An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers” that it complies with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and significant fines under GDPR.”
Delve is a Y Combinator-backed startup that announced last year that it would raise $32 million in Series A at a valuation of $300 million. (The round was led by Insight Partners.) On Friday, the startup sought to refute the accusations on its blog, saying Substack’s post was “misleading” and “contains a number of inaccurate claims.”
The Substack post is attributed to “DeepDelver,” who claims to work for the (now former) Delve client.
DeepDelver recalled receiving an email in December claiming that the company had “leaked spreadsheets containing confidential customer reports.” Although Delve CEO Karun Kaushik appeared to clarify in a subsequent email that the customers were compliant and that sensitive data would not be accessed by outside parties, DeepDelver said they and other customers had doubts.
“With a shared experience of being overwhelmed by the Delve experience and an overall sense that something fishy was going on, we decided to pool our resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim to be the fastest platform by creating false evidence, deriving auditor conclusions on behalf of rubber-stamp-reported certified factories, and skipping key framework requirements while telling customers it’s 100% compliant.”
DeepDelver looked into these claims in considerable detail, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” and forcing those customers to “choose between adopting fake evidence or doing the work mostly manually with little actual automation or AI.”
tech crunch event
San Francisco, California
|
October 13-15, 2026
DeepDelver also claimed that virtually all of Delve’s clients appear to go through two audit firms, Accorp and Gradient, which it said are “part of the same practice” and which operate primarily in India and have only a nominal presence in the United States.
They said those companies were just rubber-stamp reports created by Delve. As a result, DeepDelver said, the startup has “inverted” the usual compliance structure: “By producing auditor conclusions, testing procedures, and final reports before independent reviews occur, Delve assumes the role of both implementer and assessor. This is not a technicality. It is a structural fraud that invalidates the entire certification.”
In addition to accusing Delve of misleading customers, DeepDelver said the startup helps customers “mislead the public by hosting trust pages that contain security measures that are never implemented.”
DeepDelver said that while his company was discussing the issue with Delve, the startup “already sent us boxes of donuts to keep us happy.” Nevertheless, DeepDelver’s employers have likely made their trust pages private and are no longer relying on the company for compliance.
Delve responded to the accusations by saying it had not issued any compliance reports. Instead, it is an “automation platform” that captures compliance information and provides auditors with access to that information.
“Final reports and opinions will be issued only by independent licensed auditors and not by Delve,” the company said.
Delve also said that customers “can choose to work with an auditor of their own choice or with an auditor from Delve’s network of independent, certified third-party audit firms.” The company says these auditors are “established companies that are widely used across the industry, including by other compliance platforms.”
In response to accusations that it provides “fake evidence” to customers, Delve countered that it only provides “templates to help teams document processes in accordance with compliance requirements, like other compliance platforms.”
“Draft templates are not the same as ‘pre-populated evidence,'” the company said.
Delve added that it is “actively investigating any breaches” and is “still considering Substack.”
Following the initial Substack post, an X user named James Zhou said Delve had access to sensitive information such as employee background checks and stock vesting schedules. Dvuln founder Jamison O’Reilly shared details of what he said was a conversation O’Reilly had with Chou about “some major security holes in Delve’s external attack surface.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but then I received a calendar invite to a “Delve Demo” later this week. TechCrunch also reached out to DeepDelver for additional comment.
This post has been updated with additional information about the alleged security vulnerability provided by Jamieson O’Reilly and additional details regarding Delve’s response to TechCrunch.
Source link
