA inspector expect during a data integrity inspection?

FDA inspectors use the "data integrity investigational approach" (CDER/CBER, 2019): (1) review of the computerised system validation status and access controls; (2) comparison of printed batch records against raw electronic data to identify discrepancies; (3) analysis of audit trails for deleted, modified, or duplicate entries; (4) interviews with analysts about practices around data retention and system use; (5) IT forensics on shared network drives and instrument computers. Inspectors look specifically for "audit trail review" — whether the regulated facility reviews audit trails as part of batch record review. Many Warning Letters cite failure to include audit trail review in quality oversight procedures.

How does immut complement a validated 21 CFR Part 11 system?

A validated Part 11 system handles access controls, user authentication, and internal record integrity. immut adds the one property the validated system cannot self-certify: independently verifiable proof that a specific record existed, unchanged, at a specific time. When you run immut at the point of each critical GxP activity (batch record completion, out-of-specification investigation, stability protocol approval), you create a blockchain-anchored timestamp that FDA inspectors can verify on the public XRP Ledger without trusting your system or your organisation. The Part 11 validation says the system is fit for purpose. immut proves the records it produced were contemporary with the events they record.

What happens when 21 CFR Part 11 audit trail requirements are violated?

Import Alert

Zydus Pharmaceuticals — FDA Warning Letter, 2023

FDA found that audit trails had been disabled on manufacturing systems. Data had been deleted and re-entered. The Warning Letter finding: “Your firm failed to exercise appropriate controls over computerised systems to assure that only authorised personnel institute changes.” The inability to demonstrate audit trail integrity under §11.10(b) resulted in an import alert on all affected products.

Related GxP evidence resources

GxP Data Integrity — full guide

8 regulatory frameworks, 4 enforcement cases, how immut works.

ALCOA+ data integrity

What the Contemporaneous criterion requires and how to prove it.

MHRA data integrity inspections

What MHRA inspectors check and how to prepare.

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.