Delve accused of misleading customers with ‘fake compliance’
Compliance startup Delve, a Y Combinator-backed company that raised a $32 million Series A last year at a $300 million valuation, is facing serious allegations of providing “fake compliance” services. An anonymous Substack post, published this week by “DeepDelver,” claims Delve has “falsely” assured hundreds of customers they were compliant with privacy and security regulations, potentially exposing them to significant legal and financial risks under HIPAA and GDPR.
Delve has publicly refuted these accusations on its blog, calling the Substack post “misleading” and asserting it “contains a number of inaccurate claims.” The firm, led by CEO Karun Kaushik, specializes in automated compliance platforms, aiming to streamline adherence to complex regulatory frameworks.
The Allegations Unveiled
DeepDelver, identifying as a former client, stated their suspicions arose after receiving an email in December about a leaked spreadsheet containing confidential client reports. Despite CEO Kaushik's assurances of continued compliance and no external data access, DeepDelver and other customers initiated a joint investigation due to a shared sense of dissatisfaction with Delve's service.
Their investigation concluded that Delve achieves its rapid compliance claims by producing “fake evidence,” generating auditor conclusions on behalf of what they describe as “certification mills” that merely “rubber stamp reports.” DeepDelver specifically accused Delve of fabricating evidence for board meetings, tests, and processes that never occurred. This practice allegedly forces clients to either adopt the fake evidence or resort to mostly manual compliance work, contrary to the promise of automation.
The post further alleges that almost all of Delve’s clients used two audit firms, Accorp and Gradient, which DeepDelver claims are part of the same operation, primarily based in India with a minimal U.S. presence. According to DeepDelver, these firms are not independently reviewing but rather approving reports pre-generated by Delve, thereby “inverting” the standard compliance structure and invalidating the entire attestation process. This structure, they argue, allows Delve to act as both implementer and examiner.
DeepDelver also claimed Delve assisted clients in “misleading the public” by hosting trust pages that listed security measures which were never actually implemented. The anonymous author noted that while their company discussed these issues with Delve, the startup sent them multiple boxes of donuts. Ultimately, DeepDelver’s employer reportedly unpublished its trust page and discontinued its reliance on Delve for compliance.
Delve's Counterarguments
In response to these grave accusations, Delve clarified its role, stating it is an “automation platform” that facilitates compliance information for auditors, rather than issuing compliance reports itself. The company emphasized that “final reports and opinions are issued solely by independent, licensed auditors, not Delve.”
Delve also asserted that its customers have the flexibility to choose their own auditors or select from Delve’s network of “independent, accredited third-party audit firms.” These firms, Delve added, are “established firms used broadly across the industry.” Regarding the “fake evidence” claim, Delve countered that it provides “templates to help teams document their processes,” a common practice among compliance platforms, distinguishing these from “pre-filled evidence.” The company affirmed it is “actively investigating any leaks” and is “still reviewing the Substack.”
Emerging Security Concerns and Industry Implications
Following the Substack publication, an X user named James Zhou reported gaining access to sensitive Delve information, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly corroborated these claims, detailing what he described as “several gaping security holes in Delve’s external attack surface” based on a conversation with Zhou.
TechCrunch’s attempt to reach Delve for additional comment via its listed media contact resulted in a bounced email, though a subsequent calendar invite for a “Delve demo” was received. TechCrunch has also reached out to DeepDelver for further comment. These developments highlight potential vulnerabilities and raise questions about the integrity of compliance-as-a-service models, especially for companies that rely on them to avoid significant legal repercussions.
FAQ
Q: What are the main accusations against Delve?
A: Delve is accused of providing “fake compliance” by generating fabricated evidence, using audit firms that allegedly rubber-stamp reports, and inverting the traditional audit structure. These actions purportedly misled hundreds of customers into believing they were compliant with privacy and security regulations, potentially exposing them to legal liabilities.
Q: How has Delve responded to these claims?
A: Delve has denied the accusations, stating the Substack post is misleading and contains inaccuracies. They maintain that they are an automation platform, not an issuer of compliance reports, and that final reports are issued by independent, licensed auditors chosen by customers. Delve also clarifies that it provides templates for documentation, not pre-filled evidence.
Q: What are the potential implications for Delve's customers?
A: If the accusations prove true, Delve's customers could face serious consequences, including criminal liability under HIPAA and hefty fines under GDPR, due to being falsely informed of their compliance status. They may also have unknowingly misled the public through trust pages listing unimplemented security measures.