immut is the Evidence Trust Layer. It sits underneath your existing compliance tools and anchors every file to the XRP Ledger blockchain with a precise timestamp. This creates tamper-evident, independently verifiable proof that a document existed at a specific moment — court-admissible in 88 countries.

Is blockchain evidence accepted in court?

Yes. Blockchain-anchored evidence has been accepted as legal evidence in US Federal Court (US v. Sterlingov, 2024), the EUIPO across all 27 EU member states (AZ Factory v. Valeria Moda, 2025), China's Supreme People's Court (1,400+ IP cases since 2018), and under EU Regulation 2025/2531. immut certificates are accepted in 88 countries and 171 jurisdictions.

Does my file leave my device?

No. immut generates a SHA-256 hash of your file on your own device. Only the hash is recorded on the blockchain. Your original file never leaves your infrastructure. Public proof. Private work.

Does immut replace Vanta or Drata?

No. immut is the proof layer that sits underneath your existing compliance tools. Vanta and Drata collect your evidence. immut proves when that evidence existed. They complement each other — immut adds the independent timestamp your compliance platform cannot provide.

Which compliance standards does immut support?

immut produces records that satisfy evidence requirements in ISO 27001, ISO 9001, ISO 14001, ISO 45001, SOC 2, GDPR, HMRC R&D, HSE health and safety, KYC/AML, EU AI Act, HIPAA, and more. Any standard that requires dated, tamper-evident records is supported.

What happens if immut shuts down?

Every certificate already issued remains independently verifiable on the public XRP Ledger. The proof does not depend on immut existing. A regulator, a judge, or opposing counsel can verify your certificate on the public blockchain at any time, with or without immut.

What does MHRA's data integrity guidance require?

MHRA's 2021 GxP Data Integrity Definitions and Guidance requires records to meet ALCOA+ criteria: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available. MHRA is particularly focused on the Contemporaneous requirement: records must be created at the time the activity occurs. MHRA guidance states that contemporaneous means 'at the time of performance' and explicitly warns against records completed from memory or reconstructed from other sources.

What is MHRA's definition of 'original data'?

MHRA defines original data as 'the first-captured data or information — in any format — about an observation, or an activity which provides a source for transcription and/or copying.' The guidance adds that data transferred from one format to another, or recreated after system failure, must be demonstrably equivalent to the original. Where equivalence cannot be demonstrated through an independent, tamper-evident record, the data's integrity is in doubt.

How does MHRA treat audit trails that cannot be independently verified?

MHRA's guidance is explicit: data generated and stored by systems under the control of the regulated entity must have additional controls to ensure integrity. Systems where the regulated entity can modify both the data and the audit trail without detection do not satisfy data integrity requirements. MHRA inspection findings repeatedly cite 'self-referential audit trails' — systems where the same user who creates records can also modify the audit trail — as a critical data integrity risk.

Can immut help prepare for an MHRA data integrity inspection?

Yes. immut provides the independent proof layer that satisfies MHRA's independence requirement. For each critical record, immut anchors the SHA-256 hash to the XRP Ledger blockchain. The timestamp is recorded by the public blockchain — controlled by no party, independently verifiable by any inspector. An MHRA inspector can verify directly on the public ledger that a specific record existed, unchanged, at a specific time. This is the Contemporaneous proof MHRA inspectors look for but most systems cannot independently provide.

UK GxP regulation

What does MHRA look for in a data integrity inspection, and how do you prepare?

MHRA's 2021 GxP Data Integrity guidance applies ALCOA+ to all pharmaceutical and life sciences records in the UK. MHRA inspectors focus on the Contemporaneous criterion: records must prove they were created at the time of the activity, not reconstructed afterward. In inspections, MHRA consistently finds that audit trails are disabled, not reviewed, or contain deleted entries — and that organisations cannot demonstrate original data integrity independently of their own systems.

immut provides the independent proof layer MHRA requires: a blockchain-anchored timestamp that an inspector can verify on the public XRP Ledger, controlled by no party, without trusting the regulated organisation.

Six common MHRA data integrity inspection findings

These are the most frequently cited issues in MHRA data integrity inspections and regulatory correspondence. Each finding maps to an ALCOA+ criterion failure.

Audit trail not enabled

Computerised systems configured with audit trails disabled — commonly cited as a 'performance optimisation' by IT teams. MHRA treats this as a fundamental data integrity control failure regardless of the business reason.

Audit trail not reviewed

Audit trails were enabled and retained but not reviewed as part of batch record review or quality oversight. MHRA requires that audit trail review be a defined activity in quality procedures, not an ad-hoc investigation tool.

Deleted and re-entered data

Analysts deleted out-of-specification results and re-ran tests, retaining only passing results. The audit trail showed deletions but the batch record presented for review did not reference them. Original data was not retained.

Shared login credentials

Multiple analysts using shared login accounts. Audit trail entries were not attributable to individual operators. The Attributable criterion in ALCOA+ was not satisfied.

System clock manipulation

System clocks set incorrectly or manipulated to backdate records. Without an independent external timestamp, there is no way to verify when a record was actually created.

Reconstruction from memory

Records completed after the end of shifts from analyst memory rather than at the point of each activity. MHRA's guidance specifically warns against this practice as it fails the Contemporaneous criterion.

What does MHRA mean by 'original data' and why does it matter for inspections?

MHRA defines original data as the first-captured observation in any format. Any subsequent transfer, transcription, or recreation must be demonstrably equivalent to the original. The word “demonstrably” is critical: MHRA does not accept an organisation's assurance that a transferred record is equivalent to the original. Equivalence must be shown through an independent, tamper-evident mechanism. Where a laboratory transfers instrument raw data to a LIMS — and the instrument data could have been altered before transfer — MHRA inspectors require evidence that the transfer was verified against the original at the time of capture.

How does immut address the MHRA system clock manipulation finding?

System clock manipulation is cited when a laboratory's instrument computers or LIMS have clocks set incorrectly — accidentally or deliberately — invalidating internal timestamps. immut's timestamps are not derived from any client device clock. The XRP Ledger network timestamp is set by consensus across thousands of independent validator nodes worldwide. No single organisation, including immut, can manipulate the network time. When immut anchors a record to the XRP Ledger, the timestamp is the consensus time of the global validator network — immune to single-party manipulation.

Can immut prove contemporaneity for records created in a validated computerised system?

Yes. The validated computerised system (LIMS, EBR, EDMS) proves the system is fit for purpose and that access controls are in place. immut proves that a specific record — exported or accessed at a specific point in time — existed with a specific hash at that moment. For MHRA inspection purposes, you present both: the validated system's internal audit trail (showing the record was created and modified in sequence), and the immut certificate (proving the final approved record existed, unchanged, at the claimed approval time). The combination addresses both the system integrity question and the contemporaneity question.

MHRA data integrity reference documents

MHRA (2021)

GxP Data Integrity Definitions and Guidance

The primary MHRA guidance document. Defines ALCOA+, data governance, computerised systems requirements, and inspector expectations.

EU GMP Annex 11

Computerised Systems

Applies across EU GMP regulated activities. Clause 9 covers audit trail requirements. Applicable in UK under MHRA's current GMP framework.

ICH Q10

Pharmaceutical Quality System

Requires management of knowledge throughout the product lifecycle, including temporal sequence of knowledge creation.

Related GxP evidence resources

GxP Data Integrity — full guide

8 regulatory frameworks, 4 enforcement cases, how immut works.

ALCOA+ data integrity

What the Contemporaneous criterion requires and how to prove it.

21 CFR Part 11 requirements

FDA electronic records compliance and independent audit trail requirements.

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.