Delve Accused of 'Fake Compliance,' Facing Scrutiny Over Practices

Compliance startup Delve, a prominent Y Combinator-backed company with a recent $32 million Series A funding round valuing it at $300 million, is currently facing serious accusations of misleading hundreds of customers with "fake compliance." An anonymous Substack post, published this week by an entity identifying as "DeepDelver," alleges that Delve falsely convinced its clientele they were fully compliant with critical privacy and security regulations, including HIPAA and GDPR. These claims suggest potential criminal liability and substantial fines for the affected customers.
Delve swiftly responded to the allegations on its official blog, dismissing the Substack post as "misleading" and asserting it "contains a number of inaccurate claims." The controversy highlights significant concerns within the compliance-as-a-service sector, raising questions about the authenticity and independence of regulatory certifications provided through automated platforms.
DeepDelver's Damning Allegations
DeepDelver, who identified themselves as an employee of a former Delve client and chose anonymity due to fears of retaliation, detailed a series of events leading to their investigation. Their suspicions were first ignited in December after receiving an email from Delve that mentioned the alleged leak of a spreadsheet containing confidential client reports. Although Delve CEO Karun Kaushik reportedly assured customers of their compliance and data security, DeepDelver and other clients, feeling "underwhelmed with the Delve experience," decided to collectively investigate.
The investigation concluded that Delve achieves its speed claims by generating "fake evidence," fabricating auditor conclusions, and bypassing significant framework requirements while simultaneously assuring clients of 100% compliance. DeepDelver specifically accused the startup of providing customers with "fabricated evidence of board meetings, tests, and processes that never happened." This practice, they claim, left customers with a difficult choice: either adopt the pre-filled, potentially false evidence or undertake extensive manual work with minimal automation.
A key aspect of DeepDelver's criticism targets Delve's alleged reliance on two audit firms, Accorp and Gradient, which are described as being part of the "same operation" primarily based in India with a limited U.S. presence. DeepDelver asserted these firms merely "rubber stamp" reports generated by Delve, effectively "inverting" the traditional compliance structure. By preparing auditor conclusions and final reports before an independent review, Delve allegedly positioned itself as both implementer and examiner, which DeepDelver argues invalidates the entire attestation process.
Furthermore, the Substack post accused Delve of assisting clients in misleading the public by hosting "trust pages" that feature security measures reportedly never implemented. DeepDelver recounted an incident where Delve sent their employer boxes of donuts in an attempt to maintain satisfaction amid ongoing discussions. Despite this, DeepDelver's employer ultimately withdrew its trust page and ceased using Delve's services.
Delve's Rebuttal and Lingering Questions
In its blog post, Delve countered the accusations by clarifying its role as an "automation platform" that facilitates the ingestion of compliance-related information, providing auditors with access to this data. The company explicitly stated, "Final reports and opinions are issued solely by independent, licensed auditors, not Delve." Delve emphasized that customers have the flexibility to choose their preferred auditors or select from Delve’s network of "established firms" that are widely used across the industry.
Regarding the claim of providing "fake evidence," Delve clarified that it offers "templates to help teams document their processes in accordance with compliance requirements," a practice common among other compliance platforms. The company asserted that "Draft templates are not the same as ‘pre-filled evidence.’" Delve also confirmed it is "actively investigating any leaks" and continues to review the Substack post.
However, DeepDelver found Delve's response unsatisfactory, saying they were "baffled by the laziness, clumsiness and brazenness of it." DeepDelver argued that Delve attempted to evade accountability by recharacterizing "pre-filled evidence" as "templates," thereby shifting blame onto customers. DeepDelver also highlighted that Delve's response failed to address several "very serious allegations," including the claims about the India-based audit operations, the purported lack of actual AI capabilities, and the issue of trust pages displaying unimplemented controls. DeepDelver promised a "Part II" of their criticism to follow soon.
Broader Security Concerns Emerge
Compounding Delve's challenges, new security vulnerability claims have surfaced following the initial Substack post. An X user named James Zhou publicly stated that they had accessed sensitive information from Delve, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly further elaborated on these claims, sharing details from a conversation with Zhou about "several gaping security holes in Delve’s external attack surface."
TechCrunch's own email to Delve's listed media contact address initially bounced back, though a calendar invite for a "Delve demo" was later received. These unfolding events cast a significant shadow over Delve, a high-growth startup in a critical industry, and underscore the increasing scrutiny on automated compliance solutions.
FAQ
Q: What is Delve primarily accused of?
A: Delve is accused of providing "fake compliance" services, allegedly misleading its customers into believing they were fully compliant with privacy and security regulations (like HIPAA and GDPR) by using fabricated evidence and audit reports from questionable, interconnected firms.
Q: How has Delve officially responded to these serious allegations?
A: Delve has publicly refuted the claims as "misleading" and inaccurate, stating that it functions as an automation platform that merely provides data to independent, licensed auditors. The company maintains that these auditors, not Delve, are solely responsible for issuing final compliance reports and opinions. It also describes its provided documentation as "templates," not "pre-filled evidence."
Q: What are the potential implications for Delve and its customers?
A: If the accusations prove true, Delve could face severe reputational damage, potential legal action, and a significant loss of trust. Its customers, who believed they were compliant, could face criminal liability under HIPAA and substantial fines under GDPR due to alleged non-compliance. Separately, new security vulnerability claims also raise concerns about Delve's own data protection practices.






