Apr 23

Delve's Woes Deepen: Another Customer Hacked.

Originally reported by TechCrunch

The unfolding narrative surrounding the embattled compliance startup, Delve, continues to reveal a series of unexpected developments.

TechCrunch has confirmed that Delve was the provider of security certifications for Context AI, the AI agent training startup recently implicated in a security incident. This incident ultimately led to a data breach at Vercel, the widely used app and website hosting giant.

Separately, Lovable, a platform that has experienced its own security issues, is no longer counted among Delve's clientele.

To provide a brief overview: Delve faced significant scrutiny last month following allegations from an anonymous whistleblower. The whistleblower claimed the startup was fabricating customer data and employing auditors who merely rubber-stamped compliance and certification processes. Delve has vehemently denied these accusations.

Shortly after these allegations surfaced, LiteLLM, one of Delve’s security certification customers, was targeted by hackers who successfully embedded malware into its open-source code. In the wake of this incident, LiteLLM informed TechCrunch of its decision to sever ties with Delve and pursue re-certification from another provider.

Delve's integrity was further questioned when it was accused of appropriating an open-source tool and presenting it as its own work without proper license attribution. This series of events significantly eroded the startup's reputation, prompting Y Combinator, from which Delve had graduated, to formally cut ties.

Moving to last weekend, Vercel announced that its internal systems had been compromised by hackers, resulting in unauthorized access to some customer data. The company explained that the breach occurred after an employee downloaded an application developed by Context AI and subsequently linked it to Vercel's corporate account, which is hosted by Google. The attackers exploited this employee's Google account access to infiltrate certain internal Vercel systems.

Following Context AI's identification in the Vercel attack, Gergely Orosz, author of "The Pragmatic Engineer" newsletter, posted on X (formerly Twitter) that Delve was responsible for Context AI’s security certification.

Context AI has since confirmed to TechCrunch its prior engagement with Delve, but stated it has now moved on from the startup and is actively seeking re-certification.

“Yes, Context was previously a Delve customer,” a spokesperson for Context AI informed TechCrunch. “Following the reporting surrounding Delve in March, we transitioned our compliance program to Vanta and engaged Insight Assurance, an independent audit firm, to conduct new examinations. As part of the re-examination, we began updating our public materials, and we’ll share the new attestation when it is complete,” the spokesperson elaborated.

It is important to note that security certifications alone do not prevent security incidents. Their primary function is to validate that a company has established and implemented appropriate policies and processes designed to deter attacks and minimize the risk of customer data compromise.

A relevant example is Lovable, which was a Delve customer. After the whistleblower's allegations came to light, the vibe-coding platform stated it had already distanced itself from Delve in late 2025. The company has since completed one security certification and is in the process of redoing others, according to its statement.

However, Lovable admitted on Monday that it had inadvertently exposed customer chat data publicly. The company also disclosed that it had previously dismissed vulnerability reports that had alerted it to the problem months prior. Lovable apologized for initially denying the existence of a data breach, though it clarified that the issue stemmed from a configuration error rather than a direct hack.

Adding to Delve's ongoing troubles, the anonymous whistleblower, known as DeepDelver, has published another post alleging that Delve was refusing customer refunds while simultaneously taking its team of over 20 employees to an offsite meeting in Hawaii between April 15 and April 19.

The whistleblower provided TechCrunch with compelling evidence supporting the alleged Hawaii trip, though TechCrunch was unable to corroborate other claims made.

Delve did not respond to requests for comment or confirmation, and an email sent to its media relations address was undeliverable.

Editorial Staff, Editor

The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing. Founded in 2025, AIChief has quickly grown into the largest free AI resource hub in the industry.
