The controversy over Delve appears to have cost it its relationship with compliance startups and accelerator Y Combinator.
Delve is no longer listed in YC’s list of portfolio companies, and the Delve page also appears to have been removed from the YC website. Additionally, the startup’s COO Selin Kocalar posted on X that “YC and Delve have parted ways.”
“I still remember the day of my YC interview at MIT,” Kocalar said. “We are so thankful for our community and all the founder friends we have made.”
YC isn’t the first investor to distance itself from Delve. Insight Partners also appears to have deleted posts about its investment in the company, although the primary blog post was later restored.
Meanwhile, Delve continues to push back against anonymous claims that it misled customers by telling them it complied with privacy and security regulations, reportedly skipping important requirements and auto-generating reports for “certified factories reporting by rubber stamps.”
The claims were first published in an anonymous Substack post by “DeepDelver,” who described himself as a former Delve customer who became suspicious after receiving leaked data about the startup client.
DeepDelver posted a follow-up post sharing what it said was the company’s Slack and video posts, and accused Delve of passing on open source tools on its own without giving developers credit or reaching an agreement. A security researcher said they also had access to sensitive Delve data.
Tech Crunch Event
San Francisco, California
|
October 13-15, 2026
Meanwhile, Delve was embroiled in controversy as malicious code was discovered in an open source project developed by LiteLLM, a Delve customer.
In the company’s latest blog post, Delve’s COO Kocalar and CEO Karun Kaushik announced their intention to “set the record straight about anonymous attacks.” Among other things, they claimed the company had hired a cybersecurity firm “to help us understand what happened” and said “evidence points to a malicious attack, not an actual whistleblower.”
“It appears that the attackers purchased Delve under false pretenses and maliciously leaked data, including Delve’s internal company data, to launch an organized smear campaign against us,” they said. The blog post also includes a screenshot that “shows an attacker exfiltrating an audit trail spreadsheet via file.io.”
In addition to this accusation, Delve described DeepDelver’s criticism as “a mix of fabricated claims, cherry-picked screenshots, and out-of-context data.” For example, they said DeepDelver “ignores our AI while admitting to automating 70% of its security questionnaire.”
In response to questions about its use of open source tools, Delve said it was “built on top of the Apache 2.0 open source repository, which explicitly allows for commercial use, and has been heavily rebuilt for compliance use cases.”
However, executives said they were taking steps to ensure customers “have confidence in our platform and compliance outcomes.”
These steps include pruning the company’s network to weed out audit firms that “do not meet our standards,” “offering free re-audits and penetration testing to all active customers,” and making it “absolutely clear” that Delve’s templates for items such as board meeting minutes are “designed only as a starting point.”
Kaushik made many of the same points in his post on
TechCrunch has reached out to Y Combinator and DeepDelver for response to Delve’s comments.
