An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing these clients to “criminal liability under HIPAA and hefty fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup tried to refute the accusations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is credited to “DeepDelver,” who described themselves as working at a (now former) Delve client. In response to emailed questions from information.killnetswitch, DeepDelver said that they and their collaborators “chose to remain anonymous out of fear for retaliation by Delve.”
In their post, DeepDelver recounted receiving an email in December claiming the startup had “leaked a spreadsheet with confidential client reports.” While Delve CEO Karun Kaushik apparently assured clients in a subsequent email that they were in compliance and that no external party gained access to sensitive data, DeepDelver said they and other clients had become suspicious.
“Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim of being the fastest platform by producing fake evidence, producing auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they’ve achieved 100% compliance.”
DeepDelver went into considerable detail about these claims, accusing the startup of providing clients with “fabricated evidence of board meetings, tests, and processes that never occurred,” then forcing these clients to “choose between adopting fake evidence or performing largely manual work with little real automation or AI.”
DeepDelver also claimed that nearly all of Delve’s clients seem to have gone through two audit firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States.
These firms, they said, are simply rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup “inverts” the usual compliance structure: “By producing auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This isn’t a technicality. It’s a structural fraud that invalidates the entire attestation.”
In addition to accusing Delve of misleading its clients, DeepDelver said the startup helps these clients “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us a number of boxes of donuts […] to keep us happy.” Nonetheless, DeepDelver’s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.
Delve responded to the accusations by saying it doesn’t issue compliance reports at all. Instead, it’s an “automation platform” that ingests information about compliance, then provides auditors with access to that information.
“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company said.
Delve also said that its clients “can choose to work with an auditor of their choosing or choose to work with one from Delve’s network of independent, accredited third-party audit firms.” These auditors, the startup said, are “established firms used broadly across the industry, including by other compliance platforms.”
In response to the accusation that it’s providing clients with “fake evidence,” Delve countered that it’s merely offering “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.”
“Draft templates are not the same as ‘pre-filled evidence,’” the company said.
Delve added that it’s “actively investigating any leaks” and is “still reviewing the Substack.”
When asked about Delve’s response, DeepDelver told information.killnetswitch that they were “baffled by the laziness, clumsiness and brazenness of it.”
“They’re trying to snake their way out [of] being held accountable by denying having ‘pre-filled evidence’ but calling it ‘templates’ instead, effectively shifting the blame to customers for adopting the ‘templates’ as is,” DeepDelver said. “They’re claiming they are not the ones to ‘issue’ the report, which is easy to say if you define issuing a report as providing the final stamp.”
They added that there are “a number of very serious allegations” that Delve didn’t address at all: “The India accusation, the lack of AI (they only talk about ‘automations’), and the trust (lol) page containing controls that were never implemented.”
Apparently DeepDelver isn’t done with its criticism, as it promised, “Part II will follow soon.”
In addition, following the initial Substack post, an X user named James Zhou said they were able to gain access to sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared more details from what O’Reilly said was a conversation with Zhou about “several gaping security holes in Delve’s external attack surface.”
information.killnetswitch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but after this article was published, I received a calendar invite for a “Delve demo” later this week.
This post was originally published on March 21, 2026. It has been updated with emailed answers from DeepDelver, additional information about purported security vulnerabilities provided by Jamieson O’Reilly, and more details about Delve’s response to information.killnetswitch.



