Delve was accused of misleading customers through “false compliance.”

An anonymous Substack post this week accused compliance startup Delve of “falsely” assuring “hundreds of its customers are compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and massive fines under GDPR.”

Delve is a Y Combinator-backed startup that last year announced a $32 million Series A round at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to rebut the accusations on its blog, calling the Substack post “misleading” and “containing a number of inaccurate claims.”

The Substack post comes from “DeepDelver,” who said they worked for a (now former) Delve client. In response to emailed questions from TechCrunch, DeepDelver said they and their collaborators “have chosen to remain anonymous for fear of retaliation from Delve.”

In their post, DeepDelver recalled receiving an email in December claiming the startup had “leaked a spreadsheet containing confidential customer reports.” While Delve CEO Karun Kaushik assured customers in a follow-up email that they were compliant and that external parties could not access sensitive data, DeepDelver said they and other customers were suspicious.

“With our shared experience of being overwhelmed by the Delve experience and the general feeling that something fishy was going on, we decided to pool our resources and investigate together,” they wrote.

Their conclusion? Delve “achieves its claim to be the fastest platform by generating fake evidence, generating audit conclusions on behalf of certified factories, and skipping key framework requirements while informing customers that 100% compliance has been achieved.”

DeepDelver went into considerable detail about these claims, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened” and then forcing those customers “to choose between accepting the fake evidence or performing manual tasks with little real automation or AI.”

DeepDelver also claimed that almost all of Delve’s clients appear to have gone through two audit firms: Accorp and Gradient. They described the companies as “part of the same operation.” The company operates primarily in India and has only a nominal presence in the United States.

They said the firms were just rubber-stamping reports generated by Delve. As a result, DeepDelver said the startup is “reversing” the typical compliance structure. “By producing audit conclusions, test procedures, and final reports before an independent review occurs, Delve assumes the role of both implementer and investigator. This is not a technical issue; it is a structural fraud that invalidates the entire attestation.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup is “helping its customers mislead the public by hosting trust pages with unimplemented security measures.”

DeepDelver said that while their company was discussing the issue with Delve, the startup “sent us several boxes of donuts to keep us happy (…).” Nonetheless, DeepDelver’s employer has taken down the trust page and is supposedly no longer relying on the startup for compliance.

Delve responded to the criticism by saying it does not publish any compliance reports. Instead, it is an “automation platform” that collects information about compliance and then provides auditors with access to that information.

“Final reports and opinions are issued only by independent, licensed auditors and not by Delve,” the company said.

Delve also said customers “can work with an auditor of their choice or with an auditor who is part of Delve’s network of independent, accredited third-party audit firms.” The auditor is “an established company widely used across the industry, including other compliance platforms,” the startup said.

Delve countered accusations that it provides “fake evidence” to customers, saying it simply provides “templates to help teams document their processes in line with compliance requirements, like other compliance platforms.”

“Draft templates are not the same as ‘pre-written evidence,’” the company said.

Delve added that it is “actively investigating all leaks” and is “still reviewing the substack.”

When asked about Delve’s response, DeepDelver told TechCrunch that it was “embarrassed by its laziness, clumsiness and shamelessness.”

“They are trying to evade responsibility by denying that there is a ‘pre-populated proof’ and instead calling it a ‘template,’ effectively shifting the blame to customers who have adopted the ‘template’ verbatim,” DeepDelver said. “They are claiming that they are not the ones ‘issuing’ the report. This can easily be argued by defining the issuance of a report as providing a final stamp.”

They added that “there are a number of very serious allegations” that Delve has not addressed at all. “Condemnation of India, lack of AI (only talks about ‘automation’), trust (laughs) page with unimplemented controls.”

Apparently, the criticism isn’t over, as DeepDelver promised: “Part 2 will follow soon.”

Additionally, following the initial Substack post, an X user named James Zhou said he was able to access sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared more details in a conversation with Zhou about what O’Reilly called “multiple security holes in Delve’s external attack surface.”

TechCrunch sent an email to the media contact address listed on Delve’s website seeking further comment. The email bounced, but after this article was published I received a calendar invitation to a “Delve demo” later this week.

This post was first published on March 21, 2026. Updated with an emailed response from DeepDelver, additional information about the alleged security vulnerability provided by Jamieson O’Reilly, and additional details about Delve’s response to TechCrunch.
