Mar 22

Delve Under Fire for "Fake Compliance" Customer Deception

Originally reported by TechCrunch

A recently published anonymous Substack post has leveled serious accusations against the compliance startup Delve, claiming it "falsely" assured "hundreds of customers they were compliant" with critical privacy and security regulations. This alleged misrepresentation could potentially expose these clients to "criminal liability under HIPAA and hefty fines under GDPR."

Delve, a Y Combinator-backed company, last year announced a successful $32 million Series A funding round, achieving a $300 million valuation, with Insight Partners leading the investment. On Friday, the startup publicly challenged these allegations via its blog, describing the Substack post as "misleading" and asserting it "contains a number of inaccurate claims."

The Substack article is attributed to "DeepDelver," an individual who identified as an employee of a (now former) Delve client. In an email exchange with TechCrunch, DeepDelver explained that the decision to remain anonymous, along with their collaborators, stemmed from "fear for retaliation by Delve."

DeepDelver's post details an incident in December when they received an email reporting that the startup had "leaked a spreadsheet with confidential client reports." While Delve CEO Karun Kaushik subsequently emailed customers to reassure them of their compliance and confirm no external access to sensitive data, DeepDelver and other clients reportedly grew suspicious.

DeepDelver recounted their collective motivation, stating, "Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together."

Their investigation led to a stark conclusion: Delve supposedly "achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance."

DeepDelver provided extensive details regarding these claims, accusing the startup of furnishing clients with "fabricated evidence of board meetings, tests, and processes that never happened." This allegedly forced customers into a dilemma: "choose between adopting fake evidence or performing mostly manual work with little real automation or AI."

Furthermore, DeepDelver claimed that nearly all Delve clients utilized two audit firms, Accorp and Gradient, which they characterized as "part of the same operation." This operation is said to primarily function in India, maintaining only a superficial presence in the United States.

These firms, DeepDelver contended, merely "rubber-stamp reports that were generated by Delve." Consequently, the startup "inverts" the standard compliance framework, as DeepDelver explained: "By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation."

Beyond misleading its own customers, DeepDelver alleged that Delve assists these clients in "mislead[ing] the public by hosting trust pages that contain security measures that were never implemented."

DeepDelver noted a peculiar incident where, during discussions about their company's issues with Delve, the startup "sent us multiple boxes of donuts […] to keep us happy." Despite this gesture, DeepDelver's employer reportedly took down its trust page and no longer relies on Delve for compliance services.

In its defense, Delve clarified that it does not issue compliance reports itself. Instead, it operates as an "automation platform" that processes compliance-related information and facilitates auditors' access to this data.

The company explicitly stated, "Final reports and opinions are issued solely by independent, licensed auditors, not Delve."

Delve further explained that its customers have the option to "work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms." These auditors, the startup emphasized, are "established firms used broadly across the industry, including by other compliance platforms."

Addressing the accusation of providing "fake evidence," Delve countered that it merely offers "templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms."

"Draft templates are not the same as ‘pre-filled evidence,’" the company affirmed.

Delve also confirmed that it is "actively investigating any leaks" and is "still reviewing the Substack" post.

When TechCrunch sought DeepDelver's reaction to Delve's response, they expressed being "baffled by the laziness, clumsiness and brazenness of it."

DeepDelver elaborated, "They are trying to snake their way out [of] being held accountable by denying having ‘pre-filled evidence’ but calling it ‘templates’ instead, effectively shifting the blame to customers for adopting the ‘templates’ as is. They’re claiming they are not the ones to ‘issue’ the report, which is easy to claim if you define issuing a report as providing the final stamp."

They further highlighted several "very serious allegations" that Delve failed to address, including "The India accusation, the lack of AI (they only talk about ‘automations’), and the trust (lol) page containing controls that were never implemented."

DeepDelver indicated that their critique is far from over, promising that "Part II will follow soon."

Adding to the controversy, following the initial Substack post, an X user named James Zhou claimed to have accessed sensitive Delve information, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly subsequently shared further details from a conversation with Zhou, outlining "several gaping security holes in Delve’s external attack surface."

TechCrunch attempted to contact Delve's listed media contact for additional comment, but the email bounced. However, after the initial publication of this article, a calendar invite for a "Delve demo" later in the week was received.

This report was originally published on March 21, 2026, and has since been updated with emailed responses from DeepDelver, supplementary information regarding alleged security vulnerabilities provided by Jamieson O’Reilly, and additional details concerning Delve’s statement to TechCrunch.

Editorial Staff, Editor

The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing. Founded in 2025, AIChief has quickly grown into the largest free AI resource hub in the industry.
