Delve Accused of 'Fake Compliance,' Facing Scrutiny Over Practices
Compliance startup Delve, a prominent Y Combinator-backed company with a recent $32 million Series A funding round valuing it at $300 million, is currently facing serious accusations of misleading hundreds of customers

Compliance startup Delve, a prominent Y Combinator-backed company with a recent $32 million Series A funding round valuing it at $300 million, is currently facing serious accusations of misleading hundreds of customers with "fake compliance." An anonymous Substack post, published this week by an entity identifying as "DeepDelver," alleges that Delve falsely convinced its clientele they were fully compliant with critical privacy and security regulations, including HIPAA and GDPR. These claims suggest potential criminal liability and substantial fines for the affected customers.
Delve swiftly responded to the allegations on its official blog, dismissing the Substack post as "misleading" and asserting it "contains a number of inaccurate claims." The controversy highlights significant concerns within the compliance-as-a-service sector, raising questions about the authenticity and independence of regulatory certifications provided through automated platforms.
DeepDelver's Damning Allegations
DeepDelver, who identified themselves as an employee of a former Delve client and chose anonymity due to fears of retaliation, detailed a series of events leading to their investigation. Their suspicions were first ignited in December after receiving an email from Delve that mentioned the alleged leak of a spreadsheet containing confidential client reports. Although Delve CEO Karun Kaushik reportedly assured customers of their compliance and data security, DeepDelver and other clients, feeling "underwhelmed with the Delve experience," decided to collectively investigate.
The investigation concluded that Delve achieves its speed claims by generating "fake evidence," fabricating auditor conclusions, and bypassing significant framework requirements while simultaneously assuring clients of 100% compliance. DeepDelver specifically accused the startup of providing customers with "fabricated evidence of board meetings, tests, and processes that never happened." This practice, they claim, left customers with a difficult choice: either adopt the pre-filled, potentially false evidence or undertake extensive manual work with minimal automation.
A key aspect of DeepDelver's criticism targets Delve's alleged reliance on two audit firms, Accorp and Gradient, which are described as being part of the "same operation" primarily based in India with a limited U.S. presence. DeepDelver asserted these firms merely "rubber stamp" reports generated by Delve, effectively "inverting" the traditional compliance structure. By preparing auditor conclusions and final reports before an independent review, Delve allegedly positioned itself as both implementer and examiner, which DeepDelver argues invalidates the entire attestation process.
Furthermore, the Substack post accused Delve of assisting clients in misleading the public by hosting "trust pages" that feature security measures reportedly never implemented. DeepDelver recounted an incident where Delve sent their employer boxes of donuts in an attempt to maintain satisfaction amid ongoing discussions. Despite this, DeepDelver's employer ultimately withdrew its trust page and ceased using Delve's services.
Delve's Rebuttal and Lingering Questions
In its blog post, Delve countered the accusations by clarifying its role as an "automation platform" that facilitates the ingestion of compliance-related information, providing auditors with access to this data. The company explicitly stated, "Final reports and opinions are issued solely by independent, licensed auditors, not Delve." Delve emphasized that customers have the flexibility to choose their preferred auditors or select from Delve’s network of "established firms" that are widely used across the industry.
Regarding the claim of providing "fake evidence," Delve clarified that it offers "templates to help teams document their processes in accordance with compliance requirements," a practice common among other compliance platforms. The company asserted that "Draft templates are not the same as ‘pre-filled evidence.’" Delve also confirmed it is "actively investigating any leaks" and continues to review the Substack post.
However, DeepDelver found Delve's response unsatisfactory, describing it as "baffled by the laziness, clumsiness and brazenness of it." DeepDelver argued that Delve attempted to evade accountability by recharacterizing "pre-filled evidence" as "templates," thereby shifting blame onto customers. DeepDelver also highlighted that Delve's response failed to address several "very serious allegations," including the claims about the India-based audit operations, the purported lack of actual AI capabilities, and the issue of trust pages displaying unimplemented controls. DeepDelver promised a "Part II" of their criticism to follow soon.
