An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers” that it complies with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and significant fines under GDPR.”
Delve is a Y Combinator-backed startup that announced last year that it would raise $32 million in Series A at a valuation of $300 million. (The round was led by Insight Partners.) On Friday, the startup sought to refute the accusations on its blog, saying Substack’s post was “misleading” and “contains a number of inaccurate claims.”
The Substack post is attributed to “DeepDelver,” who claims to work for the (now former) Delve client.
DeepDelver recalled receiving an email in December claiming that the company had “leaked spreadsheets containing confidential customer reports.” Although Delve CEO Karun Kaushik appeared to clarify in a subsequent email that the customers were compliant and that sensitive data would not be accessed by outside parties, DeepDelver said they and other customers had doubts.
“With a shared experience of being overwhelmed by the Delve experience and an overall sense that something fishy was going on, we decided to pool our resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim to be the fastest platform by creating false evidence, deriving auditor conclusions on behalf of rubber-stamp-reported certified factories, and skipping key framework requirements while telling customers it’s 100% compliant.”
DeepDelver looked into these claims in considerable detail, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” and forcing those customers to “choose between adopting fake evidence or doing the work mostly manually with little actual automation or AI.”
tech crunch event
San Francisco, California
|
October 13-15, 2026
DeepDelver also claimed that virtually all of Delve’s clients appear to go through two audit firms, Accorp and Gradient, which it said are “part of the same practice” and which operate primarily in India and have only a nominal presence in the United States.
They said those companies were just rubber-stamp reports created by Delve. As a result, DeepDelver said, the startup has “inverted” the usual compliance structure: “By producing auditor conclusions, test procedures, and final reports before an independent review takes place, Delve assumes the role of both implementer and assessor. This is not a technicality. It is a structural fraud that invalidates the entire certification.”
In addition to accusing Delve of misleading customers, DeepDelver said the startup helps customers “mislead the public by hosting trust pages that contain security measures that are never implemented.”
Regarding its relationship with Delve, DeepDelver said the company has made its trust page private and is no longer dependent on the startup for compliance.
Delve responded to the accusations by saying it had not issued any compliance reports. Instead, it is an “automation platform” that captures compliance information and provides auditors with access to that information.
“Final reports and opinions will be issued only by independent licensed auditors and not by Delve,” the company said.
Delve also said that customers “can choose to work with an auditor of their own choice or with an auditor from Delve’s network of independent, certified third-party audit firms.” The company says these companies are “long-established companies that are widely used across the industry, including by other compliance platforms.”
In response to accusations that it provides “fake evidence” to customers, Delve countered that it only provides “templates to help teams document processes in accordance with compliance requirements, like other compliance platforms.”
“Draft templates are not the same as ‘pre-populated evidence,'” the company said.
Delve added that it is “actively investigating any breaches” and is “still considering Substack.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. Your email has been bounced. We also reached out to DeepDelver for additional comment.
