An anonymous Substack post published this week has raised serious allegations against compliance startup Delve, claiming the company has “falsely” convinced “hundreds of customers” of their compliance with privacy and security regulations. The allegations suggest that this misrepresentation could potentially expose customers to “criminal liability under HIPAA and hefty fines under GDPR.”
Delve, a Y Combinator-backed company, secured $32 million in Series A funding last year at a valuation of $300 million, led by Insight Partners. In response to the allegations, the startup issued a blog post on Friday, labeling the Substack narrative as “misleading” and asserting that it “contains a number of inaccurate claims.”
The post, authored by an individual using the pseudonym “DeepDelver,” claims to have worked for a former client of Delve. DeepDelver recounted an incident in December when they received an email about a supposed leak of a spreadsheet containing confidential client reports. Although Delve’s CEO Karun Kaushik reassured customers that the company was compliant and that sensitive data had not been accessed by any external parties, DeepDelver and other customers became increasingly suspicious.
“Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” DeepDelver wrote. Their investigation purportedly concluded that Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.”
DeepDelver went into detail about these claims, alleging that Delve provided fabricated evidence of board meetings, tests, and processes that never occurred. Customers were supposedly pressured to choose between adopting this “fake evidence” or carrying out tedious manual work with little automation. DeepDelver also suggested that nearly all of Delve’s clients had been audited by two firms, Accorp and Gradient, which were described as operating in tandem and primarily based in India, with minimal presence in the U.S.
According to DeepDelver, these firms simply rubber-stamped reports generated by Delve, allowing the company to invert the standard compliance structure. “By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation,” DeepDelver stated.
DeepDelver further accused Delve of helping customers mislead the public by hosting trust pages that allegedly list security measures that were never implemented. After raising these issues, DeepDelver’s employer reportedly unpublished its trust page and stopped relying on Delve for compliance. DeepDelver also recalled that, while they were trying to resolve their concerns, Delve sent multiple boxes of donuts to maintain customer satisfaction.
In its defense, Delve clarified that it does not issue compliance reports but operates as an “automation platform” that ingests compliance information and provides auditors access to that data. “Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company explained. Additionally, Delve stated that customers have the option to work with an auditor of their choosing or select one from Delve’s network of independent, accredited third-party firms.
Responding to claims of providing “fake evidence,” Delve emphasized that it merely offers templates to assist teams in documenting processes in accordance with compliance standards. “Draft templates are not the same as ‘pre-filled evidence,’” the company noted. Delve also mentioned that it is “actively investigating any leaks” and continues to review the Substack post.
Following the Substack allegations, a user on X, identified as James Zhou, claimed to have gained access to sensitive information from Delve, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared further details from a conversation regarding what he described as “several gaping security holes in Delve’s external attack surface.”
While TechCrunch sought additional comments from Delve via the media contact listed on its website, the email bounced back. However, a calendar invite for a “Delve demo” was subsequently received. TechCrunch also reached out to DeepDelver for further comments on the matter.
As these developments unfold, the implications for Delve and its clients could be substantial, raising questions about the integrity of compliance measures in the startup’s operational framework and the potential repercussions for its customers.