immut is the Evidence Trust Layer. It sits underneath your existing compliance tools and anchors every file to the XRP Ledger blockchain with a precise timestamp. This creates tamper-evident, independently verifiable proof that a document existed at a specific moment, court-admissible in 88 countries.

Is blockchain evidence accepted in court?

Yes. Blockchain-anchored evidence has been accepted as legal evidence in US Federal Court (US v. Sterlingov, 2024), the EUIPO across all 27 EU member states (AZ Factory v. Valeria Moda, 2025), China's Supreme People's Court (1,400+ IP cases since 2018), and under EU Regulation 2025/2531. immut certificates are accepted in 88 countries and 171 jurisdictions.

Does my file leave my device?

No. immut generates a SHA-256 hash of your file and only that hash is recorded on the blockchain. Your original file is not stored by immut. Public proof. Private work.

Does immut replace Vanta or Drata?

No. immut is the proof layer that sits underneath your existing compliance tools. Vanta and Drata collect your evidence. immut proves when that evidence existed. They complement each other. immut adds the independent timestamp your compliance platform cannot provide.

Which compliance standards does immut support?

immut produces records that satisfy evidence requirements in ISO 27001, ISO 9001, ISO 14001, ISO 45001, SOC 2, GDPR, HMRC R&D, HSE health and safety, KYC/AML, EU AI Act, HIPAA, and more. Any standard that requires dated, tamper-evident records is supported.

What happens if immut shuts down?

Every certificate already issued remains independently verifiable on the public XRP Ledger. The proof does not depend on immut existing. A regulator, a judge, or opposing counsel can verify your certificate on the public blockchain at any time, with or without immut.

Health & Safety

HSE does not ask if the risk assessment existed. It asks what it covered, and when you wrote it.

A risk assessment written after an incident is forensically identical to one written before it. immut proves the difference.

Try immut for free

The problem

A risk assessment written after an incident is forensically identical to one written before it.

HSE investigators do not ask whether your risk assessment looks appropriate. They ask whether it existed before the incident happened. A method statement, permit to work, or COSHH assessment that cannot be proven to predate the harm it was designed to prevent is, in prosecution terms, no different from one written to explain it. The HSE Sentencing Guidelines allow unlimited fines for health and safety offences; prosecutions regularly turn on the single question of when a document was actually created.

£33M+

awarded in HSE fines in 2024/25 from 246 prosecutions, at a 96% conviction rate

Source: Health and Safety Executive Annual Report and Accounts 2024/25, published on GOV.UK.

Real consequences

Companies have already paid the price.

HSE

National Grid Gas plc

£4M2021

HSWA 1974 prosecution

Wm Morrison Supermarkets

£3.5M2023

HSE

BAM Nuttall Limited

£2.35M2024

See all cases with sources →

Use cases

Where immut earns its keep in health and safety.

Every one of these activities already happens in your safety, operations, and facilities teams. immut adds a layer of independently verifiable proof to each one.

Use casePotential impact

Current process

Conducting and recording risk assessments under MHSWR 1999 Regulation 3(1). Employers with five or more employees must record significant findings and review assessments when circumstances change.

How immut helps

immut hashes the risk assessment document on creation and anchors the hash to the XRP Ledger timestamp. If an incident occurs and the document is later queried, or if a revised version is produced after the incident, the original timestamp is independently verifiable on a public blockchain without involving immut. Inspectors and courts can see that the assessment predated the accident, not that it was produced to explain it.

Bottom line

Wm Morrison Supermarkets fined £3.5M after conviction for failing to carry out a suitable and sufficient risk assessment for a vulnerable employee under MHSWR 1999 Reg 3 (Cirencester Crown Court, March 2023). BAM Nuttall fined £2.345M after HSE found it failed to carry out any assessment of the risks involved (Leeds, June 2024).

Source: MHSWR 1999 Reg 3(1) (SI 1999/3242); HSE v BAM Nuttall (2024); R v Wm Morrison Supermarkets (2023).

Current process

Preparing Risk Assessment Method Statements (RAMS) and Construction Phase Plans under CDM 2015. The Construction Phase Plan must be suitably developed prior to commencement of construction.

How immut helps

immut timestamps the RAMS document when it is finalised and approved, before mobilisation. If a construction incident triggers investigation, the timestamp proves the method statement was in place before work started, not prepared retrospectively. Each subsequent revision is individually timestamped, showing the sequence of changes.

