Adequate controls and backdated controls are forensically identical.
ISO 27001:2022 Annex A 8.15 requires logs to record and protect evidence of events at the time they occur. Under UK GDPR Articles 5(2) and 24, controllers must be able to demonstrate that appropriate technical and organisational measures were in place and operating at the time of any personal data processing. If a breach occurs, the question the ICO asks is not whether you have security controls today: it is whether you can prove those controls were operating at the precise moment in question. File timestamps and change logs are controlled by the organisation's own infrastructure. Any administrator can alter them.
Software companies have already paid the price.
Where immut earns its keep in software.
Every one of these activities already happens in your security, engineering, and compliance teams. immut adds a layer of independently verifiable proof to each one.
Running vulnerability scans, penetration tests, and patch management cycles as required by ISO 27001:2022 Annex A 8.8 and your security policy.
Timestamp each vulnerability scan report and patch deployment record at the moment it is completed. When the ICO or a customer asks whether a known vulnerability was remediated before a breach occurred, the blockchain record proves the timeline independently of your internal systems, which are controlled by your own administrators.
Advanced Computer Software Group Ltd was fined £3.07M (ICO, March 2025) because it could not demonstrate that vulnerability scanning was deployed across all its systems. The ICO found gaps in MFA deployment and inadequate patch management. The company was a processor for the NHS. The question was not whether controls existed, but whether they were operating at the time of the 2022 attack.
Three steps. Seconds per file.
Hash the file.
immut generates a SHA-256 hash of your file on our servers. For sensitive workloads, dedicated servers are available so files stay inside infrastructure you control.
Record on the public ledger.
The hash is committed to the XRP Ledger, a public blockchain, with a precise timestamp.
Timestamped certificate.
immut returns a certificate of the record and its timestamp. Blockchain-anchored evidence of this kind has been accepted in courts across 88 countries and 171 jurisdictions.
immut sits under the records your security, engineering, and compliance teams already produce, in any tool. Files stay where they live; immut writes the proof that anyone can verify.
Proof that satisfies the four properties regulators and courts require.
Timestamped at the moment of creation.
Any change after creation is detectable by mathematics.
A regulator, auditor, or court can verify without trusting you or your vendor.
Blockchain-anchored timestamps of this kind have been accepted as legal evidence in 88 countries across 171 jurisdictions.
Prove it without publishing it.
Because only the hash is ever made public, source code, API specifications, and technical architecture documents can be proven to exist on a given date without disclosing the underlying file. Public proof. Private work.
How immut protects software IP →