The controversy surrounding Delve appears to have damaged the compliance startup’s relationship with accelerator Y Combinator.
Delve is not listed in YC’s portfolio company directory, and the Delve page appears to have been removed from the YC website. Furthermore, the startup’s COO Selin Kocalar posted on X that “YC and Delve have parted ways.”
“I still remember the day I had my YC interview at MIT,” Kokara said. “We are so grateful for the community and all the founder friends we have made.”
YC is not the first investor to distance itself from Delve. Insight Partners also appears to have deleted a post about investing in the company, but the main blog post has since been restored.
Meanwhile, Delve continues to push back against anonymous claims that it misled customers that it complied with privacy and security regulations while ignoring key requirements and automatically generating reports for “rubber-stamp certified factories.”
These claims were first published in an anonymous Substack post identified as “DeepDelver.” The person described himself as a former Delve customer who became suspicious after receiving leaked data about the startup’s customers.
DeepDelver later published posts sharing what it said were Slack posts and video posts from the company, accusing Delve of passing off open source tools as its own without giving credit or reaching agreements with developers. One security researcher said he had access to Delve’s sensitive data.
tech crunch event
San Francisco, California
|
October 13-15, 2026
Meanwhile, Delve also became part of a related controversy after malware was discovered in an open source project developed by Delve customer LiteLLM.
In the company’s latest blog post, Delve COO Kocalar and CEO Karun Kaushik vowed to “set the record straight against anonymous attacks.” Among other things, they claimed that the company hired a cybersecurity firm “to understand what happened,” and said that “evidence points to a malicious attack rather than a genuine whistleblower.”
“It appears that the attackers purchased Delve under false pretenses, maliciously extracted the data, including Delve’s internal data, and used it to launch a coordinated smear campaign against our company,” they said. The blog post also includes a screenshot that “shows the attacker exfiltrating our audit trail spreadsheet via file.io.”
Beyond this accusation, Delve described DeepDelver’s criticism as “a combination of fabricated claims, cherry-picked screenshots, and decontextualized data.” For example, they say that DeepDelver “admits to automating 70% of security surveys, yet ignores our AI.”
Regarding the issue of using open source tools, Delve said, “We built on the Apache 2.0 open source repository, which explicitly allows commercial use, and have significantly restructured it for compliance use cases.”
But executives also said they are taking steps to ensure customers “have confidence in our platform and compliance outcomes.”
These actions reportedly include cleaning up the company’s network to remove audit firms that “do not meet our standards,” “offering free re-audits and penetration testing to all active customers,” and “making it clear” that Delve’s templates, such as board minutes, are “designed as a starting point only.”
In his post on X, Kaushik made many of the same points, but also said:[W]We grew too fast and fell short of our own standards. We apologize for any inconvenience caused to our customers. ”
TechCrunch has reached out to Y Combinator and DeepDelver for a response to Delve’s comments.
Source link
