Software & SaaS

In an ICO investigation or ISO 27001 audit, you must prove not just what controls you had, but when they were operating.

A vulnerability patched before a breach and one patched after it are forensically identical. immut proves the difference.

The problem

Adequate controls and backdated controls are forensically identical.

ISO 27001:2022 Annex A 8.15 requires logs to record and protect evidence of events at the time they occur. Under UK GDPR Articles 5(2) and 24, controllers must be able to demonstrate that appropriate technical and organisational measures were in place and operating at the time of any personal data processing. If a breach occurs, the question the ICO asks is not whether you have security controls today: it is whether you can prove those controls were operating at the precise moment in question. File timestamps and change logs are controlled by the organisation's own infrastructure. Any administrator can alter them.

£21.7M
in ICO security-related fines in 2025 alone, eight times the total for 2024, as the ICO shifted from warnings to enforcement
Source: URM Consulting, analysis of ICO enforcement action, 2025.
Real consequences

Software companies have already paid the price.

ICO
Capita plc
£14MOctober 2025
ICO
Advanced Computer Software Group Ltd
£3.07MMarch 2025
ICO
Interserve Group Ltd
£4.4MOctober 2022
Use cases

Where immut earns its keep in software.

Every one of these activities already happens in your security, engineering, and compliance teams. immut adds a layer of independently verifiable proof to each one.

Use casePotential impact
Current process

Running vulnerability scans, penetration tests, and patch management cycles as required by ISO 27001:2022 Annex A 8.8 and your security policy.

How immut helps

Timestamp each vulnerability scan report and patch deployment record at the moment it is completed. When the ICO or a customer asks whether a known vulnerability was remediated before a breach occurred, the blockchain record proves the timeline independently of your internal systems, which are controlled by your own administrators.

Bottom line

Advanced Computer Software Group Ltd was fined £3.07M (ICO, March 2025) because it could not demonstrate that vulnerability scanning was deployed across all its systems. The ICO found gaps in MFA deployment and inadequate patch management. The company was a processor for the NHS. The question was not whether controls existed, but whether they were operating at the time of the 2022 attack.

Source: ICO Monetary Penalty Notice, Advanced Computer Software Group Ltd, March 2025.
How it works

Three steps. Seconds per file.

01

Hash the file.

immut generates a SHA-256 hash of your file on our servers. For sensitive workloads, dedicated servers are available so files stay inside infrastructure you control.

e.g. a vulnerability scan report, DPIA, or change advisory board approval
02

Record on the public ledger.

The hash is committed to the XRP Ledger, a public blockchain, with a precise timestamp.

e.g. XRP Ledger, precise timestamp
03

Timestamped certificate.

immut returns a certificate of the record and its timestamp. Blockchain-anchored evidence of this kind has been accepted in courts across 88 countries and 171 jurisdictions.

e.g. anchored to the XRP Ledger, a public blockchain
Works with your whole stack

immut sits under the records your security, engineering, and compliance teams already produce, in any tool. Files stay where they live; immut writes the proof that anyone can verify.

Source systems
TeamsSlackSharePointDriveGmailNotionGitHubFigmaSalesforceDropboxVanta
The proof layer
immutHash · Anchor · Verify
Verifiers
CustomerCourt / JudgeRegulatorAuditorInvestorInsurer
The four properties

Proof that satisfies the four properties regulators and courts require.

01
Contemporaneous

Timestamped at the moment of creation.

02
Tamper-evident

Any change after creation is detectable by mathematics.

03
Independently verifiable

A regulator, auditor, or court can verify without trusting you or your vendor.

04
Court-ready

Blockchain-anchored timestamps of this kind have been accepted as legal evidence in 88 countries across 171 jurisdictions.

Secondary benefit · IP

Prove it without publishing it.

Because only the hash is ever made public, source code, API specifications, and technical architecture documents can be proven to exist on a given date without disclosing the underlying file. Public proof. Private work.

How immut protects software IP
FAQ

Common questions about immut in software.

Your file is hashed with SHA-256 on immut's servers. Only the hash is committed to the XRP Ledger, a fixed-length string that cannot be reversed to recover the original file. No file content, no source code, and no security documentation is ever stored externally. For sensitive workloads, immut offers dedicated servers so files stay inside infrastructure you control.

ISO 27001:2022 Annex A 8.15 requires logs to record and protect evidence of events as they occur. Blockchain-anchored timestamps satisfy this requirement: they are contemporaneous, tamper-evident, independently verifiable, and court-ready in a way that internal audit logs controlled by the organisation do not. The ICO has cited the inability to demonstrate controls operating at a specific time as a central finding in enforcement actions including the Advanced Computer Software and Capita cases.

immut is an independent layer alongside your SIEM, GRC platform, and security tooling, not a replacement for them. Your internal logs are controlled by your own infrastructure. A determined regulator or opposing expert can question whether they were altered. immut's timestamp lives on a public blockchain that neither you, your vendor, nor immut itself can change. It adds the independent verification that internal audit logs structurally cannot provide.

Because the proof lives on the XRP Ledger, a public blockchain no single party controls, every certificate already issued remains independently verifiable by any court, regulator, or auditor. This continues indefinitely, without immut's continued existence.

Start

Start proving your records today.

Only the hash is ever made public.