immut is the Evidence Trust Layer. It sits underneath your existing compliance tools and anchors every file to the XRP Ledger blockchain with a precise timestamp. This creates tamper-evident, independently verifiable proof that a document existed at a specific moment — court-admissible in 88 countries.

Is blockchain evidence accepted in court?

Yes. Blockchain-anchored evidence has been accepted as legal evidence in US Federal Court (US v. Sterlingov, 2024), the EUIPO across all 27 EU member states (AZ Factory v. Valeria Moda, 2025), China's Supreme People's Court (1,400+ IP cases since 2018), and under EU Regulation 2025/2531. immut certificates are accepted in 88 countries and 171 jurisdictions.

Does my file leave my device?

No. immut generates a SHA-256 hash of your file on your own device. Only the hash is recorded on the blockchain. Your original file never leaves your infrastructure. Public proof. Private work.

Does immut replace Vanta or Drata?

No. immut is the proof layer that sits underneath your existing compliance tools. Vanta and Drata collect your evidence. immut proves when that evidence existed. They complement each other — immut adds the independent timestamp your compliance platform cannot provide.

Which compliance standards does immut support?

immut produces records that satisfy evidence requirements in ISO 27001, ISO 9001, ISO 14001, ISO 45001, SOC 2, GDPR, HMRC R&D, HSE health and safety, KYC/AML, EU AI Act, HIPAA, and more. Any standard that requires dated, tamper-evident records is supported.

What happens if immut shuts down?

Every certificate already issued remains independently verifiable on the public XRP Ledger. The proof does not depend on immut existing. A regulator, a judge, or opposing counsel can verify your certificate on the public blockchain at any time, with or without immut.

What does ALCOA stand for in data integrity?

ALCOA stands for Attributable, Legible, Contemporaneous, Original, and Accurate. In GxP and pharmaceutical contexts, it is extended to ALCOA+ which adds Complete, Consistent, Enduring, and Available. These are the minimum data integrity criteria required by FDA, MHRA, and EMA for any GxP-regulated record.

What does Contemporaneous mean in ALCOA+?

Contemporaneous means a record must be created at the time the activity occurs — not reconstructed from memory, notebooks, or instrument printouts after the fact. FDA and MHRA inspectors treat records that cannot prove their creation date as failing the contemporaneity criterion. The record may be excluded from a regulatory submission or trigger a warning letter.

How does immut satisfy the ALCOA+ Contemporaneous requirement?

immut generates a SHA-256 hash of a document locally on the user's device and anchors it to the XRP Ledger blockchain with a cryptographic timestamp. This creates an independently verifiable record that proves the exact file existed at a specific moment. An FDA inspector or MHRA auditor can verify this directly on the public blockchain — no trust in immut or the regulated organisation is required.

Can ALCOA+ data integrity be proved with a LIMS or electronic batch record system?

Most LIMS and EBR systems generate internal timestamps, but internal timestamps are self-attesting — they are generated and stored by the same system that stores the record. FDA's position under 21 CFR Part 11 is that truly independent audit trails must be maintained by a system that cannot be manipulated by the same users who create records. Blockchain-anchored proof is independent because the XRP Ledger is public, immutable, and controlled by no single party.

What happens when ALCOA+ data integrity fails an FDA inspection?

FDA data integrity failures typically result in Warning Letters, Import Alerts, and consent decrees. Ranbaxy Laboratories paid $500M after FDA found broken documentation trails including incomplete batch records and records that could not be authenticated. The agency's finding was not that products were unsafe — it was that records could not independently verify GMP compliance. MHRA failures similarly result in suspension of manufacturing licences.

GxP data integrity

What is ALCOA data integrity and what does Contemporaneous actually require?

ALCOA stands for Attributable, Legible, Contemporaneous, Original, Accurate. Extended to ALCOA+ by FDA and MHRA, it is the minimum standard for all GxP-regulated records. The hardest criterion to satisfy is Contemporaneous: a record must prove it was created at the time the activity occurred, not reconstructed afterward. Most electronic record systems generate internal timestamps that are self-attesting — controlled by the same organisation that created the record. That is not independent proof.

FDA, MHRA, and EMA have cited ALCOA+ failures in hundreds of Warning Letters and inspection findings. In every case, the question is the same: can you prove this record was created when you say it was? immut provides the independent blockchain-anchored timestamp that makes the Contemporaneous criterion provable.

