An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers” that it complies with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and significant fines under GDPR.”
Delve is a Y Combinator-backed startup that announced last year that it would raise $32 million in Series A at a valuation of $300 million. (The round was led by Insight Partners.) On Friday, the startup sought to refute the accusations on its blog, saying Substack’s post was “misleading” and “contains a number of inaccurate claims.”
The Substack post is attributed to “DeepDelver,” who claims to work for the (now former) Delve client. In response to email questions from TechCrunch, DeepDelver said they and their collaborators “chose to remain anonymous due to fear of retaliation by Delve.”
DeepDelver detailed in his post that he received an email in December claiming that the company had “leaked a spreadsheet containing confidential customer reports.” Although Delve CEO Karun Kaushik appeared to clarify in a subsequent email that the customers were compliant and that sensitive data would not be accessed by outside parties, DeepDelver said they and other customers had doubts.
“With a shared experience of being overwhelmed by the Delve experience and an overall sense that something fishy was going on, we decided to pool our resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim to be the fastest platform by creating false evidence, deriving auditor conclusions on behalf of rubber-stamp-reported certified factories, and skipping key framework requirements while telling customers it’s 100% compliant.”
DeepDelver looked into these claims in considerable detail, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” and forcing those customers to “choose between adopting fake evidence or doing the work mostly manually with little actual automation or AI.”
tech crunch event
San Francisco, California
|
October 13-15, 2026
DeepDelver also claimed that virtually all of Delve’s clients appear to go through two audit firms, Accorp and Gradient, which it said are “part of the same practice” and which operate primarily in India and have only a nominal presence in the United States.
They said those companies were just rubber-stamp reports created by Delve. As a result, DeepDelver said, the startup has “inverted” the usual compliance structure: “By producing auditor conclusions, test procedures, and final reports before an independent review takes place, Delve assumes the role of both implementer and assessor. This is not a technicality. It is a structural fraud that invalidates the entire certification.”
In addition to accusing Delve of misleading customers, DeepDelver said the startup helps customers “mislead the public by hosting trust pages that contain security measures that are never implemented.”
DeepDelver said that while his company was discussing the issue with Delve, the startup “sent us multiple boxes of donuts to satisfy us.” Nevertheless, DeepDelver’s employers have likely made their trust pages private and are no longer relying on the company for compliance.
Delve responded to the accusations by saying it had not issued any compliance reports. Instead, it is an “automation platform” that captures compliance information and provides auditors with access to that information.
“Final reports and opinions will be issued only by independent licensed auditors and not by Delve,” the company said.
Delve also said that customers “can choose to work with an auditor of their own choice or with an auditor from Delve’s network of independent, certified third-party audit firms.” The company says these auditors are “established companies that are widely used across the industry, including by other compliance platforms.”
In response to accusations that it provides “fake evidence” to customers, Delve countered that it only provides “templates to help teams document processes in accordance with compliance requirements, like other compliance platforms.”
“Draft templates are not the same as ‘pre-filled evidence,'” the company said.
Delve added that it is “actively investigating any breaches” and is “still considering Substack.”
When asked about Delve’s response, DeepDelver told TechCrunch that he was “embarrassed by its laziness, clumsiness, and brazenness.”
“They seek to evade liability by denying the existence of ‘pre-filled evidence,’ but instead calling it a ‘template,’ effectively shifting the blame to customers who have adopted the ‘template’ verbatim,” Deepdelver said. “They claim that they are not the ones who ‘issue’ the report, but it is easy to make that claim if you define issuing a report as giving the final verdict.”
They added that there were “a number of very serious allegations” that Mr Delve never raised. “Trust (lol) page with India accusations, lack of AI (they only talk about ‘automation’), and controls that were never implemented.”
DeepDelver apparently isn’t done with the criticism, as he promised, “Part II will follow soon.”
Additionally, after the initial Substack post, an X user named James Zhou said he was able to access sensitive information from Delve, including employee background checks and stock vesting schedules. Dvuln founder Jamison O’Reilly shared details of what he said was a conversation O’Reilly had with Chou about “some major security holes in Delve’s external attack surface.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. My email bounced, but after this article was published, I received an invitation from Calendar to a “Delve Demo” later this week.
This post was first published on March 21, 2026. Updated with an email response from DeepDelver, additional information regarding the alleged security vulnerability provided by Jamieson O’Reilly, and additional details regarding Delve’s response to TechCrunch.
