ai: Delve accused of misleading customers with ‘fake compliance
Compliance startup Delve, a Y Combinator-backed company that raised a $32 million Series A last year at a $300 million valuation, is facing serious allegations of providing “fake compliance” services. An anonymous

Compliance startup Delve, a Y Combinator-backed company that raised a $32 million Series A last year at a $300 million valuation, is facing serious allegations of providing “fake compliance” services. An anonymous Substack post, published this week by “DeepDelver,” claims Delve has “falsely” assured hundreds of customers they were compliant with privacy and security regulations, potentially exposing them to significant legal and financial risks under HIPAA and GDPR.
Delve has publicly refuted these accusations on its blog, calling the Substack post “misleading” and asserting it “contains a number of inaccurate claims.” The firm, led by CEO Karun Kaushik, specializes in automated compliance platforms, aiming to streamline adherence to complex regulatory frameworks.
The Allegations Unveiled
DeepDelver, identifying as a former client, stated their suspicions arose after receiving an email in December about a leaked spreadsheet containing confidential client reports. Despite CEO Kaushik's assurances of continued compliance and no external data access, DeepDelver and other customers initiated a joint investigation due to a shared sense of dissatisfaction with Delve's service.
Their investigation concluded that Delve achieves its rapid compliance claims by producing “fake evidence,” generating auditor conclusions on behalf of what they describe as “certification mills” that merely “rubber stamp reports.” DeepDelver specifically accused Delve of fabricating evidence for board meetings, tests, and processes that never occurred. This practice allegedly forces clients to either adopt the fake evidence or resort to mostly manual compliance work, contrary to the promise of automation.
The post further alleges that almost all of Delve’s clients used two audit firms, Accorp and Gradient, which DeepDelver claims are part of the same operation, primarily based in India with a minimal U.S. presence. According to DeepDelver, these firms are not independently reviewing but rather approving reports pre-generated by Delve, thereby “inverting” the standard compliance structure and invalidating the entire attestation process. This structure, they argue, allows Delve to act as both implementer and examiner.
DeepDelver also claimed Delve assisted clients in “misleading the public” by hosting trust pages that listed security measures which were never actually implemented. The anonymous author noted that while their company discussed these issues with Delve, the startup sent them multiple boxes of donuts. Ultimately, DeepDelver’s employer reportedly unpublished its trust page and discontinued its reliance on Delve for compliance.
Delve's Counterarguments
In response to these grave accusations, Delve clarified its role, stating it is an “automation platform” that facilitates compliance information for auditors, rather than issuing compliance reports itself. The company emphasized that “final reports and opinions are issued solely by independent, licensed auditors, not Delve.”
Delve also asserted that its customers have the flexibility to choose their own auditors or select from Delve’s network of “independent, accredited third-party audit firms.” These firms, Delve added, are “established firms used broadly across the industry.” Regarding the “fake evidence” claim, Delve countered that it provides “templates to help teams document their processes,” a common practice among compliance platforms, distinguishing these from “pre-filled evidence.” The company affirmed it is “actively investigating any leaks” and is “still reviewing the Substack.”
Emerging Security Concerns and Industry Implications
Following the Substack publication, an X user named James Zhou reported gaining access to sensitive Delve information, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly corroborated these claims, detailing what he described as “several gaping security holes in Delve’s external attack surface” based on a conversation with Zhou.
TechCrunch’s attempt to reach Delve for additional comment via its listed media contact resulted in a bounced email, though a subsequent calendar invite for a “Delve demo” was received. TechCrunch has also reached out to DeepDelver for further comment. These developments highlight potential vulnerabilities and raise questions about the integrity of compliance-as-a-service models, especially for companies that rely on them to avoid significant legal repercussions.
FAQ
Q: What are the main accusations against Delve?
A: Delve is accused of providing “fake compliance” by generating fabricated evidence, using audit firms that allegedly rubber-stamp reports, and inverting the traditional audit structure. These actions purportedly misled hundreds of customers into believing they were compliant with privacy and security regulations, potentially exposing them to legal liabilities.
Q: How has Delve responded to these claims?
A: Delve has denied the accusations, stating the Substack post is misleading and contains inaccuracies. They maintain that they are an automation platform, not an issuer of compliance reports, and that final reports are issued by independent, licensed auditors chosen by customers. Delve also clarifies that it provides templates for documentation, not pre-filled evidence.
Q: What are the potential implications for Delve's customers?
A: If the accusations prove true, Delve's customers could face serious consequences, including criminal liability under HIPAA and hefty fines under GDPR, due to being falsely informed of their compliance status. They may also have unknowingly misled the public through trust pages listing unimplemented security measures.
Related articles
How to Evaluate the 2026 Hyundai Ioniq 5 N's New Price and Upgrades
Learn to evaluate the 2026 Hyundai Ioniq 5 N's significant price drop and enhanced features to decide if this enthusiast EV is right for you.
Pentagon Halts 155 Wind Projects in 24 States Over Drone Fears
The Pentagon has frozen permitting for 155 wind projects across 24 states for nearly a year, citing concerns that drones can hide within wind farms. This impacts 44 gigawatts of capacity and has cost developers $2 billion. The wind industry claims the freeze is politically motivated and has filed a lawsuit.
Kimi K3 Review: An Open-Source AI Challenger Worth Watching
Kimi K3 Review: An Open-Source AI Challenger Worth Watching Quick Verdict: Moonshot's Kimi K3 emerges as a compelling open-source alternative in the rapidly evolving AI landscape. While its overall performance might not
Build Your Own Local NMT App with React Native and QVAC
This article explores how Neural Machine Translation (NMT), powered by the Transformer architecture, revolutionized translation by understanding context. We then delve into QVAC, a local-first AI development platform, and its Bergamot engine, enabling private, on-device translation. Learn to set up a React Native app with QVAC and manage model lifecycles for efficient local translation.
iOS 27 Features Review: Subtle Upgrades, Big Impact
ZDNet reviews 5 underrated iOS 27 features, excluding Siri AI, that significantly enhance daily iPhone use. Discover Control Center optimizations, a dedicated photo folder, improved dictation, and more.
The SaaS Survival Guide: AI's Impact & Workday's Strategy Reviewed
ZDNet's article, "'The SaaS apocalypse is overrated': How Workday and other software providers plan to survive AI," offers a refreshingly balanced and insightful perspective on a topic often shrouded in sensationalism.






