The story of Delve, a startup facing compliance issues, has many twists and turns.
TechCrunch has confirmed that Delve is the compliance company that provided security certification for Context AI. Context AI is an AI agent training startup that last week disclosed a security incident that led to a data breach at popular app and website hosting giant Vercel.
Meanwhile, Lovable is no longer a Delve customer due to its own security incident.
To recap, Delve came under fire last month after an anonymous whistleblower alleged that it falsified customer data and used auditors to rubber-stamp its compliance and certification processes. Mr. Derbe denies these allegations.
Shortly after, hackers attacked LiteLLM, one of Delve’s security certified customers, and embedded malware in its open source code. Following the incident, LiteLLM told TechCrunch that Delve has been retired and is being recertified.
Delve was also accused of taking open source tools and passing them off as proprietary works without proper license attribution. The startup’s reputation was in jeopardy, and Y Combinator, which Delve graduated from, ended its partnership with the company.
Back last weekend, Barthel announced that hackers had broken into its internal systems and accessed some customer data. The company said the hackers gained entry after an employee downloaded an app made by Context AI and connected it to a Google-hosted Vercel corporate account. Hackers exploited access to the employee’s Google account to break into some of Vercel’s internal systems.
After Context AI was named in the Vercel attack, Gergely Orosz, author of the engineering newsletter The Pragmatic Engineer, said in a post on X that Delve was the company responsible for Context AI’s security certification.
Context AI confirmed to TechCrunch that it did use Delve, but has since retired the startup and is in the process of recertifying it.
“Yes, Context was previously a customer of Delve,” a Context AI spokesperson told TechCrunch. “Following news coverage of Delve in March, we moved our compliance program to Vanta and engaged Insight Assurance, an independent auditing firm, to conduct a new investigation. As part of the review, we have begun updating our public documentation and will share new attestations once completed,” the spokesperson added.
Security certifications alone cannot prevent security issues. These are aimed at validating that businesses have policies and processes in place to thwart attacks and reduce the likelihood of customer data being compromised.
Case in point: Lovable was a Delve customer, but after a whistleblower complaint came to light, the vibe coding platform announced it was exiting the startup in late 2025. The company has already completed one security certification and is in the process of redoing others.
Still, LaBable acknowledged Monday that it had inadvertently publicly shared access to customer chat data. The company also said it had dismissed a vulnerability report that alerted it to the problem several months ago. LaBable initially denied there was a data breach and apologized, but said the problem was caused by a misconfiguration, not hacking.
More bizarre news is swirling around Delve. Anonymous whistleblower DeepDelver published another post alleging that Delve took a team of more than 20 people to off-site meetings held in Hawaii from April 15th to April 19th, despite refusing to refund customers.
The whistleblower shared some convincing receipts with TechCrunch that lend credence to the alleged Hawaii trip, but TechCrunch was unable to confirm any other claims.
After publication, Delve declined to comment.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.
Source link
