A recent anonymous Substack post has accused the compliance startup Delve of misleading “hundreds of customers” into believing they were compliant with privacy and security regulations, potentially putting them at risk of “criminal liability under HIPAA and hefty fines under GDPR.”
Delve, a startup backed by Y Combinator, disclosed last year that it raised $32 million in a Series A funding round, valuing the company at $300 million. (Insight Partners led the funding round.) On Friday, Delve sought to counter the allegations by posting on its blog, describing the Substack post as “misleading” and stating it includes “a number of inaccurate claims.”
The Substack post is attributed to “DeepDelver,” who identified themselves as being associated with a former Delve client.
DeepDelver shared that an email received in December suggested that Delve had “leaked a spreadsheet with confidential client reports.” Although Delve CEO Karun Kaushik reportedly reassured clients in a follow-up email that they were compliant and no external party accessed sensitive information, DeepDelver noted that both they and other clients grew suspicious.
“Having shared the experience of dissatisfaction with Delve, and sensing that something was amiss, we decided to combine resources and investigate collaboratively,” they wrote.
Their investigation concluded that Delve “claims to be the fastest platform by fabricating evidence, generating auditor conclusions on behalf of certification mills that simply rubber-stamp reports, and omitting major framework requirements while informing clients they have achieved 100% compliance.”
DeepDelver elaborated on these accusations, claiming that Delve provided clients with “fabricated evidence of board meetings, tests, and processes that never took place,” compelling customers to “choose between adopting fake evidence or conducting mostly manual work with minimal real automation or AI.”
DeepDelver also alleged that nearly all of Delve’s clients were audited by two firms, Accorp and Gradient, which they characterized as “part of the same operation,” primarily functioning in India with only a nominal presence in the United States.
According to DeepDelver, these firms merely rubber-stamp reports generated by Delve, leading to an inversion of the typical compliance structure. “By generating auditor conclusions, test procedures, and final reports prior to any independent review, Delve assumes the roles of both implementer and examiner. This is not a mere technicality; it represents a structural fraud that invalidates the entire attestation.”
Besides accusing Delve of misleading its customers, DeepDelver claimed the startup is aiding clients in “misleading the public by hosting trust pages that list security measures which were never implemented.”
Regarding its own dealings with Delve, DeepDelver mentioned that their company has removed its trust page and no longer depends on Delve for compliance.
In response, Delve stated it does not issue compliance reports, describing itself instead as an “automation platform” that processes compliance information and provides auditors access to this data.
“Final reports and opinions are issued exclusively by independent, licensed auditors, not Delve,” the company asserted.
Delve further clarified that its clients “can choose to work with an auditor of their preference or select one from Delve’s network of independent, accredited third-party audit firms.” These firms, according to the startup, are “established firms widely used across the industry, including by other compliance platforms.”
Addressing the allegation of providing customers with “fake evidence,” Delve countered that it merely offers “templates to assist teams in documenting their processes in line with compliance requirements, as do other compliance platforms.”
“Draft templates are not equivalent to ‘pre-filled evidence,’” the company noted.
Delve added that it is “actively investigating any leaks” and “still reviewing the Substack.”
JS attempted to reach Delve for further remarks by sending an email to the media contact address on Delve’s website; the email was returned. Efforts to contact DeepDelver for additional comments are also ongoing.