Broader Security Concerns Emerge
Compounding Delve's challenges, new security vulnerability claims have surfaced following the initial Substack post. An X user named James Zhou publicly stated that they had accessed sensitive information from Delve, including employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly further elaborated on these claims, sharing details from a conversation with Zhou about "several gaping security holes in Delve’s external attack surface."
TechCrunch's own attempt to contact Delve via its listed media contact email initially bounced back, though a calendar invite for a "Delve demo" was later received. These unfolding events cast a significant shadow over Delve, a high-growth startup in a critical industry, and underscore the increasing scrutiny on automated compliance solutions.
FAQ
Q: What is Delve primarily accused of?
A: Delve is accused of providing "fake compliance" services, allegedly misleading its customers into believing they were fully compliant with privacy and security regulations (like HIPAA and GDPR) by using fabricated evidence and audit reports from questionable, interconnected firms.
Q: How has Delve officially responded to these serious allegations?
A: Delve has publicly refuted the claims as "misleading" and inaccurate, stating that it functions as an automation platform that merely provides data to independent, licensed auditors. The company maintains that these auditors, not Delve, are solely responsible for issuing final compliance reports and opinions. It also describes its provided documentation as "templates," not "pre-filled evidence."
Q: What are the potential implications for Delve and its customers?
A: If the accusations prove true, Delve could face severe reputational damage, potential legal action, and a significant loss of trust. Its customers, who believed they were compliant, could face criminal liability under HIPAA and substantial fines under GDPR due to alleged non-compliance. Separately, new security vulnerability claims also raise concerns about Delve's own data protection practices.
Related articles
JPMorgan Chase Taps Seattle for Critical AI Control Layer Development
Global financial giant JPMorgan Chase is making a significant strategic investment in Seattle, establishing a new AI software infrastructure team. This pivotal group will build an "AI control layer" to manage the bank's AI operations, aiming to control costs, protect intellectual property, and prevent vendor lock-in.
The Motorola Edge 70 Max is all about power: Android — Key Details
Motorola has launched its new flagship, the Edge 70 Max, designed for power users with a massive 7100mAh silicon-carbon battery and 25W Qi2 wireless charging. It’s the first Android phone since the Pixel 10 Pro XL to support full 25W Qi2, surpassing other Qi2-enabled Androids capped at 15W. The device also offers 90W wired charging and a Snapdragon 8 Gen 5 chip.
DeepMind CEO calls for independent body to regulate frontier AI
DeepMind CEO Demis Hassabis has proposed an independent standards body, modeled after FINRA, to regulate frontier AI models. The body would test advanced AI systems and develop best practices for their release, initially on a voluntary basis before potentially becoming mandatory. This initiative aims to provide technically focused, adaptable oversight to the rapidly evolving field of AI.
OnePlus is reportedly bailing on the US: Oppo — Key Details
OnePlus, and parent company Oppo, are reportedly exiting the US and European markets, with an announcement due shortly. This follows months of rumors and signals a major shift in the Western smartphone landscape.
startups: The web is now mostly bots. Cloudflare is rebuilding its
Cloudflare has launched Precursor, a new defense system, in response to bots now generating over 57% of all web traffic. Precursor monitors entire user sessions to distinguish humans from sophisticated bots, moving beyond traditional single-check methods. This initiative is part of a broader strategy to classify and manage AI agents, control content reuse, and rebuild the web's foundational infrastructure for a machine-dominated internet.
industry: ACRouter picks the smartest AI model per task, beating
A groundbreaking open-source framework, ACRouter, dynamically selects the most capable and cost-effective AI model for any given task, demonstrating a 2.6x cost reduction over Opus-only setups while maintaining performance. It learns and adapts in real-time, addressing limitations of static routing.






