Built for Compliance Consultants
Your Clients Have the Records. Can They Prove When?
Every compliance tool your clients use — Vanta, SharePoint, WORM storage — collects and organises their evidence. None of them can prove when that evidence was created. That question comes up in every enforcement action, every regulatory audit, every legal challenge. immut is the independent proof layer that answers it.
The Challenge
What Keeps Compliance Consultants Up at Night
IP protection challenges that compliance consultants face every day.
Compliance Tools Cannot Prove Contemporaneity
Vanta, Drata, and SharePoint let users set the date field on uploaded evidence. Every platform's terms and conditions explicitly disclaim responsibility for the accuracy of those dates. When a regulator or court asks 'when was this control operating?' your client's compliance platform cannot answer — it contractually pushes that question back to them.
Certification Does Not Equal Protection
Advanced Computer Software Group was ISO 27001 certified. The ICO fined them £3.07M anyway because they could not demonstrate their controls were operating at the time of the breach. Certification proves intent. immut proves execution — at the exact moment it happened.
Retrospective Documentation Is a Liability
When an incident triggers an audit, teams are tempted to create records that should have existed at the time. Forensically identical to original records, retrospective documentation is undetectable by most tools — until a court orders metadata analysis. immut makes contemporaneous records provably contemporaneous.
The Enforcement Landscape Is Escalating
HMRC is prosecuting accountancy firms criminally (Bennett Verby, 2025). The FDA pursued Ranbaxy for $500M over data integrity gaps. The ICO is issuing multi-million-pound fines against certified organisations. The question regulators and prosecutors now ask is not whether records exist, but whether they existed when claimed.
The Solution
How immut Fits Your Workflow
Blockchain-verified IP protection designed for how compliance consultants actually work.
Add Independent Proof Underneath Existing Tools
immut does not replace your clients' compliance platforms. It sits underneath them. The moment a document is created or approved, immut anchors its SHA-256 hash to the XRP Ledger with a precise timestamp. This creates independently verifiable proof — by a party that does not trust the organisation — that the document existed, unchanged, at that exact moment.
Court-Ready Certificates in Seconds
Each immut timestamp produces a certificate with cryptographic proof, blockchain transaction ID, and verification instructions. It is accepted as legal evidence in 88 countries and 171 jurisdictions. Your clients present it directly in audits and legal proceedings — no third-party verification required.
Prove Controls Were Operating, Not Just Planned
For ISO 27001 Annex A 8.15 (logging), Clause 7.5 (documented information integrity), HMRC's contemporaneous documentation requirement, FDA 21 CFR Part 11, and HSE audit expectations, regulators want evidence of when controls were implemented and operating. immut timestamps give you that proof by default.
Channel Revenue: Your Clients, Your Relationship
immut works as a channel product. You advise on the compliance framework; immut proves your clients executed it. Enterprise clients (£24K–£60K/year) can be introduced through your existing relationships. White-label and API options are available for firms building immut into their advisory stack.
Real-World Scenario
Scenario: ISO 27001 Surveillance Audit
A manufacturing firm receives notice of an unannounced HSE inspection following a near-miss incident. The inspector asks for evidence that the risk assessment was in place before the incident date. The firm's H&S consultant pulls up the immut certificate for the risk assessment document.
The certificate shows the SHA-256 hash of the risk assessment document was anchored to the XRP Ledger three weeks before the incident — timestamped to the second.
The hash is verified directly on the public blockchain by the HSE inspector using the certificate's verification link. No third party required, no chain of custody to dispute.
The inspector confirms the risk assessment predates the incident. The prosecution case for failure to manage risk in advance is closed.
The consultant updates the client's evidence management process: all future risk assessments and method statements are timestamped on creation as standard practice.
An HSE prosecution avoided. The evidence existed, and immut proved it existed when claimed. That is the question regulators now ask.
Benefits
Why Compliance Consultants Choose immut
Stronger Client Protection
Clients who use immut enter regulatory audits and legal challenges with evidence that is independently verifiable on a public blockchain. No party can allege retrospective creation.
Differentiated Advisory Offering
Most compliance consultants deliver frameworks and audits. Recommending immut adds a continuous evidence layer that your competitors do not offer — turning one-off engagements into ongoing relationships.
Works Alongside Every Platform
immut integrates with the tools your clients already use. It does not require them to change workflow — just to hash files as they create them. Compatible with Vanta, Drata, SharePoint, Google Drive, and any file-based workflow.
Private by Design
Files never leave the client's device. Only the hash is recorded on the blockchain. Confidential records, personal data, and commercially sensitive documents remain completely private. Public proof. Private work.
Evidence Outlives immut
Certificates are independently verifiable on the XRP Ledger indefinitely — even if immut ceases to exist. Your clients are never dependent on a third party remaining solvent.
Accepted in 88 Countries
Blockchain evidence is accepted under the UK Civil Evidence Act 1995, the EU eIDAS Regulation, the US Federal Rules of Evidence, and equivalent legislation across 88 countries. One timestamp, global recognition.
FAQ
Frequently Asked Questions
Does immut replace Vanta, Drata, or SharePoint?
No. immut is the independent proof layer that sits underneath your clients' existing compliance tools. Vanta and Drata collect and organise evidence. immut proves when that evidence was created. They are complementary — immut adds the one property compliance platforms cannot provide: independent verification of creation time.
What compliance standards does immut satisfy?
immut produces evidence that satisfies contemporaneity requirements in ISO 27001 (Annex A 8.15, Clause 7.5), ISO 9001, ISO 14001, ISO 45001, HMRC R&D tax (AIF/CCO), FDA 21 CFR Part 11 (ALCOA+), MHRA GxP, HSE Sentencing Framework, GDPR Article 5(2), SOC 2, and more. Any standard that requires dated, tamper-evident, independently verifiable records is supported.
Can regulators verify the evidence independently?
Yes. That is the core property. Every certificate includes a blockchain transaction ID that any party can verify on the public XRP Ledger. No need to contact immut, no need to trust the organisation — the mathematics of the blockchain provide independent verification. This is what regulators mean when they ask for 'independent assurance.'
Does my client's file leave their device?
No. immut generates a SHA-256 hash of the file locally. Only the hash is recorded on the blockchain. The original file never leaves the client's infrastructure. This is critical for confidential records, personal data under GDPR, and commercially sensitive materials.
Is blockchain evidence legally admissible?
Yes, in 88 countries and 171 jurisdictions: in the UK under the Civil Evidence Act 1995, across the EU under the eIDAS Regulation, in the US under the Federal Rules of Evidence, and in China (Supreme People's Court, 2018). immut certificates have been accepted in regulatory proceedings and commercial litigation.
How does immut handle evidence from multiple tools?
immut timestamps individual files, regardless of where they originate or are stored. A Vanta evidence export, a SharePoint document, a GxP batch record — each can be timestamped at the moment it is created or approved. The certificate proves that specific file, at that exact hash, existed at that exact time.
Prove your first file in minutes.
Takes seconds. Works on any file type. No installation required.