Delve was accused of misleading customers through “false compliance.”

An anonymous Substack post this week accused compliance startup Delve of “falsely” assuring “hundreds of its customers are compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and massive fines under GDPR.”

Delve is a Y Combinator-backed startup that last year announced a $32 million Series A round at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to rebut the accusations on its blog, calling the Substack post “misleading” and “containing a number of inaccurate claims.”

The Substack post comes from “DeepDelver,” who said they worked for a (now former) Delve client.

DeepDelver said they received an email in December claiming the startup had “leaked a spreadsheet containing confidential customer reports.” Although Delve CEO Karun Kaushik assured customers in a follow-up email that they were compliant and that external parties could not access sensitive data, DeepDelver said they and other customers were suspicious.

“With our shared experience of being overwhelmed by the Delve experience and the general feeling that something fishy was going on, we decided to pool our resources and investigate together,” they wrote.

Their conclusion? Delve “achieves its claim to be the fastest platform by generating fake evidence, generating audit conclusions on behalf of certified factories, and skipping key framework requirements while informing customers that 100% compliance has been achieved.”

DeepDelver went into considerable detail about these claims, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened” and then forcing those customers “to choose between accepting the fake evidence or performing manual tasks with little real automation or AI.”

DeepDelver also claimed that almost all of Delve’s clients appear to have gone through two audit firms: Accorp and Gradient. They described the companies as “part of the same operation.” The company operates primarily in India and has only a nominal presence in the United States.

They said the firms simply rubber-stamped reports generated by Delve. As a result, DeepDelver said the startup is “reversing” the typical compliance structure. “By producing audit conclusions, test procedures, and final reports before an independent review occurs, Delve assumes the role of both implementer and investigator. This is not a technical issue; it is a structural fraud that invalidates the entire attestation.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup is “helping its customers mislead the public by hosting trust pages with unimplemented security measures.”

DeepDelver said that while his company is discussing the matter with Delve, the startup has “already sent several boxes of donuts to keep us happy.” Nonetheless, DeepDelver’s employer has taken down the trust page and is supposedly no longer relying on the startup for compliance.

Delve responded to the criticism by saying it does not publish any compliance reports. Instead, it is an “automation platform” that collects information about compliance and then provides auditors with access to that information.

“Final reports and opinions are issued only by independent, licensed auditors and not by Delve,” the company said.

Delve also said customers “can work with an auditor of their choice or with an auditor who is part of Delve’s network of independent, accredited third-party audit firms.” The auditor is “an established company widely used across the industry, including other compliance platforms,” the startup said.

Delve countered accusations that it provides “fake evidence” to customers, saying it simply provides “templates to help teams document their processes in line with compliance requirements, like other compliance platforms.”

“A draft template is not the same as ‘pre-written evidence,’” the company said.

Delve added that it is “actively investigating all leaks” and is “still reviewing the substack.”

After the initial Substack post, an X user named James Zhou said he was able to access sensitive information from Delve, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared more details in a conversation with Zhou about what O’Reilly called “multiple security holes in Delve’s external attack surface.”

TechCrunch sent an email to the media contact address listed on Delve’s website seeking further comment. The email bounced, but I later received a calendar invite for a “Delve demo” later this week. TechCrunch has reached out to DeepDelver for further comment.

This post has been updated with additional information about the purported security vulnerability, courtesy of Jamieson O’Reilly, and additional details about Delve’s response to TechCrunch.