What does each ALCOA+ criterion require?

FDA guidance on data integrity (2018) and MHRA's GxP data integrity guide (2021) apply ALCOA+ to all computerised and paper records in regulated environments. Here is what each criterion demands:

Attributable

Who performed the action and when. Record must identify the originator.

Legible

Permanent, readable for the record's lifetime.

Contemporaneous

Created at the time the activity occurs — not reconstructed later.

immut proves this

Original

First-captured observation or certified true copy of it.

Accurate

Truthful record of what actually occurred.

Complete · Consistent · Enduring · Available

Extended criteria added by regulatory agencies.

Why can't existing LIMS or EBR systems prove Contemporaneity?

Internal system timestamps are self-attesting: generated and stored by the same system — controlled by the same organisation — that created the record. A LIMS administrator or IT team with appropriate access can alter system time, modify audit trail tables, or recreate records with backdated timestamps. FDA's 21 CFR Part 11.10(b) requires audit trails that independently record time. The word independently rules out systems where the generating organisation also controls the timestamp.

What is an independent, tamper-evident audit trail for ALCOA purposes?

An independent audit trail is one recorded by a system that the regulated organisation does not control and cannot alter. The XRP Ledger is a public, decentralised blockchain. No single entity — including immut — controls it. When immut anchors the SHA-256 hash of a record to the XRP Ledger, the timestamp is recorded by thousands of independent validator nodes simultaneously. The regulated organisation cannot retroactively alter the timestamp without changing the underlying record (which changes the hash, making the alteration immediately detectable).

How does immut prove the Contemporaneous criterion to an FDA or MHRA inspector?

Each immut certificate contains: (1) the SHA-256 hash of the original file, (2) the XRP Ledger transaction ID, (3) the ledger sequence number, (4) the UTC timestamp to the second. An inspector verifies the certificate by looking up the transaction ID on the public XRP Ledger. If the hash matches the file presented, and the timestamp predates the claimed event, the Contemporaneous criterion is satisfied. No trust in immut or the regulated organisation is required — the verification is mathematical and public.

Does immut replace our LIMS, EBR, or document management system?

No. immut sits underneath existing systems as the independent proof layer. Your LIMS or EBR manages and organises records. immut proves when those records existed. The two are complementary. immut adds the one property that electronic systems cannot self-certify: independent verification of creation time. It integrates with any file-based workflow — documents, reports, batch records, validation protocols — regardless of what system they originate in.

What has happened to organisations that failed ALCOA+ data integrity inspections?

$500M

Ranbaxy Laboratories — FDA/DOJ, 2013

FDA inspections found broken documentation trails: incomplete batch records, records that could not be authenticated. The agency's finding was not that products were unsafe — it was that records could not independently verify that GMP had been followed. The consent decree covered all 30+ manufacturing facilities. ALCOA+ failures resulted in $500M in penalties and import alerts.

Zydus Pharmaceuticals (2023), Sun Pharmaceutical (multiple years), and Bharat Serums (2022) faced similar enforcement actions — all rooted in audit trail integrity failures. See the full GxP enforcement case library.

How immut satisfies ALCOA+ in four steps

01

Hash on your device

The SHA-256 hash of your batch record, validation protocol, or audit log is computed locally. The original file never leaves your infrastructure. No data is transmitted to immut.

02

Anchored to public blockchain

The hash is recorded on the XRP Ledger with a cryptographic timestamp. The ledger is public and immutable — controlled by no single party. No administrator can alter the entry.

03

Certificate issued

immut issues a certificate containing the hash, XRPL transaction ID, ledger sequence number, and UTC timestamp. This is your ALCOA+ contemporaneous proof.

04

Independently verified by any inspector

An FDA or MHRA inspector verifies the certificate by looking up the transaction ID on the public blockchain. No contact with immut required. No chain of custody to dispute.

Related GxP evidence resources

GxP Data Integrity — full guide

8 regulatory frameworks, 4 enforcement cases, how immut works.

21 CFR Part 11 compliance requirements

What FDA requires for electronic records and audit trails.

MHRA data integrity inspections

What MHRA inspectors look for and how to prepare evidence.

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.