An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup tried to refute the accusations on its blog, calling the Substack post “misleading” and saying it “contains quite a few inaccurate claims.”
The Substack post is credited to “DeepDelver,” who described themselves as working at a (now former) Delve client. In response to emailed questions from TechCrunch, DeepDelver said that they and their collaborators “chose to remain anonymous out of fear for retaliation by Delve.”
In their post, DeepDelver recounted receiving an email in December claiming the startup had “leaked a spreadsheet with confidential client reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no external party gained access to sensitive data, DeepDelver said they and other customers had become suspicious.
“Having the shared experience of being underwhelmed with the Delve experience, and having the general sense that something fishy was going on, we decided to pool resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim of being the fastest platform by producing fake evidence, producing auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they’ve achieved 100% compliance.”
DeepDelver went into considerable detail about these claims, accusing the startup of providing customers with “fabricated evidence of board meetings, assessments, and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing largely manual work with little real automation or AI.”
DeepDelver also claimed that nearly all of Delve’s clients appear to have gone through two audit firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States.
These firms, they said, are simply rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup “inverts” the normal compliance structure: “By producing auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This isn’t a technicality. It’s a structural fraud that invalidates the entire attestation.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us a number of boxes of donuts […] to keep us happy.” Nonetheless, DeepDelver’s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.
Delve responded to the accusations by saying it doesn’t issue compliance reports at all. Instead, it’s an “automation platform” that ingests information about compliance, then provides auditors with access to that information.
“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company said.
Delve also said that its customers “can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup said, are “established firms used broadly across the industry, including by other compliance platforms.”
In response to the accusation that it’s providing customers with “fake evidence,” Delve countered that it’s merely offering “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.”
“Draft templates are not the same as ‘pre-filled evidence,’” the company said.
Delve added that it’s “actively investigating any leaks” and is “still reviewing the Substack.”
When asked about Delve’s response, DeepDelver told TechCrunch that they were “baffled by the laziness, clumsiness and brazenness of it.”
“They’re trying to snake their way out [of] being held accountable by denying having ‘pre-filled evidence’ but calling it ‘templates’ instead, effectively shifting the blame to customers for adopting the ‘templates’ as is,” DeepDelver said. “They’re claiming they aren’t the ones to ‘issue’ the report, which is easy to claim if you define issuing a report as providing the final stamp.”
They added that there are “quite a few very serious allegations” that Delve didn’t address at all: “The India accusation, the lack of AI (they only talk about ‘automations’), and the trust (lol) page containing controls that were never implemented.”
Apparently DeepDelver isn’t done with its criticism, as it promised, “Part II will follow soon.”
In addition, following the initial Substack post, an X user named James Zhou said they were able to gain access to sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared more details from what O’Reilly said was a conversation with Zhou about “a number of gaping security holes in Delve’s external attack surface.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but after this article was published, I received a calendar invite for a “Delve demo” later this week.
This post was originally published on March 21, 2026. It has been updated with emailed answers from DeepDelver, additional information about purported security vulnerabilities provided by Jamieson O’Reilly, and more details about Delve’s response to TechCrunch.
