Delve Accused of 'Fake Compliance,' Facing Scrutiny Over Practices
Compliance startup Delve, a prominent Y Combinator-backed company with a recent $32 million Series A funding round valuing it at $300 million, is currently facing serious accusations of misleading hundreds of customers

Compliance startup Delve, a prominent Y Combinator-backed company with a recent $32 million Series A funding round valuing it at $300 million, is currently facing serious accusations of misleading hundreds of customers with "fake compliance." An anonymous Substack post, published this week by an entity identifying as "DeepDelver," alleges that Delve falsely convinced its clientele they were fully compliant with critical privacy and security regulations, including HIPAA and GDPR. These claims suggest potential criminal liability and substantial fines for the affected customers.
Delve swiftly responded to the allegations on its official blog, dismissing the Substack post as "misleading" and asserting it "contains a number of inaccurate claims." The controversy highlights significant concerns within the compliance-as-a-service sector, raising questions about the authenticity and independence of regulatory certifications provided through automated platforms.
DeepDelver's Damning Allegations
DeepDelver, who identified themselves as an employee of a former Delve client and chose anonymity due to fears of retaliation, detailed a series of events leading to their investigation. Their suspicions were first ignited in December after receiving an email from Delve that mentioned the alleged leak of a spreadsheet containing confidential client reports. Although Delve CEO Karun Kaushik reportedly assured customers of their compliance and data security, DeepDelver and other clients, feeling "underwhelmed with the Delve experience," decided to collectively investigate.
The investigation concluded that Delve achieves its speed claims by generating "fake evidence," fabricating auditor conclusions, and bypassing significant framework requirements while simultaneously assuring clients of 100% compliance. DeepDelver specifically accused the startup of providing customers with "fabricated evidence of board meetings, tests, and processes that never happened." This practice, they claim, left customers with a difficult choice: either adopt the pre-filled, potentially false evidence or undertake extensive manual work with minimal automation.
A key aspect of DeepDelver's criticism targets Delve's alleged reliance on two audit firms, Accorp and Gradient, which are described as being part of the "same operation" primarily based in India with a limited U.S. presence. DeepDelver asserted these firms merely "rubber stamp" reports generated by Delve, effectively "inverting" the traditional compliance structure. By preparing auditor conclusions and final reports before an independent review, Delve allegedly positioned itself as both implementer and examiner, which DeepDelver argues invalidates the entire attestation process.
Furthermore, the Substack post accused Delve of assisting clients in misleading the public by hosting "trust pages" that feature security measures reportedly never implemented. DeepDelver recounted an incident where Delve sent their employer boxes of donuts in an attempt to maintain satisfaction amid ongoing discussions. Despite this, DeepDelver's employer ultimately withdrew its trust page and ceased using Delve's services.
Delve's Rebuttal and Lingering Questions
In its blog post, Delve countered the accusations by clarifying its role as an "automation platform" that facilitates the ingestion of compliance-related information, providing auditors with access to this data. The company explicitly stated, "Final reports and opinions are issued solely by independent, licensed auditors, not Delve." Delve emphasized that customers have the flexibility to choose their preferred auditors or select from Delve’s network of "established firms" that are widely used across the industry.
Regarding the claim of providing "fake evidence," Delve clarified that it offers "templates to help teams document their processes in accordance with compliance requirements," a practice common among other compliance platforms. The company asserted that "Draft templates are not the same as ‘pre-filled evidence.’" Delve also confirmed it is "actively investigating any leaks" and continues to review the Substack post.
However, DeepDelver found Delve's response unsatisfactory, describing it as "baffled by the laziness, clumsiness and brazenness of it." DeepDelver argued that Delve attempted to evade accountability by recharacterizing "pre-filled evidence" as "templates," thereby shifting blame onto customers. DeepDelver also highlighted that Delve's response failed to address several "very serious allegations," including the claims about the India-based audit operations, the purported lack of actual AI capabilities, and the issue of trust pages displaying unimplemented controls. DeepDelver promised a "Part II" of their criticism to follow soon.
Broader Security Concerns Emerge
Compounding Delve's challenges, new security vulnerability claims have surfaced following the initial Substack post. An X user named James Zhou publicly stated that they had accessed sensitive information from Delve, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly further elaborated on these claims, sharing details from a conversation with Zhou about "several gaping security holes in Delve’s external attack surface."
TechCrunch's own attempt to contact Delve via its listed media contact email initially bounced back, though a calendar invite for a "Delve demo" was later received. These unfolding events cast a significant shadow over Delve, a high-growth startup in a critical industry, and underscore the increasing scrutiny on automated compliance solutions.
FAQ
Q: What is Delve primarily accused of?
A: Delve is accused of providing "fake compliance" services, allegedly misleading its customers into believing they were fully compliant with privacy and security regulations (like HIPAA and GDPR) by using fabricated evidence and audit reports from questionable, interconnected firms.
Q: How has Delve officially responded to these serious allegations?
A: Delve has publicly refuted the claims as "misleading" and inaccurate, stating that it functions as an automation platform that merely provides data to independent, licensed auditors. The company maintains that these auditors, not Delve, are solely responsible for issuing final compliance reports and opinions. It also describes its provided documentation as "templates," not "pre-filled evidence."
Q: What are the potential implications for Delve and its customers?
A: If the accusations prove true, Delve could face severe reputational damage, potential legal action, and a significant loss of trust. Its customers, who believed they were compliant, could face criminal liability under HIPAA and substantial fines under GDPR due to alleged non-compliance. Separately, new security vulnerability claims also raise concerns about Delve's own data protection practices.
Related articles
Pentagon Halts 155 Wind Projects in 24 States Over Drone Fears
The Pentagon has frozen permitting for 155 wind projects across 24 states for nearly a year, citing concerns that drones can hide within wind farms. This impacts 44 gigawatts of capacity and has cost developers $2 billion. The wind industry claims the freeze is politically motivated and has filed a lawsuit.
Build Your Own Local NMT App with React Native and QVAC
This article explores how Neural Machine Translation (NMT), powered by the Transformer architecture, revolutionized translation by understanding context. We then delve into QVAC, a local-first AI development platform, and its Bergamot engine, enabling private, on-device translation. Learn to set up a React Native app with QVAC and manage model lifecycles for efficient local translation.
Anthropic's 'Hard Questions' Ad: A Divisive Marketing Gambit
Verdict: A Bold but Polarizing Marketing Play Anthropic's latest ad for its Claude AI, themed around its 'Hard Questions' initiative, is nothing if not provocative. Intending to foster dialogue about the future of
in-depth: Chewy Promo Codes: $20 Off July 2026: coupons — Key Details
Pet owners can find substantial savings at Chewy in July 2026. New customers get $20 off first orders (code WELCOME) and free shipping. Existing users benefit from exclusive deals, Autoship discounts, and a Chewy+ membership for ongoing perks and rewards.
Wolverine's Latest Trailer: Lady Deathstrike Delivers a Brutal
Wolverine's Latest Trailer: Lady Deathstrike Delivers a Brutal Beatdown! Alright, True Believers, buckle up! We're now less than two months away from Marvel’s Wolverine slicing its way onto PlayStation 5, and Insomniac
Kalshi says it caught Trump’s teleprompter operator insider trading
Prediction market platform Kalshi has accused Donald Trump's teleprompter operator, Gabriel Perez, of insider trading, alleging he used advance knowledge of Trump's speeches to win over $100,000. Kalshi flagged the activity and referred it to the CFTC. While federal prosecutors declined a criminal case, a settlement is being discussed.