Bottom line

BAM Nuttall fined £2.345M after HSE found the firm failed to plan the work and carried out no risk assessment before a fatality at Knostrop Weir, Leeds (June 2024). Samworth Brothers fined £1.28M after no risk assessment or method existed for a loading bay procedure (November 2024).

Source: CDM 2015 (SI 2015/51) Reg 12; HSG65 Managing for Health and Safety; HSE v BAM Nuttall (2024).

Current process

Providing and recording health and safety training under MHSWR 1999 Regulation 13, particularly on first employment and on exposure to new or increased risk. Toolbox talk records and induction sign-off sheets are the evidence base.

How immut helps

immut timestamps the completed training record or toolbox talk attendance sheet at the point it is signed off. If an employee claims they were never briefed, or if a fatality prompts investigation into pre-task briefings, the blockchain timestamp shows exactly when each document was created, not when it was uploaded to a server after the fact.

Bottom line

Failure to demonstrate pre-task worker briefing is a standard element of HSE enforcement action. The HSE completed 246 criminal prosecutions in 2024/25 with a 96% conviction rate and over £33M awarded in fines.

Source: MHSWR 1999 Reg 13 (SI 1999/3242); HSE Annual Report and Accounts 2024/25 (GOV.UK).

Current process

Arranging and retaining thorough examination reports for lifting equipment under LOLER 1998, and periodic inspection records for work equipment under PUWER 1998, at defined intervals.

How immut helps

immut timestamps the thorough examination report on the day it is issued. After a lifting accident, investigators ask whether the last inspection record is genuine or backdated. An immut-timestamped report carries independent, court-ready proof of exactly when that document entered the world, without relying on the employer's own IT system timestamps, which are controllable.

Bottom line

National Grid Gas fined £4M after HSE investigation found records for 769 buildings were missing, meaning gas risers went uninspected for years (Liverpool Crown Court, February 2021). The prosecution turned solely on a records failure. No physical accident was the trigger.

Source: LOLER 1998 (SI 1998/2307) Reg 9; PUWER 1998 (SI 1998/2306) Reg 6; HSE v National Grid Gas plc (2021).

Current process

Issuing, authorising, and signing permits to work for hot work, confined space entry, electrical isolation, and high-risk maintenance tasks before the activity begins.

How immut helps

immut timestamps each stage of the permit: issue, authorisation signature, and cancellation. If a serious incident triggers prosecution and the PTW is disputed (was it signed before or after the incident?), the blockchain record is independently verifiable by any court without relying on the employer's document management system.

Bottom line

Tata Chemicals Europe fined £1.125M after HSE found the company failed to implement a robust permit-to-work system (Chester Crown Court, June 2024). A retrospectively completed permit to work is a criminal failure of the safe system of work, not a procedural irregularity.

Source: PUWER 1998 Reg 5 (safe system of work); HSE guidance on permit-to-work systems; HSE v Tata Chemicals Europe (2024).

Current process

Assessing health risks from hazardous substances before work begins, as required by COSHH Regulation 6, and reviewing assessments if circumstances change.

How immut helps

immut timestamps the COSHH assessment on creation and on each subsequent review. In an occupational disease or injury claim where causation and timing of exposure are contested, the timestamp provides independent proof that the assessment predated the worker's exposure period. This independent proof is not available from document management systems whose server logs are under employer control.

Bottom line

COSHH Regulation 19 provides for unlimited fines on indictment. Exposure without a suitable prior assessment is both a criminal and civil liability. The HSE completed 246 criminal prosecutions in 2024/25 with a 96% conviction rate and over £33M awarded in fines.

Source: COSHH Regulations 2002 (SI 2002/2677) Reg 6; HSE Annual Report and Accounts 2024/25 (GOV.UK).

Current process

Creating an internal incident report at the time of occurrence and filing a RIDDOR notification to HSE within the statutory window: without delay for fatalities, within 15 days for over-seven-day injuries.

How immut helps

immut timestamps the internal incident report at the moment it is first created. This provides independent proof of when the document entered existence, separate from any subsequent edits. If HSE investigates the timeliness of notification or the accuracy of the original incident record, the blockchain timestamp anchors the first version's creation to a specific point in time.

Bottom line

Failure to report under RIDDOR 2013 Regulation 14 carries up to two years' imprisonment and an unlimited fine. A gap between the internal incident record and the RIDDOR submission date is a standard line of HSE investigation.

