An nameless Substack publish revealed this week accuses compliance startup Delve of “falsely” convincing “lots of of consumers they had been compliant” with privateness and safety rules, probably exposing these prospects to “prison legal responsibility underneath HIPAA and hefty fines underneath GDPR.”
Delve is a Y Combinator-backed startup that final 12 months introduced elevating a $32 million Collection A at a $300 million valuation. (The spherical was led by Perception Companions.) On Friday, the startup tried to refute the accusations on its weblog, calling the Substack publish “deceptive” and saying it “comprises quite a few inaccurate claims.”
The Substack publish is credited to “DeepDelver,” who described themselves as working at a (now former) Delve shopper.
DeepDelver recounted receiving an electronic mail in December claiming the startup had “leaked a spreadsheet with confidential shopper studies.” Whereas Delve CEO Karun Kaushik apparently assured prospects in a subsequent electronic mail that they had been in compliance and that no exterior celebration gained entry to delicate knowledge, DeepDelver stated they and different prospects had develop into suspicious.
“Having the shared expertise of being underwhelmed with the Delve expertise, and having the general sense that one thing fishy was happening, we determined to pool sources and examine collectively,” they wrote.
Their conclusion? That Delve “achieves its declare of being the quickest platform by producing pretend proof, producing auditor conclusions on behalf of certification mills that rubber stamp studies, and skipping main framework necessities whereas telling purchasers they’ve achieved 100% compliance.”
DeepDelver went into appreciable element about these claims, accusing the startup of offering prospects with “fabricated proof of board conferences, checks, and processes that by no means occurred,” then forcing these prospects to “select between adopting pretend proof or performing largely handbook work with little actual automation or AI.”
Techcrunch occasion
San Francisco, CA
|
October 13-15, 2026
DeepDelver additionally claimed that just about all of Delve’s purchasers appear to have gone by two audit corporations, Accorp and Gradient, which they described as “a part of the identical operation,” one which operates primarily in India, with solely a nominal presence in the US.
These corporations, they stated, are simply rubber-stamping studies that had been generated by Delve. Because of this, DeepDelver stated the startup “inverts” the traditional compliance construction: “By producing auditor conclusions, check procedures, and ultimate studies earlier than any impartial evaluate happens, Delve locations itself within the position of each implementer and examiner. This isn’t a technicality. It’s a structural fraud that invalidates the complete attestation.”
Along with accusing Delve of deceptive its prospects, DeepDelver stated the startup helps these prospects “mislead the general public by internet hosting belief pages that comprise safety measures that had been by no means carried out.”
DeepDelver stated that whereas their firm was discussing its points with Delve, the startup “despatched us a number of bins of donuts […] to maintain us blissful.” Nonetheless, DeepDelver’s employer supposedly unpublished its belief web page and now not depends on the startup for compliance.
Delve responded to the accusations by saying it doesn’t difficulty compliance studies in any respect. As a substitute, it’s an “automation platform” that ingests details about compliance, then offers auditors with entry to that data.
“Last studies and opinions are issued solely by impartial, licensed auditors, not Delve,” the corporate stated.
Delve additionally stated that its prospects “can decide to work with an auditor of their selecting or decide to work with one from Delve’s community of impartial, accredited third-party audit corporations.” These auditors, the startup stated, are “established corporations used broadly throughout the business, together with by different compliance platforms.”
In response to the accusation that it’s offering prospects with “pretend proof,” Delve countered that it’s merely providing “templates to assist groups doc their processes in accordance with compliance necessities, as do different compliance platforms.”
“Draft templates should not the identical as ‘pre-filled proof,’” the corporate stated.
Delve added that it’s “actively investigating any leaks” and is “nonetheless reviewing the Substack.”
Following the preliminary Substack publish, an X consumer named James Zhou stated they had been capable of acquire entry to delicate data from Delve, resembling worker background checks and fairness vesting schedules. Dvuln founder Jamieson O’Reilly shared extra particulars from what O’Reilly stated was a dialog with Zhou about “a number of gaping safety holes in Delve’s exterior assault floor.”
TechCrunch despatched an electronic mail in search of further remark to the media contact tackle listed on Delve’s web site. The e-mail bounced, however I subsequently obtained a calendar invite for a “Delve demo” later this week. TechCrunch has additionally reached out to DeepDelver for extra remark.
This publish has been up to date with further details about purported safety vulnerabilities supplied by Jamieson O’Reilly, and extra particulars about Delve’s response to TechCrunch.
