A recent anonymous Substack post has leveled serious accusations against Delve, a compliance startup, alleging it "falsely" assured "hundreds of customers they were compliant" with critical privacy and security regulations. These claims suggest that Delve's clients could face "criminal liability under HIPAA and hefty fines under GDPR."
Delve, a startup backed by Y Combinator, garnered significant attention last year when it announced a $32 million Series A funding round, led by Insight Partners, at a $300 million valuation. The company quickly moved to dispute the allegations, publishing a blog post on Friday that branded the Substack content as "misleading" and containing "a number of inaccurate claims."
The Substack article was authored by "DeepDelver," an individual who identified as an employee of a former Delve client.
DeepDelver detailed an incident in December where they received an email indicating the startup had "leaked a spreadsheet with confidential client reports." Although Delve CEO Karun Kaushik subsequently emailed customers to reassure them of their compliance and confirm no external access to sensitive data, DeepDelver, along with other clients, grew suspicious.
"Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together," DeepDelver wrote, explaining the motivation behind their collective inquiry.
Their investigation led to a stark conclusion: Delve "achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance."
DeepDelver provided extensive details supporting these claims, accusing the startup of furnishing customers with "fabricated evidence of board meetings, tests, and processes that never happened." This allegedly left clients with the difficult choice of either "adopting fake evidence or performing mostly manual work with little real automation or AI."
Furthermore, DeepDelver asserted that nearly all of Delve's clients utilized two specific audit firms, Accorp and Gradient. These firms were characterized as "part of the same operation," primarily based in India with only a nominal presence in the United States.
According to DeepDelver, these firms merely "rubber-stamp reports that were generated by Delve." This process, DeepDelver argued, "inverts" the standard compliance structure. The post stated, "By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation."
Beyond misleading its customers, DeepDelver also accused Delve of assisting clients in "mislead[ing] the public by hosting trust pages that contain security measures that were never implemented."
Regarding their own association with Delve, DeepDelver confirmed that their company has since removed its trust page and no longer relies on the startup for compliance services.
In its defense, Delve clarified that it does not issue compliance reports. Instead, it functions as an "automation platform" that processes compliance-related information and grants auditors access to this data.
"Final reports and opinions are issued solely by independent, licensed auditors, not Delve," the company affirmed.
Delve also highlighted that its customers have the flexibility to "opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms." The startup emphasized that these firms are "established firms used broadly across the industry, including by other compliance platforms."
Addressing the accusation of providing "fake evidence," Delve countered that it simply offers "templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms."
"Draft templates are not the same as ‘pre-filled evidence,’" the company stated.
Delve further noted that it is "actively investigating any leaks" and is "still reviewing the Substack" post.
TechCrunch’s attempt to obtain further comment via the media contact address listed on Delve’s website resulted in a bounced email. Additional comment has also been sought from DeepDelver.
The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing.