{"id":556602,"date":"2026-03-22T08:03:12","date_gmt":"2026-03-22T08:03:12","guid":{"rendered":"https:\/\/www.newsbeep.com\/au\/556602\/"},"modified":"2026-03-22T08:03:12","modified_gmt":"2026-03-22T08:03:12","slug":"delve-accused-of-misleading-customers-with-fake-compliance","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/au\/556602\/","title":{"rendered":"Delve accused of misleading customers with \u2018fake compliance\u2019"},"content":{"rendered":"

An anonymous Substack post<\/a> published this week accuses compliance startup Delve<\/a> of \u201cfalsely\u201d convincing \u201chundreds of customers they were compliant\u201d with privacy and security regulations, potentially exposing those customers to \u201ccriminal liability under HIPAA and hefty fines under GDPR.\u201d<\/p>\n

Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A<\/a> at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the accusations on its blog<\/a>, calling the Substack post \u201cmisleading\u201d and saying it \u201ccontains a number of inaccurate claims.\u201d<\/p>\n

The Substack post is credited to \u201cDeepDelver,\u201d who described themselves as working at a (now former) Delve client.\u00a0<\/p>\n

DeepDelver recounted receiving an email in December claiming the startup had \u201cleaked a spreadsheet with confidential client reports.\u201d While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no external party gained access to sensitive data, DeepDelver said they and other customers had become suspicious.<\/p>\n

\u201cHaving the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,\u201d they wrote.<\/p>\n

Their conclusion? That Delve \u201cachieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.\u201d<\/p>\n

DeepDelver went into considerable detail about those claims, accusing the startup of providing customers with \u201cfabricated evidence of board meetings, tests, and processes that never happened,\u201d then forcing those customers to \u201cchoose between adopting fake evidence or performing mostly manual work with little real automation or AI.\u201d<\/p>\n

Techcrunch event<\/p>\n

\n\t\t\t\t\t\t\t\t\tSan Francisco, CA
\n\t\t\t\t\t\t\t\t\t\t\t\t\t|
\n\t\t\t\t\t\t\t\t\t\t\t\t\tOctober 13-15, 2026\n\t\t\t\t\t\t\t<\/p>\n

DeepDelver also claimed that virtually all of Delve\u2019s clients seem to have gone through two audit firms, Accorp and Gradient, which they described as \u201cpart of the same operation,\u201d one that operates primarily in India, with only a nominal presence in the United States.<\/p>\n

Those firms, they said, are just rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup \u201cinverts\u201d the normal compliance structure: \u201cBy generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation.\u201d<\/p>\n

In addition to accusing Delve of misleading its customers, DeepDelver said the startup is helping those customers \u201cmislead the public by hosting trust pages that contain security measures that were never implemented.\u201d\u00a0<\/p>\n

DeepDelver said that while their company was discussing its issues with Delve, the startup \u201csent us multiple boxes of donuts [\u2026] to keep us happy.\u201d Nonetheless, DeepDelver\u2019s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.<\/p>\n

Delve responded to the accusations by saying it does not issue compliance reports at all. Instead, it\u2019s an \u201cautomation platform\u201d that ingests information about compliance, then provides auditors with access to that information.<\/p>\n

\u201cFinal reports and opinions are issued solely by independent, licensed auditors, not Delve,\u201d the company said.<\/p>\n

Delve also said that its customers \u201ccan opt to work with an auditor of their choosing or opt to work with one from Delve\u2019s network of independent, accredited third-party audit firms.\u201d Those auditors, the startup said, are \u201cestablished firms used broadly across the industry, including by other compliance platforms.\u201d<\/p>\n

In response to the accusation that it\u2019s providing customers with \u201cfake evidence,\u201d Delve countered that it\u2019s simply offering \u201ctemplates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.\u201d<\/p>\n

\u201cDraft templates are not the same as \u2018pre-filled evidence,\u2019\u201d the company said.<\/p>\n

Delve added that it is \u201cactively investigating any leaks\u201d and is \u201cstill reviewing the Substack.\u201d<\/p>\n

Following the initial Substack post, an X user named James Zhou said<\/a> they were able to gain access to sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O\u2019Reilly shared more details<\/a> from what O\u2019Reilly said was a conversation with Zhou about \u201cseveral gaping security holes in Delve\u2019s external attack surface.\u201d<\/p>\n

TechCrunch sent an email seeking additional comment to the media contact address listed on Delve\u2019s website. The email bounced, but I subsequently received a calendar invite for a \u201cDelve demo\u201d later this week. TechCrunch has also reached out to DeepDelver for additional comment.<\/p>\n

This post has been updated with additional information about purported security vulnerabilities provided by Jamieson O\u2019Reilly, and additional details about Delve\u2019s response to TechCrunch.<\/p>\n","protected":false},"excerpt":{"rendered":"An anonymous Substack post published this week accuses compliance startup Delve of \u201cfalsely\u201d convincing \u201chundreds of customers they…\n","protected":false},"author":2,"featured_media":15015,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[256,254,255,64,63,16519,105],"class_list":{"0":"post-556602","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-au","12":"tag-australia","13":"tag-delve","14":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/556602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/comments?post=556602"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/556602\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media\/15015"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media?parent=556602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/categories?post=556602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/tags?post=556602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}