Source: RIDDOR 2013 (SI 2013/1471) Regs 4, 5, 9, 14; HSE RIDDOR guidance (hse.gov.uk).

Current process

Pre-qualifying contractors and retaining competence assessments, pre-qualification questionnaires (PQQs), and induction records under CDM 2015 and PAS 91:2013, for the duration of the project and beyond.

How immut helps

immut timestamps the completed PQQ, competence certificate, or induction record at the point it is accepted. If a contractor-related incident triggers investigation and the client's competence records are queried (were they collected before or after engagement?), the blockchain timestamp answers the question without ambiguity.

Bottom line

CDM 2015 duty-holder prosecutions carry unlimited fines. Failure to take reasonable steps to ensure only competent contractors are appointed is a principal contractor and client duty under CDM 2015 Regulations 4 and 8.

Source: CDM 2015 (SI 2015/51) Regs 4, 8; PAS 91:2013.

How it works

Three steps. Seconds per file.

01

Hash the file.

immut generates a SHA-256 hash of your file on our servers. For sensitive workloads, dedicated servers are available so files stay inside infrastructure you control.

e.g. a risk assessment, method statement, or inspection report

02

Record on the public ledger.

The hash is committed to the XRP Ledger, a public blockchain, with a precise timestamp.

e.g. XRP Ledger, precise timestamp

03

Timestamped certificate.

immut returns a certificate of the record and its timestamp. Blockchain-anchored evidence of this kind has been accepted in courts across 88 countries and 171 jurisdictions.

e.g. anchored to the XRP Ledger, a public blockchain

Works with your whole stack

immut sits under the records your safety, operations, and facilities teams already produce, in any tool. Files stay where they live; immut writes the proof that anyone can verify.

Source systems

TeamsSlackSharePointDriveGmailNotionGitHubFigmaSalesforceDropboxVanta

The proof layer

immutHash · Anchor · Verify

Verifiers

CustomerCourt / JudgeRegulatorAuditorInvestorInsurer

See how immut meets HSWA 1974 →

The four properties

Proof that satisfies the four properties regulators and courts require.

01

Contemporaneous

Timestamped at the moment of creation.

02

Tamper-evident

Any change after creation is detectable by mathematics.

03

Independently verifiable

A regulator, auditor, or court can verify without trusting you or your vendor.

04

Court-ready

Blockchain-anchored timestamps of this kind have been accepted as legal evidence in 88 countries across 171 jurisdictions.

How immut meets the Health and Safety at Work Act 1974 →

Secondary benefit · IP

Prove it without publishing it.

Because only the hash is ever made public, proprietary H&S management methodologies, risk assessment frameworks, and training programme materials can be proven to exist on a given date without disclosing the underlying content. Public proof. Private work.

How immut protects health and safety IP →

FAQ

Common questions about immut in health and safety.

Where is the file hashed, and what is stored?+

Your file is hashed with SHA-256 on immut's servers, and only the hash is committed to the XRP Ledger. The hash is a fixed-length string that cannot be reversed to recover the file, so no site-specific details, no employee records, and no commercially sensitive information ever leaves your infrastructure. For sensitive workloads, immut offers dedicated servers so files stay inside infrastructure you control.

Is this accepted by HSE, courts, and coroners?+

Blockchain-anchored timestamps of the kind immut produces have been accepted as legal evidence in 88 countries across 171 jurisdictions. The contemporaneous, tamper-evident, and independently verifiable properties that HSE investigators and courts require are satisfied by construction, not by policy. For a detailed analysis of how immut supports Health and Safety at Work Act 1974 and HSE Sentencing Guideline obligations, see the health and safety evidence page.

How does this work alongside our existing health and safety management system?+

immut is an independent layer alongside your H&S management system. It is not a replacement for your procedures or document management. Your internal records are controlled by your own infrastructure. An HSE investigator, coroner, or opposing expert can question whether they were altered. immut's timestamp lives on a public blockchain that neither you nor your vendor nor immut itself can change. It adds the independent, court-ready verification that internal systems structurally cannot provide.

What happens to our proof if immut ceases to operate?+

Because the proof lives on the XRP Ledger, a public blockchain no single party controls, every certificate already issued remains independently verifiable by any court, HSE investigator, or coroner in the world. This continues indefinitely, without immut's continued existence.

Start

Start proving your records today.

Try immut for free

Only the hash is ever made public.